BlackByte

Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.

"...encoded commands in base64-encoded sections concatenated together in PowerShell." / "...decoded via PowerShell." / "...deobfuscated encoded PowerShell commands..."

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”

"Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2"; "inject shellcode into svchost.exe"; "inject a Cobalt Strike beacon into Rundll32.exe"; "VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread"

BYOVD (Bring Your Own Vulnerable Driver) is a class of attack in which threat actors drop known vulnerable drivers on a compromised machine and then exploit the bug(s) to gain kernel-level privileges.

“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”

BlackByte Ransomware Registry Changes - CMD ... 1. Elevate Local Privilege by disabling UAC Remote Restrictions

"...compiled code is obfuscated... prior to delivery..." / "...Base64 obfuscated scripts and commands." / "...distributed as an obfuscated JavaScript launcher file."

During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as .txt files.

Kapeka masquerades as a Microsoft Word Add-In file, with the extension .wll, but is a malicious DLL file.

"Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2"; "inject shellcode into svchost.exe"; "inject a Cobalt Strike beacon into Rundll32.exe"; "VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread"

"vba_macro.exe deletes itself..."; "AcidPour includes a self-delete function where the malware deletes itself from disk after execution"; "APT29 has used SDelete to remove artifacts"; "Operation Wocao... overwriting a file... and then deleting the overwritten file"

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.

Multiple malware families (e.g., Avaddon, Bazar, Clop, Ryuk, REvil, LockBit, Zeus Panda) check OS language/keyboard layout/locale and terminate or alter execution if the system matches excluded languages (commonly Russian/CIS) or does not match desired target languages (e.g., Spanish/Portuguese, Arabic, Persian).

“SolarWinds Compromise… APT29 used HTTP for C2 and data exfiltration.” “BeaverTail… HTTP POST to exfiltrate data to C2 infrastructure.” “StealBit can use HTTP to exfiltrate files…” “ThiefQuest uploads files via unencrypted HTTP.”

По информации аналитиков, сервис активно использовался операторами шифровальщиков... а также с атаками вымогателей Rhysida, Akira, INC, Qilin и BlackByte. ... что позволяло обходить защитные механизмы Windows и разворачивать в системе вымогатель Rhysida.

Multiple ransomware/wiper families are described as deleting Volume Shadow Copies and other recovery artifacts using built-in Windows tooling (e.g., vssadmin.exe delete shadows /all /quiet, wmic.exe shadowcopy delete, wbadmin.exe delete catalog -quiet) and disabling recovery (e.g., bcdedit /set {default} recoveryenabled no).

At this level of access, attackers can accomplish a lot: hide malware, dump credentials, and, crucially, attempt to disable EDR solutions.