Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

Oct. 1, 2024, 10:29 a.m.

Description

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, using Python scripts to load the beacons in memory. They performed network enumeration with various tools and, after harvesting credentials, moved laterally with Impacket. Data exfiltration was carried out with the Restic backup tool. Eight days after initial access, the attackers changed a privileged user's password and deployed BlackCat ransomware across the domain, using PsExec to run a batch script. The intrusion lasted 156 hours over 8 days and ended with file encryption and ransom notes left on the affected systems.

Date

Published: Oct. 1, 2024, 10:05 a.m.
Created: Oct. 1, 2024, 10:05 a.m.
Modified: Oct. 1, 2024, 10:29 a.m.

Indicators


Attack Patterns

Malware and tools: BlackCat - S1068, Nitrogen, Noberus, ALPHV, Sliver, Cobalt Strike - S0154

ATT&CK techniques: T1021.002, T1069.002, T1069.001, T1087.001, T1003.001, T1039, T1569.002, T1021.001, T1055.001, T1547.004, T1059.006, T1070.001, T1048, T1135, T1053.005, T1490, T1482, T1574.002, T1018, T1059.003, T1059.001, T1189, T1071.001, T1036.005, T1204.002, T1486, T1105, T1570, T1047, T1055, T1036, T1098