Big Game Hunting From A Forensic Point Of View

Oleg Skulkin: Hello everyone. Welcome to Magnet Virtual Summit. My name is Oleg Skulkin. I am a Senior Digital Forensic Analyst at Group-IB. And today we are going to talk about big game hunting again, this time from a forensic point of view. Of course, I think many of you are aware of what is big game hunting. These are semi targeted ransomware attacks, which were quite popular in 2020, and they are still very popular among a lot of financially motivated threat actors. But unfortunately we don’t see a lot of contents that have forensics in mind, because there are a lot of threat intelligence, there are a lot of various threat-hunting tips, but not forensic tips. So I decided to present a bit on this topic. So we’ll discuss two different cases today. And I’ll show you how you can use your forensic capabilities, and of course Magnet AXIOM, to fulfil your investigations. Okay. I think we can start. 

So, I’m Oleg. I’m doing DFIR for almost a decade now. Recently my main focus is on incident response, but still from time to time, I do various forensic cases as well. I’m a big threat intel enthusiast, and if you are doing instant response, it’s very important because you should know a lot about various threat vectors, and it helps a lot to job really fast and efficient. So if you had to do the incident response, made sure you have good threat intel provider or good threat intel team, or at least read all of these amazing open source blog posts and reports that are available. 

Also, I love sharing knowledge. Maybe you saw some posts, also I have some books like the Windows Forensics Cookbook, Mobile Forensics, and some others. And of course, as part of my day-to-day job, I participate in creating our threat intelligence [indecipherable] as well. Talking about certifications, I have a few: GCTI, GCFA,, and of course I’m a proud holder of Magnet’s Forensic Examiners Certification. 

Okay. Let’s start from some statistics. Talking about big game hunting and human-operated ransomware attacks, in 2020, an average ransomware demand increased to almost twice. And an average demand was $170,000. But also, [indecipberable] usually spend quite a lot of time and effort. Of course, the attack itself may be conducted in just a few hours, in a Friday night or Saturday night, but the timeframe when an organization is compromised, for example, a public facing server is compromised, or for example, some VPN appliances compromised, or some of the host in the environment infected by this or that bot, like [indecipherable] and others, which are very popular among various ransomware. It took some time for threat actors to make their final goal. So an average time from initial compromise to impact is 13 days, according to our statistics, of course.

And unfortunately, many companies are not ready for such attacks. And even if they pay for attacks to get decreased, they still have quite a long downtime. So again, according to our statistics, this is 18 days. And talking about the parameters of attack compromise, there are quite a few of them, but three most popular, there are of course external remote services, and among them, the most common vector was RDD brute force attacks. Unfortunately, due to pandemics, many companies had to use such service to do the transfer there in place to… for remote work as fast as possible and nobody to care about security. So unfortunately they still have these initial access back to number one. And some companies use very big VPN, and threat actors in some cases use brute force attacks, again against the bans or some vulnerabilities alliances.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


So remote — external remote — services was, and still is, number one initial access vector. Then as I already mentioned, quite a lot of various bots were used to gain initial access. So recently we saw ice stadi used to buy our email affiliates to gain initial access. In the past, we saw a lot of them, like [indecipherable] used to distribute programs somewhere. And in some cases, [indecipherable], then others like Qbot was used, for example, by [indecipherable] and software great. 

So efficient attacks are still very efficient, and many ransomware operators use them to gain initial access to target networks. I think you heard about various vulnerabilities that were used, for example, POS secure VPN was extremely popular vulnerability from 2019, but it was used even in 2020 to gain initial access, some even compromised firewalls to gain initial access. So this vector was also very popular. 

And we have some others, just 2% according to our statistics, but still quite interesting. For example, things, seven group who first worked with [indecipherable] and then started their own ransomware-as-a-service program, dark side, they used to infect their victims [indecipherable] backdoor. 

