Full Report
The pattern that emerged was that attackers prefer to work in a low-complexity, low-effort manner. Most victims were compromised through RDP, and after that the attackers frequently used off-the-shelf tools for discovery and lateral movement such as network scanners, local privilege escalation (LPE) exploits, AV killers such as vulnerable drivers, process terminators and targeted uninstall software, credential access tools such as Mimikatz, and tooling for the other steps of the kill chain. What was interesting to see was their collection of local privilege escalation exploits and that on a few occasions we saw GuLoader being used. GuLoader is a loader type of malware that was first discovered in late 2019 and is known for delivering different types of second-stage malware. It is known to drop malware such as AgentTesla, FormBook, XLoader, Lokibot and more.
Analysis Summary
# Tool/Technique: GuLoader
## Overview
GuLoader is a loader type of malware known for delivering various types of second-stage malware payloads. It was first discovered in late 2019 and is integrated by threat actors, such as those behind the Makop ransomware strain, to bypass security measures and introduce further malicious components.
## Technical Details
- Type: Malware family (Loader/Downloader)
- Platform: Not explicitly stated, but implied to be Windows given the context of common victim environments (RDP) and dropped malware (AgentTesla, FormBook, etc.).
- Capabilities: Delivering second-stage malware; known for bypassing security solutions (sometimes using VMProtect packed samples of tools).
- First Seen: Late 2019
## MITRE ATT&CK Mapping
* **TA0005 - Defense Evasion**
  * T1027 - Obfuscated Files or Information (Implied, as loaders often obfuscate payloads)
* **TA0002 - Execution**
  * T1204 - User Execution (If delivered via user interaction, although RDP initial access negates this for the initial dropper)
  * T1055 - Process Injection (Loaders often utilize injection to execute secondary payloads)
## Functionality
### Core Capabilities
- Acts as a downloader for subsequent malware stages.
- Delivers known malware families including AgentTesla, FormBook, XLoader, and Lokibot.
### Advanced Features
- Attackers sometimes use VMProtect packed samples of related tools to bypass security solutions.
## Indicators of Compromise
- File Hashes:
  - `5ff803269d6491dd3f0267f6f07b8869e3f08d62cf2110b552bba2cc3d75d26a` (Associated sample)
  - `c8afb68260b9036d8e65811927c379112274a2526cc161c7f1502457a501a0d3` (Associated sample)
  - `01f34180bb635022681723eef73c19adf330d7a32a2e6639c27b1ee5777312be` (Associated sample)
  - `c8e8cca4ee3c4f4ce4f2076ed93cca058fa1ff88d5ffe49d8d293b27ad25ef68` (Associated sample)
  - `8315327f22eff069457c02ddda1ea32a31964e1b8ab688709bcb96c6ccbb6212` (Associated sample)
- File Names: (Not specified for GuLoader itself, but contextually dropped alongside tools under paths like `C:\Users\Public\Music\Bug` or `.Bug`)
- Registry Keys: [Not specified]
- Network Indicators: [Not specified]
- Behavioral Indicators: Attempts to download and execute additional secondary payloads; utilized in the kill chain following RDP compromise.
## Associated Threat Actors
- Threat actors deploying **Makop Ransomware**.
## Detection Methods
- Signature-based detection (for known hashes).
- Behavioral detection targeting unusual download/execution patterns indicative of a loader initiating second-stage malware delivery.
## Mitigation Strategies
- Deploy robust endpoint detection and response (EDR) capable of monitoring process injection and suspicious payload delivery.
- Regularly patch and closely monitor RDP services, ensuring strong authentication policies, MFA, and network segmentation to prevent initial access.
## Related Tools/Techniques
- Ransomware strains that rely on loaders (e.g., Makop, Phobos variants).
- Other common loaders/droppers if observed in the environment.
***
# Tool/Technique: Off-the-shelf Tools (General Category)
## Overview
A collection of publicly available, commercially available, or open-source utilities utilized by threat actors for efficiency ("low complexity and low effort"). These tools cover various stages post-initial access, including reconnaissance, privilege escalation, and defense evasion.
## Technical Details
- Type: Tool (Collection of Utilities)
- Platform: Primarily Windows (Implied by RDP entry and tools like Mimikatz, LPE exploits targeting Windows systems).
- Capabilities: Discovery, lateral movement, privilege escalation, and security software disruption.
- First Seen: Varies based on individual tool age.
## MITRE ATT&CK Mapping (Examples based on capabilities mentioned)
* **TA0007 - Discovery**
  * T1046 - Network Service Discovery (Network Scanners)
* **TA0004 - Privilege Escalation**
  * T1068 - Exploitation for Privilege Escalation (Local Privilege Escalation Exploits)
* **TA0005 - Defense Evasion**
  * T1562.001 - Impair Defenses: Disable or Modify Tools (AV Killers, Process Terminators, Targeted Uninstall Software)
* **TA0006 - Credential Access**
  * T1003 - OS Credential Dumping (Mimikatz)
* **TA0008 - Lateral Movement**
  * Implied by use of Network Scanners post-compromise.
## Functionality
### Core Capabilities
- **Network Scanning:** Identifying internal network resources.
- **Privilege Escalation:** Using known exploits (LPE exploits, vulnerable drivers) to gain higher system permissions.
- **Defense Evasion:** Killing processes, terminating AV services, or uninstalling security software.
- **Credential Access:** Dumping credentials from memory (e.g., via Mimikatz).
### Advanced Features
- Attackers sometimes use obfuscated or packed versions (e.g., VMProtect) of these off-the-shelf tools to evade detection.
## Indicators of Compromise
- File Hashes: [Not specified for the generic set of tools]
- File Names: Mimikatz, various network scanners, AV killers, process terminators.
- Registry Keys: [Not specified]
- Network Indicators: Traffic associated with network scanning activities.
- Behavioral Indicators: Execution of known post-exploitation tools; suspicious uninstallation activity targeting security products; use of vulnerable drivers.
## Associated Threat Actors
- Various financially motivated threat actors exhibiting low-effort TTPs.
## Detection Methods
- Behavioral monitoring for sequence anomalies (e.g., network scanning immediately following RDP login).
- Signature/heuristic detection for known tools like Mimikatz.
- Detection of known vulnerable drivers being loaded for privilege escalation.
## Mitigation Strategies
- Implement application whitelisting to prevent the execution of unapproved binary toolsets.
- Strong network segmentation to limit the effectiveness of internal network scanning.
- Patch systems rigorously, especially against exploits targeting local privilege escalation vulnerabilities.
- Protect security products against termination or uninstallation.
## Related Tools/Techniques
- Mimikatz, common network scanning tools (e.g., Nmap, internal scripts), known LPE exploits/vulnerable drivers.
***
# Tool/Technique: Initial Access via Remote Desktop Protocol (RDP)
## Overview
The initial compromise vector favored by these threat actors, involving leveraging publicly exposed and insecure Remote Desktop Protocol (RDP) services, typically achieved via brute-force or dictionary attacks against weak or reused credentials.
## Technical Details
- Type: Technique (Initial Access)
- Platform: Windows Systems hosting exposed RDP services.
- Capabilities: Gaining interactive remote access to victim systems.
- First Seen: Decades ago; RDP is a long-standing component of Windows infrastructure, so the technique is as old as exposed RDP services.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1133 - External Remote Services
    * T1133.001 - Remote Desktop Protocol
## Functionality
### Core Capabilities
- Establishing unauthorized interactive command-line or GUI sessions on target machines using legitimate service protocols.
- Exploiting weak authentication practices (dictionary/brute force on local or domain accounts).
### Advanced Features
- Low complexity/low effort approach relying on pervasive system misconfigurations (exposed RDP ports).
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: High volume of failed login attempts on TCP port 3389 (RDP); successful connections from unexpected external IPs.
- Behavioral Indicators: Immediate staging of post-exploitation toolkits following RDP session initiation.
## Associated Threat Actors
- Broad spectrum of threat groups, including ransomware affiliates (like Makop) focused on RDP brute-forcing.
## Detection Methods
- Anomaly detection on RDP login volumes and geographic sources.
- Logging and alerting on multiple failed RDP login attempts for a single user or host.
- Network Intrusion Detection Systems (NIDS) flagging RDP brute-force patterns.
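The detection methods above (failed-logon volume per source, a success that follows a burst, and logons from unexpected networks) can be expressed as a small log analytic. The following is an added example for this report, not code from the original page: it parses a constructed, simplified export of Windows Security events (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). The key=value line format, the five-failures-in-five-minutes threshold and the "expected sources" network list are assumptions chosen for the demo.

```python
"""Flag RDP brute-force bursts and the logons that follow them.

Added example for this report, not code from the original page. Event IDs
4625/4624 and LogonType 10 are real Windows Security log values; the line
format, threshold, window and expected-source networks are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one external source that fails repeatedly and
# then succeeds, one external user with a single failure, one console logon.
SAMPLE_LOG = """\
2024-05-01T02:10:01Z EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T02:10:03Z EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T02:10:04Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T02:10:06Z EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2024-05-01T02:10:08Z EventID=4625 LogonType=10 User=sql Src=203.0.113.7
2024-05-01T02:10:11Z EventID=4624 LogonType=10 User=backup Src=203.0.113.7
2024-05-01T02:15:00Z EventID=4625 LogonType=10 User=jsmith Src=192.0.2.20
2024-05-01T02:45:00Z EventID=4624 LogonType=10 User=jsmith Src=192.0.2.20
2024-05-01T03:00:00Z EventID=4624 LogonType=2 User=jsmith Src=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)

# Networks from which RDP logons are expected (assumption: only RFC 1918
# ranges, i.e. access arrives via the VPN/bastion the report recommends).
EXPECTED_SOURCES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def is_expected_source(src):
    """True only for a parseable address inside one of the expected networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_SOURCES)


def detect_rdp_abuse(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, timestamp, detail) tuples in time order."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent 4625 events
    flagged = {}                   # src -> time its burst crossed the threshold
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10:         # only RemoteInteractive (RDP) logons
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["eid"] == 4625:
            q = failures[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that left the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append(("bruteforce", src, ts,
                               f"{len(q)} failed RDP logons within {window}"))
        elif ev["eid"] == 4624:
            if src in flagged and ts - flagged[src] <= window:
                alerts.append(("success_after_bruteforce", src, ts,
                               f"user {ev['user']} logged on after burst"))
            elif not is_expected_source(src):
                alerts.append(("external_rdp_logon", src, ts,
                               f"user {ev['user']} from unexpected network"))
    return alerts


if __name__ == "__main__":
    for kind, src, ts, detail in detect_rdp_abuse(parse_events(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:<25} {src:<15} {detail}")
```

On the sample data this yields three alerts: a brute-force burst from `203.0.113.7`, the successful `backup` logon three seconds later from the same source (the highest-priority signal, since it is the point where the report's post-exploitation chain begins), and a logon for `jsmith` from `192.0.2.20`, which is not a brute-force hit but comes from outside the expected networks. The single failure from `192.0.2.20` never crosses the threshold, and the LogonType 2 console logon is ignored because it is not RDP.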
## Mitigation Strategies
- **Never** expose RDP directly to the internet.
- Use a VPN or bastion host for all remote administrative access.
- Enforce Multi-Factor Authentication (MFA) on all RDP connections.
- Implement strong password policies and account lockout thresholds.
## Related Tools/Techniques
- Brute-forcing tools (RDP-specific or general credential stuffers).
- Credential Dumping tools (used subsequently to escalate access beyond the initially compromised account).
***
# Tool/Technique: Makop Ransomware
## Overview
Makop is a strain of ransomware, categorized as a variant derived from the Phobos ransomware family. Its primary objective is file encryption following initial network compromise, often utilizing a sophisticated pre-encryption toolchain.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Implied)
- Capabilities: File encryption, derived from Phobos codebase; utilizes various off-the-shelf tools for staging.
- First Seen: Around 2020
## MITRE ATT&CK Mapping (General Ransomware Stages)
* **TA0011 - Collection** (If data exfiltration is included, though not explicitly detailed beyond local tool staging)
* **TA0040 - Impact**
  * T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Encryption of victim files.
- Execution follows a post-exploitation chain involving discovery, LPE, and defense evasion.
### Advanced Features
- Incorporation of advanced components like GuLoader for multi-stage payload delivery, indicating an evolutionary approach compared to simpler variants.
## Indicators of Compromise
- File Hashes: [Not specified for the final encryptor binary explicitly, though associated sample hashes are provided for GuLoader.]
- File Names: Common filenames observed: `bug_osn.exe`, `bug_hand.exe`, `1bugbug.exe`, `bugbug.exe`, `taskmgr.exe`, `mc_osn.exe`, `mc_hand.exe`, and variants prefixed with a dot.
- Dropped Locations: Network-mounted RDP shares (`\\tsclient\`), `Music` directory, `Downloads`, `Desktop`, `Documents`, or the `C:\` root, often within subfolders named `Bug` or `Exp.`.
- Registry Keys: [Not specified]
- Network Indicators: [Not specified for the final C2/payment stage]
- Behavioral Indicators: File system manipulation consistent with rapid encryption; creation of readme/ransom notes.
## Associated Threat Actors
- Operators behind the Makop campaign (primarily targeting India, Brazil, Germany).
## Detection Methods
- Signature/heuristic detection for known Makop binary hashes.
- Detection rules targeting the specific filename patterns (e.g., `bug_osn.exe`).
- Detection of mass file renaming or modification events lacking administrative justification.
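The filename and location indicators listed for Makop, together with the GuLoader sample hashes in the earlier IoC list, can be turned into a simple file-system sweep. The following is an added example, not code from the original report: it walks a directory tree, hashes every file with SHA-256, and reports files whose digest is in a supplied hash set, whose name (after stripping a leading dot) is one of the listed staging filenames, or which sit under one of the listed dropped locations. The tree it scans is constructed in a temporary directory and the hash set used in the demo is the digest of one constructed file, not a real sample hash; the treatment of `taskmgr.exe` (reported only when found in a staging folder, since the genuine binary lives elsewhere) is an editorial assumption.

```python
"""Sweep a directory tree for the Makop staging indicators this report lists.

Added example, not code from the original report. Filenames and staging
directory names come from the report's IoC section; the sample tree, the
planted hash and the taskmgr.exe gating rule are constructed assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Filenames from the report; a leading dot ("variants prefixed with a dot")
# is stripped before matching.
MAKOP_FILENAMES = {"bug_osn.exe", "bug_hand.exe", "1bugbug.exe", "bugbug.exe",
                   "taskmgr.exe", "mc_osn.exe", "mc_hand.exe"}
# taskmgr.exe is also a genuine Windows binary name, so it is reported only
# when it sits in one of the staging locations (assumption).
SYSTEM_NAMES = {"taskmgr.exe"}
# Dropped locations from the report, compared case-insensitively.
STAGING_DIRS = {"music", "downloads", "desktop", "documents", "bug", "exp."}


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def in_staging_location(path):
    """True if any parent directory name is one of the report's staging folders."""
    return bool({p.lower() for p in path.parent.parts} & STAGING_DIRS)


def scan(root, known_hashes):
    """Return sorted (relative_path, [reasons]) for every suspicious file."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower().lstrip(".")
        staged = in_staging_location(p)
        reasons = []
        if sha256_file(p) in known_hashes:
            reasons.append("known-hash")
        if name in MAKOP_FILENAMES and (name not in SYSTEM_NAMES or staged):
            reasons.append("makop-filename")
            if staged:
                reasons.append("staging-location")
        if reasons:
            findings.append((p.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed victim-profile layout; returns the planted file's hash."""
    root = Path(root)
    files = {
        "Users/victim/Music/Bug/bug_osn.exe": b"constructed payload A",
        "Users/victim/Music/Bug/.bug_hand.exe": b"constructed payload B",
        "Users/victim/Documents/report.docx": b"benign document",
        "Users/Public/Downloads/taskmgr.exe": b"renamed tool",
        "Windows/System32/taskmgr.exe": b"stand-in for the real Task Manager",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return sha256_file(root / "Users/victim/Music/Bug/bug_osn.exe")


def demo():
    """Build the constructed tree, scan it with the planted hash, clean up."""
    tmp = tempfile.mkdtemp()
    try:
        planted = build_sample_tree(tmp)
        return scan(tmp, {planted})
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

In real use the hash set would be the report's GuLoader digests (and any Makop encryptor hashes obtained elsewhere), and the roots passed to `scan` would be each user profile, the drive root and any mounted `\\tsclient\` share, since `rglob` only descends from the root it is given. The demo flags the dot-prefixed `.bug_hand.exe` and the `taskmgr.exe` copy in `Public\Downloads`, but leaves the `System32` copy alone, which is the behaviour a filename-based rule needs to avoid alerting on the real Task Manager.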
## Mitigation Strategies
- Comprehensive and tested backups.
- Immediate isolation upon detection of any post-exploitation activity (scanners, Mimikatz).
- Endpoint protection configured to block execution of known malware staging files in user profile directories.
## Related Tools/Techniques
- Phobos Ransomware (Parent family).
- GuLoader (Delivery mechanism).
- Mimikatz, LPE exploits (Supporting tools).