Varonis recently helped a customer who observed a spike in CPU activity on a server in their environment. An initial review of the device revealed an in-progress compromise by an advanced threat actor we later attributed to RansomHub affiliates.
Over the next 48 hours, our team worked closely with the customer to investigate, hunt, contain, and remediate the threat before it could become ransomware.
Due to our team's advanced intervention capabilities, we secured the customer’s network with zero business downtime. Continue reading to see how the incident started.
Initial Access
The incident started when a user downloaded and subsequently executed a file that they were led to believe was a legitimate browser update. In this case, it was a malicious JavaScript payload.
Initial execution of the malicious payload from a user click
The download kicked off a chain of automated reconnaissance and initial command and control activity, including enumerating Active Directory users and computers, querying key local system information, hunting for credentials in memory, and various other discovery techniques.
Within minutes, second-stage malware was deployed as a recurring Scheduled Task for persistence. Following this, a legitimate Python distribution was downloaded to %LOCALAPPDATA%\ConnectedDevicesPlatform, along with an encrypted Python script that acted as a SOCKS proxy to attacker infrastructure, exposing the corporate network directly to the Internet.
Downloading a legitimate Python distribution to %LOCALAPPDATA%\ConnectedDevicesPlatform
Installing additional Python packages from the Python distribution located at %LOCALAPPDATA%\ConnectedDevicesPlatform
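As an added illustration (not code from the Varonis post or its investigation), the following hunt runs over constructed telemetry lines and flags a Python interpreter that is launched from, or scheduled to run from, %LOCALAPPDATA%\ConnectedDevicesPlatform, the persistence pattern described above. The key=value event format, field names, user name and task name are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the original post), in a simplified
# key=value form resembling process-creation and scheduled-task events.
SAMPLE_EVENTS = [
    r'event=ProcessCreate image=C:\Users\jdoe\AppData\Local\ConnectedDevicesPlatform\python.exe parent=C:\Windows\System32\wscript.exe',
    r'event=ProcessCreate image=C:\Program Files\Python312\python.exe parent=C:\Windows\explorer.exe',
    r'event=TaskCreate name=\Microsoft\Windows\Maintenance\Sync action=C:\Users\jdoe\AppData\Local\ConnectedDevicesPlatform\pythonw.exe',
    r'event=ProcessCreate image=C:\Windows\System32\svchost.exe parent=C:\Windows\System32\services.exe',
]

# Path components that identify %LOCALAPPDATA%\ConnectedDevicesPlatform for any user.
SUSPECT_DIR = ("appdata", "local", "connecteddevicesplatform")
INTERPRETERS = {"python.exe", "pythonw.exe"}

def parse_event(line):
    """Split 'key=value key=value' into a dict; a value runs up to the next ' key='."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r'(\w+)=(.*?)(?=\s+\w+=|$)', line)}

def under_suspect_dir(path):
    r"""True if the path lies inside ...\AppData\Local\ConnectedDevicesPlatform."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for i in range(len(parts) - len(SUSPECT_DIR) + 1):
        if tuple(parts[i:i + len(SUSPECT_DIR)]) == SUSPECT_DIR:
            return True
    return False

def flag_event(ev):
    """Return a reason string if the event matches the incident's pattern, else None."""
    exe = ev.get("image") or ev.get("action")  # process image or scheduled-task action
    if not exe:
        return None
    name = PureWindowsPath(exe).name.lower()
    if under_suspect_dir(exe) and name in INTERPRETERS:
        if ev.get("event") == "TaskCreate":
            return f"scheduled task {ev.get('name')} runs {name} from ConnectedDevicesPlatform"
        return f"{name} launched from ConnectedDevicesPlatform (parent {ev.get('parent')})"
    return None

def hunt(lines):
    """Return (line, reason) pairs for every event that matches the pattern."""
    hits = []
    for line in lines:
        reason = flag_event(parse_event(line))
        if reason:
            hits.append((line, reason))
    return hits

if __name__ == "__main__":
    for _, reason in hunt(SAMPLE_EVENTS):
        print(reason)
```

A system-wide Python install, as in the second sample line, is deliberately not flagged; only an interpreter inside the per-user ConnectedDevicesPlatform folder matches.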