During an incident response engagement, Dell SecureWorks Counter Threat Unit™ (CTU) analysts observed lateral movement activities conducted by the adversary to establish a solid foothold within the compromised infrastructure.
A remote access trojan (RAT) was copied to and installed on multiple systems as a Windows service, and was then executed via a scheduled task. Each instance analyzed by CTU analysts was identical: the same cryptographic hash value and identical configuration information for the command and control (C2) server. To identify the full scope of the incident, CTU analysts investigated all associated threat indicators (file hashes, C2 server domain, IP address, etc.).
CTU analysts worked closely with the client’s IT staff to identify affected systems.
As part of this process, the IT staff logged into systems to ensure that infrastructure management software was installed and properly configured. Endpoint and network monitoring identified an additional compromised system immediately after an administrator logged in to perform management software maintenance. The host-based indicators were almost identical to the other compromises, but the network indicators (C2 server domain and IP address) were markedly different.
In the original set of compromises, the RAT installer file was copied to the root of the C:\ volume on the system and was then executed via a scheduled task. Multiple threat groups employ this lateral movement technique. In this sample, the installer file for the same RAT, but with a different C2 configuration, was copied to the target system so that the installer automatically executed when the administrator logged into the system. The administrator did not need to perform any specific action and was not aware that the file was executed. CTU analysts determined that this installer file had been dormant on the system for eight months.
Technical indicators from the first set of samples, including installer file hash and location, method of execution, C2 domain, and IP address, were useless in detecting this “sleeper” RAT until the installer file was executed. Even after execution, the previously identified C2 domain and IP address were not helpful because those indicators were different in this sample. CTU analysts have endpoint analysis technology that identifies previously infected systems and the dormant installer file, but the installer file was launched before the technology was applied. CTU analysts identified the infection immediately after employing the endpoint analysis technology.
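The failure mode described above (a known-hash, known-C2 rule misses a second copy of the same RAT with a different hash and a different C2 configuration until it runs) can be illustrated with a TTP-based hunt over an autostart inventory. The following is an added example written for this page, not code from the CTU engagement; the inventory entries, the hash and domain placeholders, and the field names are all constructed assumptions. It assumes an inventory of executables that run at user logon or via a scheduled task has already been collected from each host, and compares an indicator match (hash or C2) against a TTP match (an executable dropped at the root of C:\ that runs at logon or as a scheduled task).

```python
"""Indicator-based versus TTP-based triage of a host autostart inventory.

Added example. All sample data below is constructed; KNOWN_HASHES and KNOWN_C2
stand in for the indicators recovered from the first set of compromises.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Indicators from the first set of samples (constructed placeholder values).
KNOWN_HASHES = {"a" * 64}
KNOWN_C2 = {"c2-original.example"}


@dataclass
class AutostartEntry:
    host: str
    path: str            # full path of the executable that will be launched
    sha256: str
    trigger: str         # "logon" (runs when a user logs in) or "schedule" (scheduled task)
    c2: Optional[str]    # C2 domain extracted from the file's config, if it was analysed


def matches_indicators(e: AutostartEntry) -> bool:
    """Classic IoC match: same file hash or same C2 domain as a known sample."""
    return e.sha256 in KNOWN_HASHES or (e.c2 is not None and e.c2 in KNOWN_C2)


def matches_ttp(e: AutostartEntry) -> bool:
    """TTP match: executable sitting at the root of C:\\ that runs at logon or via a task.

    This is independent of hash and C2, so a dormant second variant of the RAT
    is flagged before it ever executes.
    """
    p = PureWindowsPath(e.path)
    at_volume_root = p.parent == PureWindowsPath("C:\\")
    return at_volume_root and e.trigger in ("logon", "schedule")


def triage(entries: List[AutostartEntry]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, path, reasons) for every entry that matched at least one rule."""
    findings = []
    for e in entries:
        reasons = []
        if matches_indicators(e):
            reasons.append("indicator")
        if matches_ttp(e):
            reasons.append("ttp")
        if reasons:
            findings.append((e.host, e.path, reasons))
    return findings


# Constructed inventory: one original-variant host, one "sleeper" host with a
# different hash and no analysed C2 yet, and one benign vendor agent.
SAMPLE_INVENTORY = [
    AutostartEntry("ws-01", r"C:\install.exe", "a" * 64, "schedule", "c2-original.example"),
    AutostartEntry("ws-02", r"C:\install.exe", "b" * 64, "logon", None),
    AutostartEntry("ws-03", r"C:\Program Files\Vendor\agent.exe", "c" * 64, "logon", None),
]

if __name__ == "__main__":
    for host, path, reasons in triage(SAMPLE_INVENTORY):
        print(f"{host}: {path} matched by {', '.join(reasons)}")
```

Running the block shows ws-01 matched by both rules and ws-02 (the sleeper) matched by the TTP rule only; an indicator-only sweep would have reported ws-02 as clean. In practice the TTP rule would be tuned with additional context (signature status, file age, creating process), but the point is that it keys on how the adversary stages and launches the installer rather than on what the file happens to hash to.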
Understanding threat actors’ techniques, tactics, and procedures (TTPs) allows CTU analysts to extend their response capabilities well beyond what is available through just the use of technical indicators.