Another interesting example is when ransomware creators use [indecipherable] relationships, so they can compromise an IT provider and then use its capabilities to get into its clients’ networks and then move laterally and distribute ransomware enterprise-wide.

So, we are also releasing various materials, like costs and reports on verious ransomware protectors. So we released one for 2020 and the first part of 2021. And in this report, we use Mitrotech to map various tactics, techniques, and procedures used by various threat actors and created this heat map. So those are red, these are most popular, those are yellow, these are less popular, but still used by some operators. 

If you want to learn more about this heat map and learn more about ransomware attacks in general, you can use the QR code on this slide so you can download the report. It’s absolutely free and it may really help your investigation because it was created with forensics in mind, as well as intelligence and threat hunting.

So, let’s move to our case studies. I’ll present two of them. So the first one is Avaddon. It’s a kinda new ransomware as a service program. This threat vectors are not very sophisticated, but still in some cases they demanded quite big sums and compromised quite big companies.

So let’s start from an overview of this ransomware strain and ransomware as a service problem. So this this program launched in June 2020. So as I mentioned, it’s kind of new, but not very, of course. Just like many other threat actors involved in big game hunting and in human operated ransomware attacks, this group has its own DLS or data leaks site. So it doesn’t mean that the group extracts data during all the intrusions, but if you are investigating an attack where affiliate programs are involved, then you should search for artifacts of data exfiltration because some of their affiliates, they extract data. And then if the victim doesn’t want to pay the ransom, they post the data on the data leak site. 

So they use not only the big game hunting approach or integrated approach. Then this ransomware as a service program started, they also use [indecipherable] campaigns to distribute it, and they just wanted to infect, not a full domain, but just one host and to ask, not for big ransom, but just something around three hundred dollars, for example. 

And some bad feelings are used in those attacks, again, they’re weakened. So if the victim don’t want to pay ransom, then first they threatened them that they release database [indecipherable] on their database sites. If it doesn’t work, then they perform a DDoS attack against such victim. So this technique was originally used by another group called some Sancrypt, but then many other ransomware creators, including some notorious, like RPO used this technique as well. And as for Avaddon, as already mentioned, this group isn’t very sophisticated and as initial access technique, they usually use the RDP compromise. So they just buy RDP access to some compromised environments or perform a brute force attack to gain initial access. Of course, it’s not the only initial point of access, but still it’s a very popular among their affiliates.

So let’s look at some of [indecipherable]. And so of course, let’s start from initial access. As I already mentioned, it’s a remote desktop protocol. So we can focus on Windows event logs, and especially for the 6 24 from security. And if you’re using Magnet AXIOM, you may notice that it has a tab called remote desktop protocol. So it collects everything that’s related to remote desktop connections automatically. So it’s usually quite easy. 

You can just click [indecipherable], especially external IP addresses. And in this case, there was a successful connection from a Russian IP address. And again, this company wasn’t in Russia, and the company didn’t have any place from Russia. So it was quite suspicious. And in fact, it was really the case that the connection was not in [indecipherable]. 

Another interesting fact was that two weeks before this connection, there are other connections also not legit, performed, potentially, by other threat actors. So it looks like in this case of ransomware, I feel it’s just to access from our threat actors and it used to validate accounts to successfully connect to the victim environment. 

So again, of course the [indecipherable] security isn’t the only artifact you can use, but usually in remote desktop protocol tab, you can find various sources of this artifact. So just focus on any artifacts that are related from external RDP connections and look for suspicious connections, like not typical IP addresses, and things like that. 

Okay, let’s go through all of them. So once threat actors gained access to a compromised environment, to a public facing server, they used an advanced scanner to scan the network and understand are there any other hosts in the network so they can use them in their operations. Ransomware operators in general, especially those who use the brute force or who use some weak external remote services, they don’t use usually a lot of exploitation tools and a lot of hacking tools. They usually prefer to be not noisy. So in this case, they already had administrator account, and what’s more, this administrator account could be used to connect to other computers in the network. So they didn’t need to use a service such tools like Mimikatz, or for example, [indecipherable] to extract financials from memory, et cetera. 

