This is an automated archive.
The original was posted on /r/cybersecurity by /u/rvilladiego on 2023-08-28 03:25:37+00:00.
Lockbit Black code was leaked in September 2022. We have recently seen an increased number of ransomware variants based on the original Lockbit code and TTPs. However, one particular novelty of the most recent variants is a 'camouflage' technique used to maintain persistence.
The threat actor utilizes multiple commercial VPN services to conceal their actions. As a result, the direct connections observed against the identified vulnerable paths can be attributed only to the VPN infrastructure employed by the attacker. This deliberate use of VPNs masks their true identity and location, making it more challenging to trace their activities back to their original source.
By utilizing this configuration, the attacker gains the ability to execute commands from their own machine and subsequently propagate throughout the victim's network, making lateral movement effectively transparent. The attacker employs powerful tools such as Mimikatz and Cobalt Strike to assume control of the domain controller. They then initiate the final encryption phase from the compromised DC by establishing cascading RDP connections.
Some IOCs identified as C&C infrastructure of a variant named COPODE 1.0 are:
194.32.120.221
43.130.75.191
45.86.200.81
194.32.120.24
Stay vigilant!
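As an added example (not part of the original post), the two detection checks a defender would want after reading it: matching the four C&C addresses above against outbound firewall logs, and walking RDP session records to find the cascading RDP chains that start at the domain controller. The log format, host addresses, the DC address 10.0.0.10 and all sample lines are constructed for this illustration; the simplified RDP session records stand in for what you would extract from Windows 4624 logon events of type 10 on each host.

```python
import re
from collections import defaultdict

# IOC IP addresses listed in the post for the COPODE 1.0 variant.
COPODE_C2_IOCS = {
    "194.32.120.221",
    "43.130.75.191",
    "45.86.200.81",
    "194.32.120.24",
}

# Constructed sample firewall log lines (hypothetical key=value format).
SAMPLE_FW_LOG = """\
2023-08-27T22:01:03Z src=10.0.5.17 dst=194.32.120.221 dport=443 action=ALLOW
2023-08-27T22:01:09Z src=10.0.5.17 dst=142.250.72.14 dport=443 action=ALLOW
2023-08-27T22:03:41Z src=10.0.9.4 dst=45.86.200.81 dport=8443 action=ALLOW
2023-08-27T22:04:02Z src=10.0.9.4 dst=10.0.0.10 dport=3389 action=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_fw_log(text):
    """Parse the constructed key=value firewall format into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def find_c2_hits(events, iocs=COPODE_C2_IOCS):
    """Return every event whose source or destination is a listed C&C address."""
    return [e for e in events if e["dst"] in iocs or e["src"] in iocs]


# Constructed RDP session records: one entry per RDP logon, keyed by the
# connecting host (src) and the host logged on to (dst). Hypothetical addresses;
# 10.0.0.10 plays the domain controller.
DC_ADDRESS = "10.0.0.10"
SAMPLE_RDP_SESSIONS = [
    {"ts": "2023-08-27T22:10:00Z", "src": "10.0.0.10", "dst": "10.0.0.20"},  # DC -> file server
    {"ts": "2023-08-27T22:12:30Z", "src": "10.0.0.20", "dst": "10.0.7.44"},  # file server -> workstation
    {"ts": "2023-08-27T22:13:05Z", "src": "10.0.0.20", "dst": "10.0.7.45"},  # file server -> workstation
    {"ts": "2023-08-27T21:00:00Z", "src": "10.0.7.99", "dst": "10.0.7.98"},  # unrelated admin hop
]


def rdp_chains_from(sessions, root):
    """Return every RDP path that starts at `root` and continues hop by hop.

    A hop extends a chain when its source is the destination of the previous
    hop and it happened no earlier than that hop. Each returned chain is the
    list of hosts visited, starting with `root`.
    """
    edges = defaultdict(list)
    for s in sessions:
        edges[s["src"]].append(s)
    chains = []

    def walk(host, path, seen):
        extended = False
        for s in edges.get(host, []):
            if s["dst"] in seen:
                continue  # ignore loops back into hosts already on the path
            if path and s["ts"] < path[-1]["ts"]:
                continue  # a hop that predates the previous one is not a continuation
            extended = True
            walk(s["dst"], path + [s], seen | {s["dst"]})
        if path and not extended:
            chains.append([path[0]["src"]] + [s["dst"] for s in path])

    walk(root, [], {root})
    return chains


if __name__ == "__main__":
    for hit in find_c2_hits(parse_fw_log(SAMPLE_FW_LOG)):
        print("C2 contact:", hit["src"], "->", hit["dst"], "port", hit["dport"])
    for chain in rdp_chains_from(SAMPLE_RDP_SESSIONS, DC_ADDRESS):
        print("cascading RDP from DC:", " -> ".join(chain))
```

Two caveats when running this against real data: a hit on one of the four addresses identifies the VPN exit infrastructure the actor used, not the actor's own systems, so treat it as a trigger for investigation rather than as attribution; and any RDP chain starting at a domain controller deserves scrutiny, since a DC should almost never be the origin of interactive sessions to member hosts.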