Welcome to this week's edition of SCYTHE #ThreatThursday! Earlier this month we released a plan that covered some of the new indicators of compromise (IOCs) associated with Black Basta. Our newest emulation continues to build on the latest reporting from SentinelLabs. Black Basta operators have a number of remote access trojan (RAT) tools at their disposal; this installment highlights one of them. Researchers observed the threat actor dropping a self-extracting archive containing the files needed to execute the NetSupport Manager application. NetSupport Manager is a multi-platform remote access/remote support tool that provides one-to-many support, of the kind typically used by IT Managed Service Providers (MSPs). Black Basta stages these files in C:\temp, using a self-extracting executable named Svvhost.exe. When the file is executed, the installation files are extracted into C:\Users\[USER]\AppData\Roaming\MSN\. The NetSupport Manager RAT is then launched via a run.bat script.
We begin by creating the staging directory and downloading the Svvhost.exe file.
Next, we emulate extraction of the files to C:\Users\[USER]\AppData\Roaming\MSN\ and execute the run.bat script.
The run.bat script consists of the following commands, which launch NetSupport Manager and register it to run at startup.
Clean-up steps are included after a 3-minute delay to stop the process, delete the registry key, and remove the created directories and the files inside them.
| Step | Request | SIGMA Rule(s) | Author(s) |
|---|---|---|---|
| 6 | `downloader --src "VFS://shared/threats/BlackBasta/Svvhost.exe" --dest "C:\temp\Svvhost.exe"` | Creation of an Executable by an Executable | frack113 |
| 7 | `run C:\temp\Svvhost.exe -y -gm2 -o"%USERPROFILE%\AppData\Roaming\MSN\"` | Suspicious In-Memory Module Execution | Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro |
| | | Creation of an Executable by an Executable | frack113 |
| 8 | `run %USERPROFILE%\AppData\Roaming\MSN\run.bat` | Use of NetSupport Remote Access Software | frack113 |
| | | Suspicious In-Memory Module Execution | Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro |
| | | Reg Add RUN Key | Florian Roth |
| | | Execution of NetSupport RAT From Unusual Location | Nasreddine Bencherchali |
| | | Direct Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, oscd.community |
| | | CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
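As an added illustration (not SCYTHE's code and not any of the SIGMA rules listed above), the following Python scans constructed Sysmon-style events for the behaviours the table maps to: the SFX launched from C:\temp extracting into AppData\Roaming\MSN, run.bat executing from that folder, a CurrentVersion\Run value pointing into AppData, and the NetSupport client binary running outside its vendor directory. The event field names, the user name and the client binary name client32.exe are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry) mirroring steps 6-8:
# the SFX staged in C:\temp, extraction into %APPDATA%\Roaming\MSN, run.bat,
# and a CurrentVersion\Run persistence entry. Field names, the user name and
# the NetSupport client binary name (client32.exe) are assumptions.
EVENTS = [
    {"type": "process", "image": r"C:\temp\Svvhost.exe",
     "cmdline": r'C:\temp\Svvhost.exe -y -gm2 -o"C:\Users\alice\AppData\Roaming\MSN\"'},
    {"type": "file", "image": r"C:\temp\Svvhost.exe",
     "target": r"C:\Users\alice\AppData\Roaming\MSN\run.bat"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\MSN\run.bat"'},
    {"type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSN",
     "details": r"C:\Users\alice\AppData\Roaming\MSN\client32.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\MSN\client32.exe",
     "cmdline": "client32.exe"},
    # Control case: the client started from its vendor path must not fire the location check.
    {"type": "process", "image": r"C:\Program Files\NetSupport\client32.exe",
     "cmdline": "client32.exe"},
]

STAGING_DIR = re.compile(r"^c:\\temp\\", re.I)
APPDATA_MSN = re.compile(r"\\appdata\\roaming\\msn\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
NETSUPPORT_BIN = re.compile(r"\\client32\.exe$", re.I)
VENDOR_DIR = re.compile(r"^c:\\program files( \(x86\))?\\netsupport\\", re.I)

def classify(ev):
    """Return the detection names an event satisfies (intent of the rules above, not their exact logic)."""
    hits = []
    img, cmd = ev.get("image", ""), ev.get("cmdline", "")
    target, details = ev.get("target", ""), ev.get("details", "")
    if ev["type"] == "process" and STAGING_DIR.search(img) and APPDATA_MSN.search(cmd):
        hits.append("sfx-from-staging-dir-extracting-to-appdata")
    if ev["type"] == "file" and STAGING_DIR.search(img) and APPDATA_MSN.search(target):
        hits.append("staging-binary-writes-into-appdata-msn")
    if ev["type"] == "process" and re.search(r"\\appdata\\roaming\\msn\\run\.bat", cmd, re.I):
        hits.append("run.bat-executed-from-appdata-msn")
    if ev["type"] == "registry" and RUN_KEY.search(target) and re.search(r"\\appdata\\", details, re.I):
        hits.append("run-key-points-into-appdata")
    if ev["type"] == "process" and NETSUPPORT_BIN.search(img) and not VENDOR_DIR.search(img):
        hits.append("netsupport-client-from-unusual-location")
    return hits

def scan(events):
    """Map event index -> detections, keeping only the events that fired."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Running `scan(EVENTS)` fires on the first five events and stays silent on the vendor-path control case; on real telemetry the AppData paths would be checked against whatever staging folder the operator used rather than the literal MSN folder.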
-SCYTHE AES Team
This post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.