Investigation into a Nefilim Attack Shows Signs of Lateral Movement, Possible Data Exfiltration

by Joelson Soares, Erika Mendoza, and Jay Yaneza

Trend Micro’s Managed XDR (MxDR) and Incident Response (IR) teams recently investigated an incident involving a company that was hit by the Nefilim ransomware, which was initially discovered in March 2020. What makes Nefilim especially devious is that the threat actors behind the attack threaten to release the victim’s stolen data on an online leak site.

This represents a double whammy for the company—besides the threat of losing their data, they’re also at risk of having it published online. Even if the organization pays the ransom and gets its data restored, the threat actors behind the attack will still have access to it. This kind of scheme isn’t unique; it has also been observed on other ransomware such as Sodinokibi and DoppelPaymer.

Timeline of the attack

The following events, which occurred on the same day in mid-March 2020, were observed using Trend Micro Deep Discovery Inspector (DDI).

DDI first observed an attempt to download a malicious file (detected as Trojan.Win64.NEFILIM.A) that is used to download a RAR archive from a VPS-hosted server. A few hours later, there was an attempt to download a RAR archive containing multiple files, the details of which are described below:

  • The ransomware file itself
  • Psexec.exe, to execute remote commands
  • A batch file to stop services/kill processes
  • A batch file that uses ‘copy’ command to distribute the batch file that stops services/kills processes to multiple hosts, on c:\Windows\Temp
  • A batch file that uses ‘copy’ command to spread the ransomware file to multiple hosts, on c:\Windows\Temp
  • A batch file that utilizes WMI to distribute the batch file that stops services/kills processes to multiple hosts, on c:\Windows\Temp. Contains hard-coded admin credentials.
  • A batch file that utilizes WMI to distribute the ransomware file to multiple hosts, on c:\Windows\Temp. Contains hard-coded admin credentials.
  • A batch file that executes psexec.exe to remotely execute the batch file to stop services/kill processes. Contains hard-coded admin credentials.
  • A batch file that executes psexec.exe to execute the ransomware file remotely. Contains hard-coded admin credentials.
  • A batch file that utilizes WMI to remotely execute the batch file to stop services/kill processes. Contains hard-coded admin credentials.
  • A batch file that utilizes WMI to execute the ransomware remotely. Contains hard-coded admin credentials.

After downloading the RAR archive, the batch files listed above were used in combination to ensure success:

  • The batch file that stops services/kills processes and the ransomware file were distributed to the target hosts either via the copy command or via WMI
  • Remote execution was made possible through stolen admin credentials, via PsExec or WMI

Trend Micro Deep Security™ (DS) also observed suspicious activity in the system, beginning with behavior blocking (terminate action) being triggered for taskkill.exe launched via CMD. Next, remote code execution activity via SMBv1 and PsExec was observed in the system. Finally, the Nefilim ransomware was detected.
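The process-level patterns described above (files copied into C:\Windows\Temp on other hosts, WMI and PsExec remote execution with credentials on the command line, taskkill used to stop services) can be turned into detection logic run over process-creation events. The following Python is an added example, not code from the Trend Micro write-up or from the incident; the event schema, host names, account name and password placeholder are constructed, and the rule weights are a judgement call.

```python
"""
Added example (not from the Trend Micro write-up): detection logic for the
command-line patterns the incident describes. Field names and events are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed process-creation events (hypothetical schema: host, user, image, cmdline).
# Hosts, the account name and the password value are invented placeholders.
EVENTS = [
    {"host": "CITRIX01", "user": "CORP\\svc_admin", "image": "cmd.exe",
     "cmdline": r"cmd /c copy C:\Users\Public\stop.bat \\10.0.1.25\C$\Windows\Temp\stop.bat"},
    {"host": "CITRIX01", "user": "CORP\\svc_admin", "image": "wmic.exe",
     "cmdline": r"wmic /node:10.0.1.25 /user:CORP\svc_admin /password:PLACEHOLDER process call create C:\Windows\Temp\stop.bat"},
    {"host": "CITRIX01", "user": "CORP\\svc_admin", "image": "psexec.exe",
     "cmdline": r"psexec.exe \\10.0.1.26 -u CORP\svc_admin -p PLACEHOLDER -d C:\Windows\Temp\encrypt.exe"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": "taskkill.exe",
     "cmdline": r"taskkill /F /IM sqlservr.exe"},
    {"host": "WS07", "user": "CORP\\jdoe", "image": "cmd.exe",
     "cmdline": r"cmd /c copy report.xlsx D:\share\report.xlsx"},
]

# (rule name, regex over the command line, weight). Weights are an assumption.
RULES = [
    ("copy_to_remote_windows_temp",
     re.compile(r"\bcopy\b.*\\\\[^\\\s]+\\[a-z]\$\\windows\\temp\\", re.I), 3),
    ("wmi_remote_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create", re.I), 3),
    ("psexec_remote_exec",
     re.compile(r"\bpsexec(\.exe)?\b.*\\\\\S+", re.I), 3),
    ("explicit_credentials_on_cmdline",
     re.compile(r"(/user:|/password:|\s-u\s|\s-p\s)", re.I), 2),
    ("windows_temp_script_path",
     re.compile(r"\\windows\\temp\\\S+\.(bat|cmd|exe)\b", re.I), 1),
    ("taskkill_force",
     re.compile(r"\btaskkill(\.exe)?\b.*/f\b", re.I), 2),
]
WEIGHTS = {name: weight for name, _, weight in RULES}


def match_rules(event):
    """Names of the rules whose regex matches this event's command line, in RULES order."""
    return [name for name, rx, _ in RULES if rx.search(event["cmdline"])]


def score_event(event):
    """Summed weight of all matching rules for one event."""
    return sum(WEIGHTS[name] for name in match_rules(event))


def detect(events, threshold=3):
    """Events scoring at or above the threshold, grouped by the host they ran on."""
    findings = defaultdict(list)
    for ev in events:
        names = match_rules(ev)
        score = sum(WEIGHTS[n] for n in names)
        if score >= threshold:
            findings[ev["host"]].append((ev["image"], names, score))
    return dict(findings)


def suspected_sources(events, min_distinct_rules=3):
    """Hosts whose events collectively match several distinct rules: the
    'copy/WMI to distribute, PsExec/WMI with credentials to execute' combination
    seen from one pivot host is far more telling than any single event."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(match_rules(ev))
    return sorted(h for h, names in seen.items() if len(names) >= min_distinct_rules)


if __name__ == "__main__":
    for host, hits in detect(EVENTS).items():
        for image, names, score in hits:
            print(f"{host}: {image} score={score} rules={names}")
    print("suspected pivot hosts:", suspected_sources(EVENTS))
```

On the constructed events the single taskkill on FS01 stays below the per-event threshold, while the Citrix host is surfaced both by its individual high-scoring events and by the spread of distinct rules it triggers; correlating by source host is what separates the targeted lateral-movement sequence from ordinary administrative use of the same tools.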

From the timeline, we can see the sequence of infection based on the DDI logs — starting with Trojan.Win64.NEFILIM.A, which downloaded a RAR archive whose batch files were then used for lateral movement within the environment. The target machine, in this instance, is a remotely accessible Citrix server. It is unclear whether the attacker already had access to the server or whether the initial downloader was deployed through other means (e.g., phishing or exploitation of a vulnerability).

In addition, the contents of the RAR package suggest that the attacker is familiar with the victim’s environment. Internal IP addresses, administrator usernames and passwords, services, and processes were all specifically listed in the batch files. Furthermore, data from Trend Micro Smart Protection Network (SPN) only showed two hits — one corresponding to this incident and another one in the United States — indicating that this attack was a highly targeted one.

Note that while the previous article discussed the use of exposed Remote Desktop Protocol (RDP) ports as entry points into the system, the threat actors could have used other entry points in this particular incident. However, it is highly likely that they used some form of remote access to gain direct access to the environment.

Combining data theft and ransomware

What can be observed from this incident is that the threat actors behind it are not just relying on Nefilim alone. They might already have exfiltrated the data even before they launched a full-on ransomware attack.

This case shows the importance of focusing not only on spotting signs of attack, but also sniffing out any evidence of lateral movement and data exfiltration within the environment. An attack’s point of entry may not be where the important data is found; therefore, threat actors would need to be able to move around within the environment (host-to-host) to get to the parts of the system where the juicier data is stored. Being able to identify unusual outbound traffic patterns for hosts (host-to-external) is equally important, as this represents potential data exfiltration.
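Both signals the paragraph calls for, host-to-host movement and unusual host-to-external volume, can be pulled from network flow records. The following Python is an added example, not part of the original article: the flow schema, the internal address ranges, the hosts and the traffic volumes are constructed (IANA documentation ranges stand in for external destinations), and the fan-out and factor-of-five thresholds are assumed starting points to tune per environment.

```python
"""
Added example (not from the Trend Micro write-up): flagging host-to-host
fan-out over SMB/RPC and unusual host-to-external volume from flow records.
Schema, address ranges and volumes are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from statistics import mean

# Assumed corporate address space; a real deployment would load its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {445, 135}  # SMB (PsExec, admin-share copies) and RPC endpoint mapper (WMI)

# Constructed flow records (hypothetical schema: day, src, dst, dport, bytes_out).
# 198.51.100.20 stands in for a normal SaaS destination and 203.0.113.7 for an
# attacker-controlled VPS; both are documentation ranges, not real hosts.
FLOWS = [
    {"day": 1, "src": "10.0.1.10", "dst": "198.51.100.20", "dport": 443, "bytes_out": 2_000_000},
    {"day": 2, "src": "10.0.1.10", "dst": "198.51.100.20", "dport": 443, "bytes_out": 2_500_000},
    {"day": 1, "src": "10.0.1.40", "dst": "198.51.100.20", "dport": 443, "bytes_out": 1_000_000},
    {"day": 2, "src": "10.0.1.40", "dst": "198.51.100.20", "dport": 443, "bytes_out": 1_200_000},
    # Day 3: one server reaches several internal hosts on 445/135 ...
    {"day": 3, "src": "10.0.1.10", "dst": "10.0.1.25", "dport": 445, "bytes_out": 300_000},
    {"day": 3, "src": "10.0.1.10", "dst": "10.0.1.26", "dport": 445, "bytes_out": 300_000},
    {"day": 3, "src": "10.0.1.10", "dst": "10.0.1.27", "dport": 135, "bytes_out": 50_000},
    {"day": 3, "src": "10.0.1.10", "dst": "10.0.1.28", "dport": 445, "bytes_out": 300_000},
    # ... and sends far more than its usual volume to an external address.
    {"day": 3, "src": "10.0.1.10", "dst": "203.0.113.7", "dport": 443, "bytes_out": 40_000_000},
    {"day": 3, "src": "10.0.1.40", "dst": "198.51.100.20", "dport": 443, "bytes_out": 1_100_000},
]


def is_internal(ip):
    """True if the address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lateral_fanout(flows, day, min_targets=3):
    """Internal sources that reached at least min_targets distinct internal
    hosts on SMB/RPC ports on the given day (host-to-host movement)."""
    targets = defaultdict(set)
    for f in flows:
        if (f["day"] == day and f["dport"] in LATERAL_PORTS
                and is_internal(f["src"]) and is_internal(f["dst"])):
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def outbound_by_host_day(flows):
    """Bytes sent from each internal host to external addresses, per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]][f["day"]] += f["bytes_out"]
    return totals


def exfil_candidates(flows, day, factor=5.0):
    """Internal hosts whose external volume on `day` exceeds factor times
    their mean daily volume on earlier days (host-to-external anomaly)."""
    flagged = {}
    for host, per_day in outbound_by_host_day(flows).items():
        history = [b for d, b in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if history and today > factor * mean(history):
            flagged[host] = {"today": today, "baseline": mean(history)}
    return flagged


def triage(flows, day):
    """Hosts that show both signals on the same day: the strongest lead to
    pull process and authentication logs for first."""
    return sorted(set(lateral_fanout(flows, day)) & set(exfil_candidates(flows, day)))


if __name__ == "__main__":
    print("lateral fan-out:", lateral_fanout(FLOWS, 3))
    print("exfil candidates:", exfil_candidates(FLOWS, 3))
    print("triage first:", triage(FLOWS, 3))
```

The per-host baseline matters more than the absolute numbers: a file server that normally pushes little to the internet and suddenly sends tens of megabytes to a single external address is the signal, even where that volume would be unremarkable for a backup gateway. Intersecting the two views narrows the list to the host that is both moving laterally and talking outward, which in the incident above would have pointed at the Citrix server.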

Considering third-party security services such as Trend Micro™ Managed XDR

The methods used here have been observed time and time again, even with threat actors that deploy different ransomware families such as Ryuk.

In an era where work has extended beyond the office, the need for effective security implementation is more critical than it has ever been. While large organizations might have the capability to build security teams that can keep track of the work environment in both office and work-from-home settings, smaller businesses might not have the required resources to do so.

In this case, third-party security services such as Trend Micro™ Managed XDR can help bolster an organization’s security posture by providing a wide range of visibility and expert security analytics that integrates detection and response functions across networks, endpoints, emails, servers, and cloud workloads.

By using advanced analytics and artificial intelligence (AI) techniques, the Managed XDR team monitors the organization’s IT infrastructure 24/7, allowing the correlation and prioritization of alerts according to the level of severity. Organizations can have access to experienced cybersecurity professionals who can expertly perform a root cause analysis to get an understanding of how attacks are initiated, how far threats have spread across the network, and what remediation steps they need to take.

Indicators of compromise

SHA-256 | Trend Micro Pattern Detection | Trend Micro Machine Learning Detection
08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641 | Ransom.Win32.NEFILIM.A | Troj.Win32.TRX.XXPE50FFF034
7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599 | Ransom.Win32.NEFILIM.C | Troj.Win32.TRX.XXPE50FFF034
205ddcd3469193139e4b93c8f76ed6bdbbf5108e7bcd51b48753c22ee6202765 | Ransom.Win32.NEFILIM.D | Troj.Win32.TRX.XXPE50FFF034
5da71f76b9caea411658b43370af339ca20d419670c755b9c1bfc263b78f07f1 | Ransom.Win32.NEFILIM.D | Troj.Win32.TRX.XXPE50FFF034
fdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7 | Ransom.Win32.NEFILIM.D | Troj.Win32.TRX.XXPE50FFF034
f51f128bca4dc6b0aa2355907998758a2e3ac808f14c30eb0b0902f71b04e3d5 | Ransom.Win32.NEFILIM.D |
ee9ea85d37aa3a6bdc49a6edf39403d041f2155d724bd0659e6884746ea3a250 | Trojan.Win64.NEFILIM.A |
