Threat Actors’ Systems Can Also Be Exposed and Used by Other Threat Actors

Cyberattacks include not only Advanced Persistent Threat (APT) attacks targeting a few specific companies or organizations but also scan attacks targeting multiple random servers connected to the Internet. This means that threat actors’ infrastructure can become a target of cyberattacks, just like companies, organizations, and personal users.

AhnLab SEcurity intelligence Center (ASEC) has confirmed a case in which a CoinMiner attacker’s proxy server became a target of a ransomware threat actor’s Remote Desktop Protocol (RDP) scan attack. The CoinMiner threat actor used a proxy server to access an infected botnet, and the port they opened to connect with the proxy server was exposed to another threat actor’s RDP scan attack. As a result, the RDP scan attack reached the CoinMiner threat actor’s botnet and infected it with ransomware.

Figure 1. Breach flowchart

1. CoinMiner Infection

In this case, the exact cause of the CoinMiner infection has not yet been identified. However, judging from related cases, it may have occurred through the following initial breach process. The CoinMiner threat actor launched scan attacks targeting MS-SQL server administrator (sa) accounts. After successfully logging in with an sa account, they installed a backdoor on the victim system using MS-SQL’s xp_cmdshell procedure. The installed backdoor downloaded malicious files, including the CoinMiner, from the C2 server.

The backdoor was registered to Windows Management Instrumentation (WMI) and ran daily at 11:00 PM. The backdoor regularly received new backdoors from the C2 server, and the CoinMiner threat actor sent new commands by uploading a modified backdoor to the C2 server.

2. Reverse RDP

The CoinMiner threat actor configured a reverse RDP environment using the Fast Reverse Proxy tool to access the Miner bot.

Fast Reverse Proxy is an open-source reverse proxy tool. The normal version requires the user to load the target server’s information from a settings file or enter it upon execution. The CoinMiner threat actor modified the Fast Reverse Proxy code so that it automatically connects to the proxy server, and used the modified file in their attack.

3. RDP Port Scan

The proxy server was exposed to the Internet. The ransomware threat actor checked all ports of Internet-exposed systems to see whether they were running RDP, then launched brute force attacks against the administrator account on every target with an exposed RDP port. In this case, the CoinMiner threat actor’s proxy server appears to have been exposed by coincidence, making it a target of the RDP port scan attack.

4. Victim System Connected to Proxy Server

The CoinMiner threat actor’s modified Fast Reverse Proxy file was distributed by the C2 server and downloaded and executed by a backdoor. Multiple CoinMiner bots tried to connect to the same proxy server, and it appears that the CoinMiner threat actor could not select and communicate with specific systems among the Miner bots that attempted to establish a reverse RDP connection with the proxy server.

5. RDP Brute Force Attack Lands at Targeted System

The ransomware threat actor launched an RDP brute force attack on TCP port 30. The attack passed through the proxy server and landed on the targeted system that was connected to the proxy server at the time. Because the system’s administrator account had no restriction on invalid login attempts and the ransomware threat actor had ample time to carry out the attack, the threat actor successfully logged into the system as a system administrator.
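The following added example (not part of the original ASEC report) shows detection logic for the pattern described in this section: a burst of failed administrator logons followed by a success on a host with no lockout. It assumes simplified, constructed event records modeled on Windows Security events 4625 and 4624, and that the reverse proxy client forwards RDP to the local service over loopback, so the logged source address is 127.0.0.1 or ::1 instead of the scanner’s address; the threshold and window values are illustrative.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, eid, user, ip, logon_type):
    return {"time": ts, "id": eid, "user": user, "ip": ip, "logon_type": logon_type}

# Constructed sample (not from the incident): simplified Windows Security
# events 4625 (failed logon) and 4624 (successful logon).
T0 = datetime(2024, 1, 1, 2, 0, 0)
SAMPLE = (
    [_ev(T0 + timedelta(seconds=20 * i), 4625, "Administrator", "127.0.0.1", 3) for i in range(12)]
    + [_ev(T0 + timedelta(seconds=300), 4624, "Administrator", "127.0.0.1", 10)]
    # Benign pattern: two mistyped passwords, then a normal logon from an internal host.
    + [_ev(T0 + timedelta(seconds=30 * i), 4625, "jdoe", "10.0.0.5", 3) for i in range(2)]
    + [_ev(T0 + timedelta(seconds=90), 4624, "jdoe", "10.0.0.5", 10)]
)

def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for empty or '-' fields."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def detect(events, threshold=10, window=timedelta(minutes=10)):
    """Alert on a burst of failed network/RDP logons and on a success that follows one."""
    alerts, fails = [], defaultdict(list)  # fails: (user, ip) -> recent failure times
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] not in (3, 10):  # 3 = network (NLA), 10 = RemoteInteractive
            continue
        key = (e["user"].lower(), e["ip"])
        recent = [t for t in fails[key] if e["time"] - t <= window]
        kind = None
        if e["id"] == 4625:
            recent.append(e["time"])
            if len(recent) == threshold:  # fire once when the burst reaches the threshold
                kind = "bruteforce"
        elif e["id"] == 4624 and len(recent) >= threshold:
            kind, recent = "success_after_bruteforce", []
        fails[key] = recent
        if kind:
            alerts.append({"type": kind, "user": e["user"], "ip": e["ip"],
                           "time": e["time"], "tunneled": is_loopback(e["ip"])})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a["time"], a["type"], a["user"], a["ip"], "tunneled" if a["tunneled"] else "")
```

A `tunneled` alert means the logon arrived from the host’s own loopback address, which on a server that should only receive RDP from the network points to a local forwarder process worth investigating.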

6. Ransomware Infection

After successfully logging in as an administrator, the ransomware threat actor used network scanning and credential-stealing tools to distribute their ransomware to multiple systems. Afterward, the threat actor moved laterally into the network the targeted system was in and distributed the ransomware.

7. Was the Attack Intentional?

Was the inclusion of the CoinMiner threat actor’s proxy server in the ransomware threat actor’s RDP scan attack intentional?

Hypothesis 1: Pure Accident

In this case, the CoinMiner threat actor created an administrator account on the affected system. However, the ransomware threat actor did not use that account and instead launched a scan attack against the system. Given this, it is unlikely that the CoinMiner threat actor and the ransomware threat actor shared or traded information such as details of the affected system or the account. The ransomware threat actor probably regarded the CoinMiner threat actor’s proxy server as one of many scan attack targets that use TCP port 30 instead of TCP port 3389 for RDP. Since it is unlikely that the ransomware threat actor knew about the CoinMiner threat actor’s proxy server and attacked it intentionally, this case may be a ransomware infection that occurred by accident, and the ransomware threat actor may not have realized until the very end that they had attacked a proxy server.

Hypothesis 2: Ransomware Threat Actor Knew

The ransomware threat actor may have realized that they were attacking a proxy server, and this possibility leads to the following hypothesis:

The ransomware threat actor’s scan attack reached certain CoinMiner bots connected to the proxy server. The ransomware threat actor may have succeeded in breaching the system affected by this attack, and other systems before and after this case.

If the CoinMiner threat actor disconnected from the proxy server after the ransomware threat actor successfully breached the system and switched the connection to a different CoinMiner bot, the ransomware threat actor would have lost control of the system, entered a different system with the same IP address, and found themselves in a situation where they had to repeat the brute force attack to take control of the new system.

The ransomware threat actor may not have noticed the anomaly at the initial breach, but after repeatedly gaining control of systems and seeing them change, they may have noticed that the system kept changing while the IP address stayed the same.

The affected system was connected to the CoinMiner threat actor’s proxy server twice in several months. It is likely that various systems connected to the proxy server between those dates, and at the points of connection, a different threat actor logged into the affected system connected to the proxy server using a default administrator account.

This could mean that the CoinMiner threat actor’s proxy server was continuously exposed to scan attacks. If the ransomware threat actor realized that they were attacking a different threat actor’s infrastructure and successfully launched attacks on the system exposed to a scan attack for a prolonged time, there is a possibility that the ransomware threat actor intentionally exploited the proxy server.

There are many systems with exposed RDP ports on the Internet, but that does not mean that the security of all those systems is compromised. However, systems already breached by threat actors are likely to have security weaknesses. For threat actors, one of the ways to increase the efficiency and success rate of their attacks is to attack the systems that are comparatively more vulnerable.

Conclusion

This case is different from other attack cases.

It is known that threat actors trade account credentials, malicious files, leaked information, botnet infrastructure, and threat services on the dark web and black markets. However, it is extremely rare for a threat actor’s infrastructure to become a target of another threat actor’s attack instead of being the subject of a direct trade.

From an analytical perspective, an attack that uses another threat actor’s infrastructure is observed together with the behavior of multiple threat actors, which makes it harder to distinguish the behavior and intention of each threat actor involved. Furthermore, threat actors may use the infrastructure and affected systems of other threat actors to launch more efficient attacks.

If similar cases in which a threat actor uses other threat actors’ infrastructure accumulate, more and more threat actors may purposefully breach other threat actors’ infrastructure and use it to launch different kinds of attacks.

[File Detection]

  • CoinMiner/Win.XMRig.C5449500(2023.07.05.00)
  • Downloader/FOMB.Agent(2024.02.27.00)
  • Downloader/Win64.Agent.C2426880(2018.03.29.04)
  • HackTool/Win.Agent(2024.03.15.00)
  • HackTool/Win.Frpc.C5473755(2023.08.20.03)
  • HackTool/Win.PassViewer.C5353351(2023.01.09.03)
  • HackTool/Win.PassViewer.C5353353(2023.04.26.02)
  • HackTool/Win.PstPass.C5135577(2022.08.31.02)
  • HackTool/Win.PSWTool.R345815(2023.06.02.01)
  • HackTool/Win32.Mailpassview.R165244(2016.07.12.09)
  • Ransomware/Win.Phobos.R363595(2023.08.28.04)
  • Trojan/BAT.RUNNER.SC198137(2024.03.15.00)
  • Trojan/BAT.RUNNER.SC198138(2024.03.15.00)
  • Trojan/BAT.Runner.SC198226(2024.03.18.02)
  • Trojan/RL.Mimikatz.R248084(2018.12.10.01)
  • Trojan/Win.Lazardoor.R496534(2022.05.14.01)
  • Trojan/Win32.Infostealer.C1259157(2015.11.16.06)
  • Trojan/Win32.Infostealer.C1259157(2020.07.17.00)
  • Trojan/Win32.Miner.C2462674(2018.04.13.09)
  • Trojan/Win32.Neshta.X2117(2018.03.16.06)
  • Unwanted/Win.PassView.C5359535(2023.01.16.03)
  • Unwanted/Win32.HackTool.C613821(2014.11.02.03)
  • Unwanted/Win32.Masscan.C3122810(2019.12.06.00)
  • Unwanted/Win32.Passview.C568442(2014.09.23.00)
  • Unwanted/Win32.PassView.R333746(2020.04.22.08)

[IOCs]

MD5s


URLs & C2s


The post Threat Actors’ Systems Can Also Be Exposed and Used by Other Threat Actors appeared first on ASEC BLOG.