Investigation into a Nefilim Attack Shows Signs of Lateral Movement, Possible Data Exfiltration

by Joelson Soares, Erika Mendoza, and Jay Yaneza

Trend Micro’s Managed XDR (MxDR) and Incident Response (IR) teams recently investigated an incident involving a company that was hit by the Nefilim ransomware, which was initially discovered in March 2020. What makes Nefilim especially devious is that the threat actors behind the attack threaten to release the victim’s stolen data on an online leak site.

This represents a double whammy for the company—besides the threat of losing their data, they’re also at risk of having it published online. Even if the organization pays the ransom and gets its data restored, the threat actors behind the attack will still have access to it. This kind of scheme isn’t unique; it has also been observed on other ransomware such as Sodinokibi and DoppelPaymer.

Timeline of the attack

The following events, which occurred on the same day in mid-March 2020, were observed using Trend Micro Deep Discovery Inspector (DDI).

DDI first observed an attempt to download a malicious file (detected as Trojan.Win64.NEFILIM.A) that is used to download a RAR archive from a VPS-hosted server. A few hours later, there was an attempt to download a RAR archive containing multiple files, the details of which are described below:

• The ransomware file itself
• Psexec.exe, to executes remote commands
• A batch file to stop services/kill processes
• A batch file that uses ‘copy’ command to distribute the batch file that stops services/kills processes to multiple hosts, on c:\Windows\Temp
• A batch file that uses ‘copy’ command to spread the ransomware file to multiple hosts, on c:\Windows\Temp
• A batch file that utilizes WMI to distribute the batch file that stop services/kill processes to multiple hosts, on c:\Windows\Temp. Contains hard-coded admin credentials.
• A batch file that utilizes WMI to distribute the ransomware file to multiple hosts, on c:\Windows\Temp. Contains hard-coded admin credentials.
• A batch file that executes psexec.exe to remotely execute the batch file to stop services/kill processes. Contains hard-coded admin credentials.
• A batch file that executes psexec.exe to execute the ransomware file remotely. Contains hard-coded admin credentials.
• A batch file that utilizes WMI to remotely execute the batch file to stop services/kill processes. Contains hard-coded admin credentials.
• A batch file that utilizes WMI to execute the ransomware remotely. Contains hard-coded admin credentials.

After downloading the RAR archive, a combination of the batch files mentioned above was used in tandem to ensure success:

• Use a combination of the batch files above, and make sure that the distribution of the batch file that stops services/kills processes and the ransomware was done via copy command or WMI
• Remote execution be made possible through stolen admin credentials via PSexec or WMI

Trend Micro Deep Security™ (DS) also observed suspicious activity in the system, beginning with the calling of behavior blocking (terminate action) for taskill.exe using CMD. Next, remote code execution activities via SMBv1 and PSExec were observed in the system.  Finally, the Nefilim ransomware was detected.

From the timeline, we can see the sequence of infection based on the DDI logs — starting with Trojan.Win64.NEFILIM.A, which downloaded a RAR file leading to lateral movement within the system through the use of batch files. The target machine, in this instance, is a remotely-accessible Citrix server. It is unclear if the attacker had access to the server or if the initial downloader was deployed through other means (i.e., phishing, vulnerabilities).

In addition, the contents of the RAR package suggest that the attacker is familiar with the victim’s environment. Internal IP addresses, administrator usernames and passwords, services, and processes were all specifically listed in the batch files. Furthermore, data from Trend Micro Smart Protection Network (SPN) only showed two hits — one corresponding to this incident and another one in the United States —indicating that this attack was a highly targeted one. 

Note that while the previous article discussed the use of exposed Remote Desktop Protocol (RDP) ports as entry points into the system, the threat actors could have used other entry points in this particular examined incident. However, it is highly likely that they used some form of remote access to gain direct access to the environment. 

Combining data theft and ransomware

What can be observed from this incident is that the threat actors behind it are not just relying on Nefilim alone. They might already have exfiltrated the data even before they launched a full-on ransomware attack.

This case shows the importance of focusing not only on spotting signs of attack, but also sniffing out any evidence of lateral movement and data exfiltration within the environment. An attack’s point of entry may not be where the important data is found; therefore, threat actors would need to be able to move around within the environment (host-to-host) to get to the parts of the system where the juicier data is stored. Being able to identify unusual outbound traffic patterns for hosts (host-to-external) is equally important, as this represents potential data exfiltration.

Considering third-party security services such as Trend Micro™ Managed XDR

The methods utilized were observed time-and-time again, even for threat actors that utilize different ransomware like RYUK.

In an era where work has extended beyond the office, the need for effective security implementation is more critical than it has ever been. While large organizations might have the capability to build security teams that can keep track of the work environment in both office and work-from-home settings, smaller businesses might not have the required resources to do so.

In this case, third-party security services such as Trend Micro™ Managed XDR can help bolster an organization’s security posture by providing a wide range of visibility and expert security analytics that integrates detection and response functions across networks, endpoints, emails, servers, and cloud workloads.

By using advanced analytics and artificial intelligence (AI) techniques, the Managed XDR team monitors the organization’s IT infrastructure 24/7, allowing the correlation and prioritization of alerts according to the level of severity. Organizations can have access to experienced cybersecurity professionals who can expertly perform a root cause analysis to get an understanding of how attacks are initiated, how far threats have spread across the network, and what remediation steps they need to take.

Indicators of compromise