Guest contributors to this blog: Brian Kerns and Vedran Tomljanovic.
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
There’s a saying that nothing can be certain except death and taxes; in today’s cyber threat landscape, we can add ransomware to that short list. One AT&T Managed Threat Detection and Response customer nearly had an incident at the crossroads of taxes and ransomware, but thanks to the SentinelOne advanced EDR platform, the attack was detected and stopped automatically. The combined efforts of the MTDR SOC, Threat Hunters, and the AT&T Alien Labs team then led to a swift customer escalation, root cause discovery, and analysis of what turned out to be the still surprisingly effective and relevant activity of the Sodinokibi ransomware gang.
Initial Alarm Review:
The MTDR SOC received two SentinelOne Malware Detected alarms related to a malicious file running from a user’s temp folder on the same host:
Attackers often trick users into opening malicious files by making them look legitimate. From the SentinelOne events, we can see that the file was most likely delivered inside a zip archive, which the user opened and then double-clicked the file within it. We can also see that the Mitigation Status is “Mitigated” and that the “Kill” action succeeded four times, meaning the process was launched (or relaunched) four times and terminated each time.
Although there were no additional malware-related alerts and the potentially malicious process had been killed successfully and autonomously, this event warranted escalation and deeper investigation: an autonomous kill stops the process, but it does not tell you how the file got there or what it was trying to do. The two malware events were added to an Investigation and the client was notified per their incident response plan (IRP).
At a high level, we can see that a registry key is created, a value is written to it, and an array holds three possible locations from which the stage 2 payload could be downloaded. Looking deeper into the strings in memory, we can see the fully built URL:
We then turned to the AT&T Alien Labs Open Threat Exchange (OTX) to see what else we could learn about these domains. We found similar observed uniform resource identifier (URI) patterns and determined that one of the possible download locations, www[.]leschiensdelabistade[.]fr, is a known-bad domain associated with Sodinokibi ransomware (also known as BlueCrab):
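The steps above (pulling candidate download locations out of the strings found in memory, defanging them for safe sharing with the customer, and checking them against a threat-intelligence list) are routine enough to script. The following is an added example written for this article, not tooling from the AT&T SOC or SentinelOne. The sample "strings" output is constructed: only the two domains named in this write-up are real observations; the third array entry, the URL path, and the registry key name are placeholders, and the known-bad list stands in for the OTX lookup described above.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the strings recovered from the dropper's memory.
# Only the two domains named in the write-up are real; everything else
# (registry key name, third host, URL path) is a placeholder.
SAMPLE_STRINGS = "\n".join([
    "HKCU\\Software\\ConstructedKey",  # placeholder registry path
    'var hosts = ["www.leschiensdelabistade.fr", "longshotproductions.tv", "third-host.invalid"];',
    "http://www.leschiensdelabistade.fr/constructed/path.php?x=1",  # placeholder path
])

# Stand-in for the OTX result: hostname -> associated threat. Assumed, not a live lookup.
KNOWN_BAD = {"www.leschiensdelabistade.fr": "Sodinokibi"}

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# Quoted hostnames, as they appear in a JavaScript-style string array.
QUOTED_HOST_RE = re.compile(r'"((?:[a-z0-9-]+\.)+[a-z]{2,})"', re.IGNORECASE)


def extract_urls(text):
    """Return fully formed http(s) URLs found in the strings, in order of appearance."""
    return URL_RE.findall(text)


def candidate_hosts(text):
    """Return unique hostnames from quoted arrays and from any full URLs, in order seen."""
    hosts = [h.lower() for h in QUOTED_HOST_RE.findall(text)]
    hosts += [urlparse(u).hostname for u in extract_urls(text) if urlparse(u).hostname]
    seen, ordered = set(), []
    for h in hosts:
        if h not in seen:
            seen.add(h)
            ordered.append(h)
    return ordered


def defang_host(host):
    """Make a hostname non-clickable: example.com -> example[.]com."""
    return host.replace(".", "[.]")


def defang(url):
    """Defang a URL: neutralize the scheme and bracket the dots in the host only."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    safe_scheme = parsed.scheme.replace("http", "hxxp")
    url = url.replace(parsed.scheme + "://", safe_scheme + "://", 1)
    return url.replace(host, defang_host(host), 1)


def triage(text, known_bad):
    """For each candidate host, record TI verdict and whether it is fetched over plain HTTP."""
    urls = extract_urls(text)
    findings = []
    for host in candidate_hosts(text):
        plaintext = any(
            u.startswith("http://") and urlparse(u).hostname == host for u in urls
        )
        findings.append({
            "host": defang_host(host),
            "known_bad": known_bad.get(host),   # None when TI has nothing on it
            "plaintext_http": plaintext,
        })
    return findings


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_STRINGS):
        print("built URL:", defang(url))
    for finding in triage(SAMPLE_STRINGS, KNOWN_BAD):
        print(finding)
```

Hosts that come back with no indicator hit (here, longshotproductions[.]tv) are not cleared by this step; they are exactly the ones to hand to the customer for correlation against proxy logs and browser history, which is what happened next in this investigation.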
When we provided the longshotproductions[.]tv domain to the client, they discovered it was one of two URLs in the user’s browser history visited around the time of the alerts:
This site stood out for two reasons: it was served over plain HTTP rather than HTTPS, and the domain name itself does not suggest a site where anyone would go to find tax information. Clicking on the link shows this page:
The page is sparse and highly suspicious: it offers a download link as the answer to what should be a straightforward tax question.
When you hover to see where that link goes:
Compare that to our assumed delivery link: