Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

Jan. 27, 2025, 2:25 p.m.

Description

This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec. They conducted extensive reconnaissance and credential harvesting across multiple systems. After 11 days, they deployed LockBit ransomware using a combination of WMI and PsExec. The attack involved disabling Windows Defender, leveraging scheduled tasks, and exploiting legitimate processes. The threat actor exfiltrated data to MEGA.io and an FTP server before encrypting the environment.

Date

  • Created: Jan. 27, 2025, 12:59 p.m.
  • Published: Jan. 27, 2025, 12:59 p.m.
  • Modified: Jan. 27, 2025, 2:25 p.m.

Indicators


Attack Patterns

  • GhostSOCKS
  • SystemBC
  • LockBit
  • Cobalt Strike - S0154