TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit

    Date: 11/13/2024

    Severity: Critical

    Summary

    This article summarizes a Unit 42 incident (referenced below) in which a threat actor attempted, unsuccessfully, to bypass Cortex XDR. The investigation offered insight into the actor's methods: they had purchased access to the victim's network, reached through an Atera RMM deployment, from an initial access broker. The attacker then set up rogue systems on which they installed the Cortex XDR agent in a virtual machine, using it to test a new AV/EDR bypass tool that relied on the "bring your own vulnerable driver" (BYOVD) technique.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    beamofthemoon.com

    mail.beamofthemoon.com

    store.beamofthemoon.com

    IP addresses:

    94.75.225.81

    82.192.88.95

    89.251.22.32

    180.131.145.85

    SHA-256 hashes:

    3758c5eb1fbab2362ef23091f082710606c1b4ebaeaff9b514896dc2a1e2ab17

    1228fd70d7ce0f31f7e7c98520e66a01935e428be561ce0d25140ba33598f688

    6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143

    14364f1969b83cf4ec2c0e293c6b4d8f750932f6cbf9a8f32173400de33469fd

    264a29a703682456ebe9f679a0e7d18291af84ef4b53a669c2555061e4972394

    61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1

    8d36705a5b7f6179fdef2d600276f9c0cc6cb3b0a670c11d66baaaea6bd2c8ad

    41f32a3d67b3f983c82070e067a121dd5b8fae2804c97e684acc7f599ba308da

    6e37a054bd7c49b233cace747951911f320bd43be8a79ce455b97403c2f7de2c

    aa97acd5628c1f7a16cb98e7b9ce7228119759133f1649b1d5ed849a1a98448b

    97f2676c6d1e16264584ce4c1f1e8790598ba2a85ae08e3d6e394669240b9908

    0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298

    7c8559134a49c8d8739b66a549f10b22d4fd16afaff51976562f995b2bcd01a9

    22f52c9e66330642e836aaf1b6573dd7452e76e0f0b5e6ac594a0278689e1d8f

    49d01f2e32808e24dc8129d3c1ebe444f71792ddec2efabee354335fc6d6f64c

    71dfb3f52df040644221f8c59215f83eb516186b6f82dbbb2c16bf3c22e4baf6

    d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb

    8b9c7d2554fe315199fae656448dc193accbec162d4afff3f204ce2346507a8a

    f1c45cbbd98619e197154085a05fd972283af6788343aa04492e35798a06e2b7

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "beamofthemoon.com" or url like "beamofthemoon.com" or userdomainname like "mail.beamofthemoon.com" or url like "mail.beamofthemoon.com" or userdomainname like "store.beamofthemoon.com" or url like "store.beamofthemoon.com" 

    IP addresses:

    dstipaddress IN ("89.251.22.32","82.192.88.95","180.131.145.85","94.75.225.81") or ipaddress IN ("89.251.22.32","82.192.88.95","180.131.145.85","94.75.225.81") or publicipaddress IN ("89.251.22.32","82.192.88.95","180.131.145.85","94.75.225.81") or srcipaddress IN ("89.251.22.32","82.192.88.95","180.131.145.85","94.75.225.81")

    SHA-256 hashes:

    sha256hash IN ("0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298","6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143","6e37a054bd7c49b233cace747951911f320bd43be8a79ce455b97403c2f7de2c","61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1","f1c45cbbd98619e197154085a05fd972283af6788343aa04492e35798a06e2b7","d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb","8b9c7d2554fe315199fae656448dc193accbec162d4afff3f204ce2346507a8a","3758c5eb1fbab2362ef23091f082710606c1b4ebaeaff9b514896dc2a1e2ab17","1228fd70d7ce0f31f7e7c98520e66a01935e428be561ce0d25140ba33598f688","14364f1969b83cf4ec2c0e293c6b4d8f750932f6cbf9a8f32173400de33469fd","264a29a703682456ebe9f679a0e7d18291af84ef4b53a669c2555061e4972394","8d36705a5b7f6179fdef2d600276f9c0cc6cb3b0a670c11d66baaaea6bd2c8ad","41f32a3d67b3f983c82070e067a121dd5b8fae2804c97e684acc7f599ba308da","aa97acd5628c1f7a16cb98e7b9ce7228119759133f1649b1d5ed849a1a98448b","97f2676c6d1e16264584ce4c1f1e8790598ba2a85ae08e3d6e394669240b9908","7c8559134a49c8d8739b66a549f10b22d4fd16afaff51976562f995b2bcd01a9","22f52c9e66330642e836aaf1b6573dd7452e76e0f0b5e6ac594a0278689e1d8f","49d01f2e32808e24dc8129d3c1ebe444f71792ddec2efabee354335fc6d6f64c","71dfb3f52df040644221f8c59215f83eb516186b6f82dbbb2c16bf3c22e4baf6")
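    The queries above match the listed values literally in the Gurucul TDIR platform. As an added example (not Gurucul's or Unit 42's code), the following Python runs the same three IOC sets over a handful of constructed key=value log lines, so the matching logic can be checked offline. Its HASHES_RAW array reproduces the hash lines as originally published (21 entries, two of them repeats) and collapses them to the 19 unique digests that the sha256hash query uses; it also normalises digest case and, as a design choice that goes beyond the literal queries, treats each listed domain as covering its subdomains while rejecting lookalike suffixes. The log format, the log lines and the field names are assumptions made for the example.

```python
"""Sweep constructed sample logs for the IOCs listed on this page.

Added example, not Gurucul's or Unit 42's code. Domains, IPs and SHA-256
digests are copied from the IOC list; the key=value log lines, their field
names and the timestamps are constructed for illustration only.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DOMAINS = {"beamofthemoon.com", "mail.beamofthemoon.com", "store.beamofthemoon.com"}
IPS = {"94.75.225.81", "82.192.88.95", "89.251.22.32", "180.131.145.85"}

# Hash lines as originally published on the page (21 lines, two of them repeats).
HASHES_RAW = [
    "3758c5eb1fbab2362ef23091f082710606c1b4ebaeaff9b514896dc2a1e2ab17",
    "1228fd70d7ce0f31f7e7c98520e66a01935e428be561ce0d25140ba33598f688",
    "6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143",
    "6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143",
    "14364f1969b83cf4ec2c0e293c6b4d8f750932f6cbf9a8f32173400de33469fd",
    "264a29a703682456ebe9f679a0e7d18291af84ef4b53a669c2555061e4972394",
    "61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1",
    "8d36705a5b7f6179fdef2d600276f9c0cc6cb3b0a670c11d66baaaea6bd2c8ad",
    "41f32a3d67b3f983c82070e067a121dd5b8fae2804c97e684acc7f599ba308da",
    "6e37a054bd7c49b233cace747951911f320bd43be8a79ce455b97403c2f7de2c",
    "aa97acd5628c1f7a16cb98e7b9ce7228119759133f1649b1d5ed849a1a98448b",
    "97f2676c6d1e16264584ce4c1f1e8790598ba2a85ae08e3d6e394669240b9908",
    "0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298",
    "7c8559134a49c8d8739b66a549f10b22d4fd16afaff51976562f995b2bcd01a9",
    "1228fd70d7ce0f31f7e7c98520e66a01935e428be561ce0d25140ba33598f688",
    "22f52c9e66330642e836aaf1b6573dd7452e76e0f0b5e6ac594a0278689e1d8f",
    "49d01f2e32808e24dc8129d3c1ebe444f71792ddec2efabee354335fc6d6f64c",
    "71dfb3f52df040644221f8c59215f83eb516186b6f82dbbb2c16bf3c22e4baf6",
    "d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb",
    "8b9c7d2554fe315199fae656448dc193accbec162d4afff3f204ce2346507a8a",
    "f1c45cbbd98619e197154085a05fd972283af6788343aa04492e35798a06e2b7",
]
SHA256_RE = re.compile(r"[0-9a-f]{64}")
KV_RE = re.compile(r"(\w+)=(\S+)")  # constructed log format: space-separated key=value


def dedupe_hashes(raw):
    """Lowercase, reject anything that is not a SHA-256 hex digest, drop repeats."""
    seen, out = set(), []
    for h in raw:
        h = h.strip().lower()
        if not SHA256_RE.fullmatch(h):
            raise ValueError(f"not a SHA-256 digest: {h!r}")
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


HASHES = set(dedupe_hashes(HASHES_RAW))


def domain_matches(host):
    """True for a listed domain or any subdomain of one (an apex IOC is treated as
    covering hosts under it); lookalikes such as beamofthemoon.com.example do not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def ip_matches(value):
    """Parse first so '094.75.225.81' style variants normalise before comparison."""
    try:
        return str(ipaddress.ip_address(value)) in IPS
    except ValueError:
        return False


def sweep(lines):
    """Return (line_number, ioc_type, value) for every IOC hit in key=value log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = dict(KV_RE.findall(line))
        for key in ("src", "dst", "ip"):
            if key in f and ip_matches(f[key]):
                hits.append((n, "ip", f[key]))
        hosts = [f[k] for k in ("host", "domain") if k in f]
        if "url" in f and urlsplit(f["url"]).hostname:
            hosts.append(urlsplit(f["url"]).hostname)
        hits += [(n, "domain", h.lower()) for h in hosts if domain_matches(h)]
        if "sha256" in f and f["sha256"].lower() in HASHES:
            hits.append((n, "hash", f["sha256"].lower()))
    return hits


# Constructed sample logs (not from the incident); lines 1, 2, 3, 5 and 6 should hit.
SAMPLE_LOGS = [
    "ts=2024-11-01T10:02:11Z src=10.0.0.5 dst=94.75.225.81 proto=tcp dport=443",
    "ts=2024-11-01T10:02:12Z src=10.0.0.5 dst=203.0.113.9 host=mail.beamofthemoon.com",
    "ts=2024-11-01T10:03:00Z proc=update.exe sha256=6106D1CE671B92D522144FCD3BC01276A975FE5D5B0FDE09CA1CCA16D09B7143",
    "ts=2024-11-01T10:04:00Z src=10.0.0.7 dst=198.51.100.4 host=example.org",
    "ts=2024-11-01T10:05:00Z src=10.0.0.8 dst=198.51.100.5 host=cdn.beamofthemoon.com",
    "ts=2024-11-01T10:06:00Z src=10.0.0.9 dst=203.0.113.20 url=https://store.beamofthemoon.com/login",
    "ts=2024-11-01T10:07:00Z src=10.0.0.9 dst=203.0.113.21 host=beamofthemoon.com.example",
]

if __name__ == "__main__":
    print(f"{len(HASHES_RAW)} hash lines published, {len(HASHES)} unique")
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
```

    The hash line in the sample is deliberately upper-case: file-integrity tools and EDR telemetry differ in digest case, so a sweep that compares raw strings against the lower-case list above silently misses hits. The subdomain rule is broader than the published queries; keep it if the apex domain is attacker-controlled, and fall back to exact matching where an apex is shared infrastructure.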

    Reference:

    https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/


    Tags

    Malware, Extortion
