EDR Bypass Testing Reveals Extortion Actor's Toolkit

Nov. 4, 2024, 11:31 a.m.

Description

Unit 42 investigated an extortion attempt where threat actors tested an AV/EDR bypass tool on rogue systems with Cortex XDR installed. The actors purchased network access via Atera RMM and used a BYOVD technique for the bypass tool. Researchers gained visibility into the actors' systems, uncovering tools, files, and identifying information. The bypass tool was traced to cybercrime forum posts by user KernelMode. Analysis revealed connections to Conti ransomware training materials and overlaps with known TTPs. A Kazakh company and individual were linked to the activity through exposed documents and video artifacts. The incident highlights the growing trend of AV/EDR bypass tools and the monetization of such capabilities in cybercrime forums.

Date

  • Created: Nov. 2, 2024, 1:03 a.m.
  • Published: Nov. 2, 2024, 1:03 a.m.
  • Modified: Nov. 4, 2024, 11:31 a.m.

Attack Patterns

  • SafetyKatz
  • Rubeus
  • Mimikatz
  • Rclone
  • SharpHound
  • Cobalt Strike - S0154
  • TA0006
  • TA0010
  • TA0007
  • TA0001
  • TA0008
  • TA0005
  • TA0003
  • TA0011

Additional Information

  • Kazakhstan