So they already have generated credentials and all they need was just scan the network, understand where they are. And so they can move laterally and start ransomware distribution. Again, as already been mentioned, they are not very sophisticated, so they use just the same RDP protocol to move laterally, we’ll look at it a bit later. 

And here you can see that we extracted information about our advanced port sanner from Mcache. This artifact is interesting because it also have SHA-1 hash as part of data we can extract from it. So even if threat actors used not something like advanced scanner 253869, by something like 123.exe, we still can get the hash and we can use some services like wireless [indecipherable], or even just Google it, and understand that the tool that was run was, [indecipherable]. 

Why it’s important? Because in some cases ransomware is configured to the way that if it’s run successfully, it will include all the files except for some folders. So if they drop this tool in Downloads, in Documents for example, even if it has the extension, it still will be encrypted. So you can’t understand… if you don’t have decryptor you can’t understand what was it. So it’s very important to extract data from such artifacts so you can understand what exactly was the tool set used by attacks. Okay, let’s move forward.

It’s the same tab I mentioned before. It’s [indecipherable], but it’s a bit different now, because now we are interested in outgoing connections. As I said, these groups are usually used not only for initial access, but also to move laterally through the network. So they just scan the network. And they already have accounts [indecipherable] to other hosts in the domain. And so they just use RDP, connect to other hosts, and run manually, because of course they copy, run the ransomware and then they just double click it. So quite simple, but still we saw quite a lot of such cases, even if they’re simple, they still need to be investigated.

And again here we extracted some information from Windows event logs, and this is a part of ransomware execution process. In Avaddon, the persistence execution method is quite interesting. For example, my [indecipherable] has samples like fountain and others. They usually use runkey to become in the system. And for example, if you attempt to insert some flash drives with some files and try to copy them somewhere to do the incident response activity to solve and system administrators want to stop it, to want to do something, but then all these files are encrypted as well. 

It’s a bit different, but instead they use a task scheduler to create a scheduled task that will run a piece of ransomware. There are various ways to collect and analyse information about created tasks. For example, you can just analyze files in the system [indecipherable] tasks, or you can just, if it’s available, of course, extract such information from Windows event logs. 

So as you can see, this incident is quite simple. Threat actors just got inital access via RDP, then they scanned the network, understood that there are some other hosts available, and they use the same RDP protocol to laterally copy a piece of ransomware to the target hosts, and finally execute it.

Let’s move on and look at our second case study. This time, this Ryuk/Conti creators. If you read something about these groups you may know that it’s called [indecipherable] spider, and these the same group that’s operating [indecipherable]… they used Ryuk for quite a long time. So back in 2018 they started to use [inaudible] to distribute dreambot. Then they perform post explantation by a [indecipherable] strike or PowerShell [indecipherable]. And finally then, a network is penetrated, then they deployed ransomware. But in 2020 they introduced another piece of ransomware, it’s called Conti, it’s a bit different from Ryuk, because unlike Ryuk, it has its own data leak site but still more ransomware families are operated by one group. 

Okay. Let’s look at Ryuk a bit. So this ransomware family emerged in August 2018. As I already mentioned, it was distributed to via Trickbot infections. Then Ryuk operators doesn’t have a DLS, but they still can exfiltrate some data. They don’t post it anywhere, but still they can use it as a double extortion technique. 

When you knew their focus on the big game hunting, unlike Avaddon which was distributed via [indecipherable] and Conti operators, they just focus on big companies, so they just want to get as much as possible. Ryuk has been associated with Trickbot for a long time. But nowadays there are more bots involved, for example, [indecipherable] and of course [indecipherable]. And the most common initial access technique for this group is phishing. Again, instruct the Trickbot and other bots and use these infections to get into their victim environments.

