Description:

Since August 2023, eSentire researchers observed cases of infection against the financial and manufacturing sectors involving the DarkGate malware. These activities, which were facilitated through Drive-by Downloads, began with the delivery of a Loader, disguised as fake installers and document reports, that led to the execution of an AutoIt script.

DarkGate is a commodity Loader written in Borland Delphi that was first identified in 2018 and has been advertised under the Malware-as-a-Service (MaaS) business model on popular cybercrime forums since June 2023. It has a wide range of capabilities, including environment reconnaissance, information collection, privilege escalation, and remote access software deployment.

In the final stages, DarkGate was observed deploying DanaBot, a Malware-as-a-Service (MaaS) focused on credential theft and banking fraud, which is executed via Process Hollowing or Process Injection.

This assessment template begins with the download and saving of a ZIP file that contains a malicious Visual Basic Script (VBS) which is used to retrieve a Microsoft Installer (MSI) from one of the attacker-controlled servers. The MSI file will be then executed using the msiexec.exe utility.

Then an AutoIT script is downloaded which adds the directory used to the Windows Defender exclusions list to avoid detection and achieves persistence through the startup folder. Next, DarkGate performs the reconnaissance tasks regarding the compromised environment and continues with the deployment of the DanaBot stealer, which is executed via Process Hollowing or Process Injection.

Configuration Notes: 
This Attack Graph is designed to run with Administrator permissions.

Additional Details:

https://www.esentire.com/blog/from-darkgate-to-danabot

Scenarios included in this Package:

• Download 2023-09 DarkGate ZIP Sample to Memory
• System Binary Proxy Execution using "msiexec.exe" Script
• Process Discovery Through Tasklist
• Exfiltrate Text File Containing Windows System Profiling Data via HTTP to Test Server
• Add Directory to Microsoft Defender Exclusion List using PowerShell
• Query "CurrentVersion" (HKCU) Registry Key using "reg query"
• Get User Default Locale Name via "GetUserDefaultLocaleName" Native API
• Code Injection via Load Library and Create Remote Thread
• Get User Default Locale ID via "GetUserDefaultLCID" Native API
• System Information Discovery Script
• Download 2023-10 DarkGate MSI Sample to Memory
• Parent PID Spoofing
• Persistence Through Startup Folder
• System Network Configuration Discovery
• Download 2023-09 DarkGate AU3 Sample to Memory
• Drive Type Discovery via "GetDriveTypeA" Native API
• Collect Browser Data via Esentutl using Powershell Script
• Save 2023-08 DarkGate VBS Sample to File System
• Save 2023-09 DarkGate ZIP Sample to File System
• Process Hollowing
• File and Directory Discovery Script
• Security Software Discovery Script
• Save 2023-10 DarkGate MSI Sample to File System
• Computer Name Discovery via "GetComputerNameA" Native API
• Save 2023-09 DanaBot Sample to File System
• Save 2023-09 DarkGate AU3 Sample to File System
• Discover Processor Name via Registry

Description:

On December 13, 2023, the U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) released a Cybersecurity Advisory (CSA) assessing that Russian Foreign Intelligence Service (SVR) cyber actors, also known as APT 29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, were observed exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023. The SVR has been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments. This emulation begins by downloading and saving GraphicalProton, a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs to exchange data with its operator, and continues by saving a legitimate application, which is then abused to execute the backdoor via DLL Side-Loading. Once the execution is successful, the attacker will seek to achieve persistence by creating a scheduled task. After this, the adversary will conduct local and network reconnaissance of the compromised system to collect information pertaining to the compromised environment and to identify systems on the network available for lateral movement. Next, the adversary will seek to collect available credentials on the system through multiple actions, ending with lateral movement to external systems via Windows Management Instrumentation (WMI). In the last stage, the attacker will download and save a modified version of the tunneler called Rsockstun, used to establish a tunnel to the C2 infrastructure, which will be executed via WMI. Finally, the adversary will bundle all the collected data into a file, to which benign data will be added via binary padding prior to exfiltration.

Configuration Notes:
This Attack Graph is designed to run with Administrator permissions.

Additional Details: • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

Scenarios included in this Package:

• Enable Restricted Admin Mode via Registry
• Process Discovery Through Tasklist
• Download 2023-10 GraphicalProton HTTP Sample to Memory
• Binary Padding (appended 101 MB) Script
• Dump SAM Registry Hive via "reg save" Command
• Download 2023-12 GraphicalProton HTTPS Sample to Memory
• Save 2023-12 Backdoored vcperf Sample to File System
• Persistence Through Scheduled Task
• System Network Connections Discovery
• Dump Windows Passwords with Obfuscated Mimikatz
• System Owner Group Discovery
• Enable LM Hash Mode via Registry
• System Owner/User Discovery Script
• Dump SYSTEM Registry Hive via "reg save" Command
• DLL Side-Loading
• Dump SECURITY Registry Hive via "reg save" Command
• Discover Drivers via “Get-WindowsDriver” PowerShell Command
• Use Registry to Disable Security Features: Disable Local Security Authority (LSA) Protection
• Create Process Through WMI
• Save 2023-12 Modified rsockstun Sample to File System
• Kerberoasting using Rubeus
• Download 2023-12 Modified rsockstun Sample to Memory
• Enumerate Domain Controllers using Nltest
• Discover Windows Services via "Get-WMIObject Win32_Service" PowerShell Command
• Process Discovery Through WMI
• Save 2023-12 GraphicalProton HTTPS Sample to File System
• Get Domain Controller Information through Windows Command Line
• Save 2023-10 GraphicalProton HTTP Sample to File System
• Data Staged Script

Description:

The AttackIQ "NIST- CSF Fundamentals" Basic Package is designed to align with the NIST Cybersecurity Framework (CSF) 2.0. The NIST CSF Basic Package is designed to provide a starting point for organizations assessing their security capabilities within the “Protect” category of NIST CSF. Protect is organized by Functions, Categories, and Subcategories. This focused approach enables clients to manage cybersecurity risks more effectively by strengthening the core protections that safeguard their assets and data.

Scenarios included in this Package:

• Test Web access to Anonymizer site www.proxyway.com
• Use Free Web-based Proxy Services
• Save TXT EICAR file to File System
• Save Zip EICAR file to File System
• Save EICAR file to File System
• Download TXT EICAR file to Memory
• Download Zip EICAR file to Memory
• Download EICAR file to Memory
• Exfiltrate Files over DNS A Record
• Dump Windows Passwords with Original Mimikatz
• Dump Passwords using LaZagne
• Dump Windows Passwords with Obfuscated Mimikatz