A cyber adversary in possession of both ransomware and point-of-sale malware was recently found to have obtained “a deep level of access” to the infrastructures of at least two targets, including a U.S.-based aluminum and stainless steel gratings company, researchers have reported.
Judging by the choice of targets, the actor has a particular interest in medium-sized organizations that operate in the industrial sector, according to a Nov. 4 blog post by Cisco’s Talos security intelligence and research group.
Talos has not publicly provided any details on the second victim, but both targets were privately notified of the compromise.
The researchers uncovered the two victims while examining a malicious server they had discovered. The server hosted seven DoppelPaymer ransomware binaries uploaded between Oct. 5 and Oct. 20, a sample of the TinyPOS point-of-sale malware uploaded on Sept. 26, and a malicious loader named svchost.exe. Alongside these, the researchers observed the post-exploitation credential-dumping tool Mimikatz, the PsExec command-line tool that lets users execute processes on remote systems, and the crash-dump creation tool Procdump.
In addition to the malicious code, the server’s contents included a screenshot of an HPE Data Protector management interface used by the aforementioned gratings company. This screenshot is what allowed the researchers to identify the victim.
“This screenshot contains some important information for the adversary. On one side, it shows which servers are being backed up; on another, it shows which ones are important to the victim,” explained the blog post, written by researchers Warren Mercer, Paul Rascagneres and Vitor Ventura. “This, in conjunction with the ransomware located on the server, indicates the intent of deploying ransomware on the infrastructure, showing a manual and targeted approach more advanced than the simple execution of malware.”
The second victim was identified via an uploaded dump of a process called lsass.exe, which manages credentials on Windows.
“The content of the dump showed us the hostname and Windows domain of the system and the ‘support’ username. To perform the process dump, the attacker had high privileges on the system. This would help him to perform lateral movement. [This suggests] a manual and targeted approach to this target,” the researchers stated.
Additionally, the researchers noted that the attackers used a WinRAR self-extracting archive to extract the ransomware and then executed a command containing a hard-coded path, which indicates that the attackers were already familiar with, or had previously compromised, the targets’ infrastructure.
Meanwhile, the researchers found that the TinyPOS malware searches for and steals track 1 and track 2 credit card data and exfiltrates that data to a hard-coded C2 address. The IP address of that C2 resolved to domains whose URLs used the term “tech support.” For this reason, Talos believes the attackers had planned a fake tech support scam as part of their operation.