So as already been mentioned, this ransomware apparatus used phishing, so if you are dealing with Ryuk or Conti, it’s a good idea to attempt to find any suspicious documents that were opened by the victim, especially if you already noticed that there are some activities associated Mazda or Trickbot. 

So here we have an evidence extracted from jumplist. It’s a file called subscriptions 1616161705. And if you’re following modern malware trends, you may notice that it looks like a document from a recent Bazaar call campaigns. This campaigns is quite important and quite interesting because it is not only phishing, but also because you will receive an email with paid subscription. And if you want to cancel it, you need to call a number in the email. And if you call you’ll be provided with instructions, how to visit efficient sites, how to download a weaponized Excel spreadsheet like this, and how to open it and even enable contents. So quite interesting attack vector. So this documents is one of such malicious documents, and we can see that it was opened by the user.

Now that it is opened, we can go to file system tab and look at file system timeline. So we can see that there is [indecipherable] file. Another piece of evidence pointing to the fact that this opened. And then we have some quite suspicious files that were created after Microsoft Excel was executed. 

So, yeah, it’s not on the slides, but there are even log files. After this, for example, prefetch files were created for [indecipherable] and run [indecipherable] too. This is very common and very suspicious. So let’s go forward and look what happened. 

So our two suspicious files, so first was 1171.D0 and the second 1171.0. So in fact it was just an executable file and it was used to decode this file. And actually this is a loader. So you can see the MZ signature, and if you’re at least a bit familiar with malware analysis you may notice that it looks like an executable file.

Okay. As I already mentioned, also, if your prefetch files versus file created, and for example we can look at run Rundll32. If you ever analyzed prefetch files — and I’m sure that you did — then prefetch files are interesting because they are not only a source of evidence for execution and they contain a number of executions. And if other can involve, for example, Windows 10, even timestamps for last eight executions, but also they contain information about related folders and files. And so here we can see that Rundll32 is related to our suspicious file, 1171.0, that, by the way, is located on the CU disk public, that is also quite a suspicious sign. And that means that Rundll32 was used to execute this file. So again, we know that it was an executable. So, and Rundll32 was used for proxy execution to bypass some defenses.

So again, if we look further, we can see you that after Rundll32 execution — and we already know that it’s most used to execute our suspicious file that was dropped by Microsoft Excel —  there are other files created — here we can see that the file is named KLJ.exe. And again, it’s located in a very suspicious folder, that is program data. So most likely this file is also quite suspicious or even malicious. 

So in this case, we extracted evidence of execution from Shim cache. as you can see, there is executed flag which is true, that means that it was executed as well. Okay. Let’s try to determine what is this file? But before, let’s look at some interesting execution techniques. So here we can see that background intelligence [indecipherable] was abused. And again, we can use Windows event logs that are collected by Magnet AXIOM. And for example, we already know the name of the file, so we can use [indecipherable] search to understand what artifacts sources we can analyze, to understand what happens. So here we can see that we also see this file name in the ground intelligence service log. And so this is a quite interesting way that was used by malware developers to execute this file again in order to bypass defenses. And [inaudible].

So in some cases we can extract very interesting information from web browsers. It’s not only just websites that were visited by the user, but some even IP addresses, that’s maybe related to some malware. 

For example here, we have an IP address or even a URL extracted from Microsoft Edge, and if you check this IP address, we can see that this IP address is associated with various  suspicious domains. So here we can see that this is Bazar back door. So malware family that is associated with a resource finder and with Rukh and Conti ransomware. So we can see that we are on the right way, and let’s continue our journey.

So again, of course it’s not the only thing that threat actors do. Of course they infect various companies with their bots, like Bazar, but then they need to perform some exploit, because they don’t want just infect and then treat one host, then that they want to compromise and encrypt the whole network. So here are some other interesting artifacts. For example, here we have evidence of execution of ADFIND.exe of this active directory [indecipherable] tool. Also, we began to use Edge files here, and so we can see that it was executed from C:\Users\Public, the same folder where we saw some suspicious files and then the dropped up to execution of malicious document. And also here, we see a few TXT files that were created as a result of a defined execution.

