Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Essential information
- Published
- 27/01/2025 12:59
- Modified
- 27/01/2025 14:25
- Tags
- 2025-01-27 cobalt strike exfiltration ghostsocks lateral movement lockbit ransomware rclone systembc
- Related entities
- 21 observables, 4 malware
Description
This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec. They conducted extensive reconnaissance and credential harvesting across multiple systems. After 11 days, they deployed LockBit ransomware using a combination of WMI and PsExec. The attack involved disabling Windows Defender, leveraging scheduled tasks, and exploiting legitimate processes. The threat actor exfiltrated data to MEGA.io and an FTP server before encrypting the environment.