OpenText™ Managed Extended Detection and Response (MxDR) delivers cyber resilience by threat hunting for adversary behavior. In the ever-evolving cybersecurity landscape, staying ahead of the growing number of threats is a continuous challenge. OpenText recently shared how it uses the MITRE ATT&CK framework for its threat detection and threat hunting in Understanding MITRE ATT&CK and Tidal Cyber Vendor Registry.
The hunt begins
Paul, an astute Threat Hunter with OpenText’s SOC Team, was combing through logs in a customer environment when he stumbled upon a strange command line. It used a ‘Living off the Land’ technique built on the Windows executable Rundll32.exe, but this command line looked unusual compared to the others he was reviewing: the target of the command did not appear to be a DLL file. Diving deeper, Paul noticed the process was attempting a single outbound connection once per day to an IP address belonging to a hosting network. The peculiar activity involved SYN flags being sent repeatedly to this IP over port 443, but nothing more. To Paul, this wasn’t just random noise; it was a subtle cry for attention, a digital “ping” that resembled classic beaconing activity.
In the world of cybersecurity, beaconing often hints at trouble. It’s like a compromised machine whispering to its command-and-control (C2) server, “I’m alive! What’s next?” Paul immediately flagged the activity for deeper investigation and raised it with the end customer.
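One way to surface the low-and-slow pattern described above in bulk, as an added example that is not part of the original post or of OpenText’s tooling: group outbound connection attempts by source, destination and port and flag pairs whose inter-arrival times are almost constant. The log lines, field layout and addresses below are constructed for the example.

```python
# Added example, not from the OpenText post: flag (src, dst, port) flows whose
# connection attempts recur at a near-constant interval (a daily beacon).
# The firewall-style records below are constructed sample data, not real telemetry.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed records: timestamp, source, destination, dest port, TCP flags.
# 203.0.113.10 is a documentation-range placeholder for the suspected C2 host.
SAMPLE_LOG = """\
2024-05-01T03:12:07Z 10.0.5.21 203.0.113.10 443 S
2024-05-02T03:12:11Z 10.0.5.21 203.0.113.10 443 S
2024-05-03T03:12:05Z 10.0.5.21 203.0.113.10 443 S
2024-05-04T03:12:09Z 10.0.5.21 203.0.113.10 443 S
2024-05-01T09:00:00Z 10.0.5.30 198.51.100.7 443 S
2024-05-01T12:41:13Z 10.0.5.30 198.51.100.7 443 S
2024-05-03T17:05:44Z 10.0.5.30 198.51.100.7 443 S
"""

FlowKey = Tuple[str, str, int]

def parse_log(text: str) -> Dict[FlowKey, List[datetime]]:
    """Group connection timestamps by (src, dst, dport)."""
    flows: Dict[FlowKey, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport, _flags = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows[(src, dst, int(dport))].append(stamp)
    return flows

def find_beacons(flows: Dict[FlowKey, List[datetime]],
                 min_events: int = 4, max_jitter: float = 0.05) -> Dict[FlowKey, float]:
    """Return flows with at least min_events attempts whose gaps vary by less than
    max_jitter (coefficient of variation), mapped to the mean gap in seconds."""
    hits: Dict[FlowKey, float] = {}
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits[key] = avg
    return hits
```

Only the flow to 203.0.113.10 is reported, with a mean gap of about one day (86400 seconds); the irregular flow to 198.51.100.7 is not.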
A shadowy connection
Digging into the IP, Paul unearthed some unsettling history. Seven months ago, the IP was linked to the notorious BianLian ransomware group, known for their stealthy operations and devastating attacks. However, recent threat intelligence reports suggested the IP was ‘clean’ and had no suspicious activity. Could this be a remnant of their infrastructure, or had the IP been repurposed?
A quick query on Shodan revealed the current state of the server: it was still exposed to the internet, with ports 22 (SSH) and 3389 (RDP) wide open—common ports for remote access.
Unveiling the intrusion
Tracing back the breadcrumbs, Paul zeroed in on two Indicators of Compromise (IOCs):
- The IP of the suspected C2 server.
- A suspicious file that was included in the unusual command line (REDACTED.log).
Both artifacts pointed to the first sign of malicious activity in the last few days. From the logs, Paul and his colleague Sourabh, another meticulous OpenText Threat Hunter, reconstructed a process tree that told a chilling story:
- svchost.exe had spawned an instance of wscript.exe with the command: C:\Windows\System32\WScript.exe "C:\windows\system32\REDACTED.vbs"
- The same wscript.exe then launched rundll32.exe, with a command pointing to the suspicious file found in the command line: REDACTED.log.
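The two traits that made this chain stand out, rundll32.exe loading a module without a .dll extension and rundll32.exe being spawned by a script host, can be turned into a hunt over process-creation telemetry. The code below is an added example, not OpenText’s tooling; the event schema and sample events are constructed to resemble Sysmon Event ID 1 records, and 203.0.113.10 stands in for the C2 address.

```python
# Added example, not from the OpenText post: hunt process-creation telemetry for
# rundll32.exe loading a module that is not a .dll, or launched by a script host.
# Field names and sample events are constructed (Sysmon Event ID 1 style).
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

# Constructed sample events modelled on the chain described in the post;
# 203.0.113.10 is a documentation-range placeholder for the C2 address.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("WS01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\windows\system32\REDACTED.vbs"'),
    ProcEvent("WS01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\windows\system32\REDACTED.log,Run 203.0.113.10"),
    ProcEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def rundll32_module(command_line: str) -> Optional[str]:
    """Module rundll32 was asked to load: the first argument up to the first comma."""
    try:
        args = shlex.split(command_line, posix=False)  # keep backslashes literal
    except ValueError:
        return None
    if len(args) < 2:
        return None
    return args[1].strip('"').split(",", 1)[0]

def hunt_rundll32(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, reason, command_line) for each rundll32 execution worth a look."""
    hits = []
    for ev in events:
        if basename(ev.image) != "rundll32.exe":
            continue
        module = rundll32_module(ev.command_line)
        if module is not None and not module.lower().endswith(".dll"):
            hits.append((ev.host, f"module without .dll extension: {module}", ev.command_line))
        if basename(ev.parent_image) in SCRIPT_HOSTS:
            hits.append((ev.host, "spawned by a script host", ev.command_line))
    return hits
```

The benign Control Panel launch on WS02 produces no hit; the WS01 execution is reported twice, once per trait, which is what lets an analyst rank it above rundll32 invocations that trip only one check.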
There was no clear parent process for svchost.exe, but Sourabh discovered a scheduled task running at the same time:
- Name: REDACTED
- Path: \Microsoft\Windows\Wininet\REDACTED
- Action: C:\Windows\system32\REDACTED.vbs
This task name had been chosen to blend in and had likely been planted by the attacker to ensure persistence. With this new finding, Paul added more IOCs to the list, all related to the Scheduled Task.
Malware analysis
Paul’s next step was to analyze the contents of the file from the original command line (REDACTED.log) and the REDACTED.vbs script. Although REDACTED.log had not been found in public malware repositories, dynamic analysis revealed it was actually a malicious DLL file, as suspected. The VBScript was used to execute a function in the malicious DLL, sending parameters such as the C2 IP address. It was designed to trigger beaconing behavior via scheduled tasks, signaling to the attackers that the compromised machine was ready for further instructions.
Swift containment
Armed with the evidence, and confirming the IOCs were not being seen across other hosts in the environment, Paul and the team took immediate action to contain the threat:
- The REDACTED.log file was deleted.
- The malicious scheduled task was removed.
- The REDACTED.vbs script was eradicated from the system.
With the IOCs neutralized, the compromised machine was contained, and the deeper investigation and the threat hunting continued.
Conclusion
The BianLian ransomware group, likely based in Russia, has been active since June 2022, targeting various critical infrastructure sectors in the U.S. and Australia. Initially employing a double-extortion model, BianLian would encrypt victims’ systems after exfiltrating data. However, since January 2024, they have shifted to primarily exfiltration-based extortion, threatening to release stolen data if ransoms are not paid. The group typically gains access through valid Remote Desktop Protocol (RDP) credentials and uses open-source tools and command-line scripting for discovery and credential harvesting. They exfiltrate data using methods such as File Transfer Protocol (FTP), Rclone, or Mega.
This incident served as a stark reminder of how even infrastructure reported clean by many online services, like an IP associated with a ransomware group many months ago, can remain a threat. Our OpenText SOC Team’s vigilance and methodical approach not only thwarted potential harm but also provided valuable insights into the evolving tactics of cyber adversaries.
The battle in cybersecurity is ongoing, but with dedicated skilled threat hunters in our OpenText MxDR Team, the defenders continue to hold the line.