So again, we can see that threat actors started some post exploitation activities. Again, it may be a good time to start containing the incident, or just to check if there any evidence of lateral movement, et cetera. Of course, [indecipherable] not just the old school threat actors use various tools they use, for example, Bloodhound as well, to understand how to get privileged credentials the fastest way. And of course they used various post exploitation framework, like Cobalt Strikem Metasploit, and so on. 

So, next. Again, many threat actors want to execute various script [indecipherable] on some remote hosts because they need to, for example, to execute strike [indecipherable] or some remote,just enable for example, RDP on the [indecipherable], because it is very popular. It’s very convenient way to move laterally from one host to another host and to check what’s happening. Are there any security controls on the host, et cetera. 

So one of your best friends to detect such activity, especially if PS exec is used, and this is extremely popular tool, we see it almost on every engagements that’s involved in ransomware [inaudible] some scripts on multiple hosts, or they can even use it to ransomware enterprise wide. 

So event ID from system [indecipherable]. It’s an event that shows us that a service was installed in the system. And all the executions related to… have this event. So even if threat actors don’t use PS exec itself and they use, for example explanation frameworks, like Cobalt Strike, they still have the same set of frameworks. So they execute for example, Cobalt Strike beacon stage on remote host and use a model called the same, PS exec, or if they use PowerShell, psh, there will still be an event for the [indecipherable] because they will have to create the service on remote host. 

Of course, it’s not the only way to execute files or commands remotely. Threat actors might use [indecipherable] for example, or being around, but still PS exec is one of the most common and the most popular to that is used by various ransomware operates. So make sure you always check such events for any signs of suspicious activity.

So as already been mentioned, Ryuk doesn’t have any DLS or data lake sites, but contact operators have a dedicated data link site. And of course, they use various tools and various approaches to exfiltrate data from compromised networks. So here you have that, there is an executable called C.exe, was dropped and executed from [indecipherable] folder. And again, this time they don’t know the name based on the file naming, but still they can extract information from MCache, just like in the case of Avaddon. 

And using the hash, we can understand that this was our [indecipherable] executable. And also MCache contains not only [indecipherable] hashes, but also product names. So as you can see on the slide, we have product name that is our clone. So they don’t need to give the hash to understand what it is. Of course it can be forged, but anyway. You have even two sources, so you can double check. 

And of course this is quite popular. Not all Ryuk or Conti operators use Rclone — [indecipherable] and some others use that as well. In some cases, they just use some cloud storages. Some threat actors even install a media application on the target [indecipherable] and use it to efficiently extract data directly from the [indecipherable]. But in this case, you can see that our [indecipherable] was used to extract data.

And one more interesting thing about the attack and about sources. This is again related to remote desktop protocol, but it’s a bit, of course, as you can see on this slide, it’s merged not perfectly, but at the same time it merged automatically. And in this case, they are very interested in understanding what commands were executed on remote hosts by the threat actors. And not every environment have [indecipherable] capabilities. So it may be hard to impossible to understand what exactly threat actors did. 

And the most interesting thing here we can see is that threat actors used [indecipherable] to extract [indecipherable] and some registry files, so they can exchange data and use it to extract credentials, extract various privileged credentials from the files. So as you can see, when threat actors us heavily use legit tools, like [indecipherable] protocol — and they really use it very often — you can find some very interesting artifacts in not so common places. 

So again, if you want to learn more about ransomware, make sure you’ve checked our report on various ransomware operators, techniques and procedures based on MITRE attack, it’s still available for free, and you can use the QR code on the slide to download it. 

Thanks a lot for spending your time with me. It was a great pleasure to speak at Magnet Virtual Summit. I hope you have some questions and I’m more than ready to answer all of them. Thank you.

Leave a Comment