Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover

Description :
The Securonix Threat Research team observed a malicious campaign deploying SSLoad malware alongside Cobalt Strike implants and ScreenConnect RMM software, enabling the threat actors to infiltrate systems, gather sensitive data, and ultimately take over the victim's entire Windows domain. The initial infection vector was a phishing email containing a link to a JavaScript file that kicked off a multi-stage payload deployment. Once inside, the attackers were able to install RMM software, move laterally, extract credentials, and create a malicious domain admin account, compromising the organization's infrastructure.

Published	Created	Modified
2024-04-26 08:45:50	2024-04-26 08:45:50	2024-04-27 01:52:02

Indicators

IPv4s :

URLs :

Domains :

Malwares :

SSLoad
Cobalt Strike - S0154

Hashes :

c172abd808cc6216b309bc307fe69b821c7eaed35f874fd4684ab33b4291f95a
fad25892e5179a346cdbdbba1e40f53bd6366806d32b57fa4d7946ebe9ae8621
7206eafc475f246e7c9c258afdaaa64b5193c1c7427d927be417e53dec890078
ae610eb8f8622653b9be9692a7d2a680b0c2154022704ca58af0eaeed0066d03
09e7f7428e6ecc68ef036c0751f53985882f6760cf3892f1d26af44f3b9730de
805b59e48af90504024f70124d850870a69b822b8e34d1ee551353c42a338bf7
96212917b7b0dc881332db7ece0bacfe21d9ac713af1abe078f6d3e74baacd01
17ddc339b14845bc9d67c5c3cd9a0e617387cc0569131ff3641035d82043effa
db265ea1732935f61e8d0f7a20a8adc54e20af71b3cf4a737714cd3377c838f6
2b026343214c3d2c10fdfa9b04b7694e57ee8d3605fbf9a2e127fe6fa9a58309
791c28d4201e8b9ea5162fbee3908feb34793b1c51f5aaedc43916e86068248d
9fc48724cb9f70f774f7ed9e809e49979bd089dfd641896d8d5e3026f049b0af
65da6d9f781ff5fc2865b8850cfa64993b36f00151387fdce25859781c1eb711
4f52b4a2a781f366ed534d8c4b2fafef48a7848c4c20b4229b98747ca8ab06d3
b9dbe9649c761b0eee38419ac39dcd7e90486ee34cd0eb56adde6b2f645f2960
232f8f8dc9e5b9723c43c78cb942cc810ef56e305e4bd650110a484334f568a8
6e892aa13cbd4b71a1c476207abddb1ef830be04999809b4ef569488a37e47e0
75db4709428310c76656bf76f5de267ab490e43284312b374baf7582108300a9
f8fc9b40b946b742d6044f291914439727e1a7f53ea87562446f682b26cce65a
7018c43ee38190eae122797869865fd808817f31d766575b43b118ae176c0c68
4d9274cfe7a2bd9a125352271d1634708e1f9b1d70b056d1c1950cb98b8f91ff
9856b816a9d14d3b7db32f30b07624e4bcda7f1e265a7bb7a3e3476bfd54a759
e8979741f0355a47dae575ead8c829df47f282b4533ec1be4d63086515f9c449
0ede3cbe821e4f083fc119274f069c77e64a6a7e8a2c16530317b826a0939979
fc21a125287c3539e11408587bcaa6f3b54784d9d458facbc54994f05d7ef1b0
3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f
ff5e40fc794e56fd78feb6eb6b30794970f7cdb4a767c4095e2d20a90bb0efe8
7dbebb7c76511fc063b5ace0a9359b655f66a55a494200b8fd11905c78b5fb90
dcae57ec4b69236146f744c143c42cc8bdac9da6e991904e6dbf67ec1179286a
2118c5b95d5d57492b2e8b8c0403e23b21acc4ff50282f8b6007ba89adfaa992
18d60c9c807da021bc2c31e3ba7ec2737865a8c96060134caa3cf033e43e26fe
caf8295570e8a8244c7099a8eabfd1bd55ea50f026b4461e9f0f5425d54703e8
08075e8a6dcc6a5fca089348edbd5fc07b2b0b26a26a46e0dd401121fdaa88d3
780b970dad15835d138546be9b615fc1b4124c1060a8efd91b9c52f9c3160d5b
3584ca9c1e7e0a38e47f59bb16c21203a60833d0f826294d535a98e7ca76d9c1
6d7a94b7551f15732e193a07357375b98b463f0dce6b1fed871a42fcbdde9f48
ba3fa920708db856737a66f70e2c7e86bba73c73836f7f30c2ce42cd70d0c5bd
68e1caf530366b1890993185157c01161b3d625063d75a41c88d2d1bb8edfe02
63283e012f067a3ffb27ed4fe6803f740c80f6f65213fe5507f0cd1ee0019b96
5fb093a9348fcf4a81befda978c948796a8319fcabe7899c2cf5ba1419ec9d35
0737fa0b403fab17331c9835497a4f3b2955543e2fac85009dcc66df41a015f8
24cb279eebcd49e1327905ab2bd19b9b2e09efa3e0a5e1875f3989c398a5da81
08e82f1c0a033ab295b4d342c53970e4528e20933c614bda3bbc5d57bab20651
f5bf914415faf7587958bbdc3312536fd9abea647f1541d44d2e757f0e683650
a557f891f4d50e458d745c7eaf7d0be3eceea36f0398097e977cd3f6ec463875
828ef3e4ca064891836913015c48ac9807ecd43b32f6e7e4bff29b9fd2e218c9
7f97adff1d298ccf1f3c7991fcb01008dda22722ebbc11af48fcbf2adb58afb4
c122596e25a4dad1d46d4ab983f4ef15bfa7b65582b7c311f404036766498105
e8e76b851fc78d87fe58ad7d29bc6356a8965236d1b96c5f572334dd695d5de9
8f7a90b540f38712c9c1a5359c6333bbe1091102d6f621b22321e08352c84cfc
092962bc268390debf17cd148d03147cdf919e442e61c92de01eac3bdb34b1c1
7dff08656413a737483ecee2a50e412338ebfee3d36a1a5c04e74b25949b2306
ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f

Intrusion set :

FROZEN#SHADOW

MITRE ATT&CK Techniques :

T1071.002 T1078.002 T1218.007 T1069.002 T1218.011 T1518.001 T1070.004 T1059.007 T1057 T1047 T1573 T1059.001 T1219 T1059 T1033 T1102 T1083 T1082

External References

You can download the txt file containing the indicators by clicking on the button below:

Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover [Friday, April 26, 2024]

Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover

Tags

Indicators

External References

Julien B.

Securitricks

Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover [Friday, April 26, 2024]

Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover

Tags

Indicators

External References

Julien B.

IT threat evolution Q3 2023 [Tuesday, December 5, 2023]

APT29 Uses WINELOADER to Target German Political Parties [Monday, March 25, 2024]

SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT [Tuesday, November 7, 2023]

Raspberry Robin and its new anti-emulation trick [Monday, April 08, 2024]

Gaza Cybergang | Unified Front Targeting Hamas Opposition [Thursday, December 14, 2023]

Securitricks