RUDEBIRD

The process was executed with the parent process ( w3wp.exe ) coming from a Microsoft Exchange application pool. This is consistent with the exploitation of an unpatched Exchange vulnerability, and prior research supports that hypothesis.

After the initial enumeration stage, RUDEBIRD operates as a traditional backdoor with the following capabilities... Launch new processes

MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component... The Crimson Palace campaign included over 15 distinct DLL sideloading scenarios... Cluster Alpha activity included multiple sideloading attempts to deploy various malware... Cluster Bravo used renamed versions of a signed side-loadable binary (mscorsvw.exe) to obfuscate backdoor deployment.

Upon establishing a connection to C2, The malware downloads executable files from C2... then extracts the entry point and modifies memory protections to allow execution using the VirtualProtect API. Payload execution in the same process

The attacker created two DLLs (swprvs.dll and appmgmt.dll)... An ‘s’ was added to the filename of the legitimate swprv.dll and the ‘s’ was removed from the legitimate appmgmts.dll.

Upon establishing a connection to C2, The malware downloads executable files from C2... then extracts the entry point and modifies memory protections to allow execution using the VirtualProtect API. Payload execution in the same process

the HUI loader (msedge_elf.dll), which de-obfuscated the file log.ini to reveal a Cobalt Strike reflective Loader

the actor frequently abused endpoint protection software binaries to sideload their malicious payloads.

MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component... The Crimson Palace campaign included over 15 distinct DLL sideloading scenarios... Cluster Alpha activity included multiple sideloading attempts to deploy various malware... Cluster Bravo used renamed versions of a signed side-loadable binary (mscorsvw.exe) to obfuscate backdoor deployment.

The malware gathers key information about the compromised system: The computer's name is obtained using the GetComputerNameW function... The processor architecture information is acquired using the GetNativeSystemInfo function... The ProductName, EditionID, and CurrentBuildNumber are extracted from the designated registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion

After the initial enumeration stage, RUDEBIRD operates as a traditional backdoor with the following capabilities: Retrieve victim’s desktop directory path Retrieve disk volume information Perform file/directory enumeration...

RUDEBIRD used PsExec ( exec.exe ) to execute itself from the SYSTEM account and then move laterally from victim 0 to another targeted host. "C:\windows\help\exec.exe" /accepteula \\{victim-1} -d -s C:\windows\debug\RVTDM.EXE

RUDEBIRD used PsExec ( exec.exe ) to execute itself from the SYSTEM account and then move laterally from victim 0 to another targeted host.

the overall goal behind the campaign was to maintain access to the target network for cyberespionage... deploying various malware implants for command-and control (C2) communications... Use of multiple persistent C2 channels including Merlin Agent, PhantomNet backdoor, RUDEBIRD malware, EAGERBEE malware, and PowHeartBeat backdoor... Deployment of several samples of... PocoProxy for persistent C2 communications.