{ "name": "Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware", "slug": "nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware", "description": "A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved laterally with Impacket after credential harvesting. Data exfiltration was conducted using the Restic backup tool. Eight days after initial access, the attackers modified a privileged user's password and deployed BlackCat ransomware across the domain using PsExec to execute a batch script. The intrusion lasted 156 hours over 8 days, ending with file encryption and ransom notes left on affected systems.", "published": "2024-10-01T08:05:23+00:00", "created_at": "2024-10-01T08:05:23+00:00", "modified_at": "2024-10-01T08:29:39+00:00", "created_at_opencti": "2024-10-01T08:05:23+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-10-01", "alphv", "blackcat", "cobalt strike", "credential harvesting", "data exfiltration", "lateral movement", "nitrogen", "noberus", "ransomware", "sliver" ], "related_entities": { "observables": [ { "id": "", "name": "94.156.67.180" }, { "id": "", "name": "91.92.251.240" }, { "id": "", "name": "91.92.250.66" }, { "id": "", "name": "91.92.250.60" }, { "id": "", "name": "91.92.250.65" }, { "id": "", "name": "91.92.250.158" }, { "id": "", "name": "91.92.250.148" }, { "id": "", "name": "91.92.249.110" }, { "id": "", "name": "91.92.247.127" }, { "id": "", "name": "91.92.245.26" }, { "id": "", "name": "91.92.247.123" }, { "id": "", "name": "91.92.245.174" }, { "id": "", "name": "91.92.242.39" }, { "id": "", "name": "91.92.242.182" }, { "id": "", "name": "91.92.241.117" }, { "id": "", "name": "195.123.226.84" }, { "id": "", "name": "91.92.240.194" }, { "id": "", "name": "194.49.94.22" }, { "id": "", "name": "194.49.94.21" }, { "id": "", "name": "194.49.94.18" }, { "id": "", "name": "194.180.48.165" }, { "id": "", "name": "194.180.48.42" }, { "id": "", "name": "194.169.175.134" }, { "id": "", "name": "193.42.33.14" }, { "id": "", "name": "185.73.124.238" }, { "id": "", "name": "141.98.6.195" }, { "id": "", "name": "94.156.67.175" }, { "id": "", "name": "91.92.245.175" }, { "id": "", "name": "91.92.240.175" }, { "id": "", "name": "94.156.67.188" }, { "id": "", "name": "94.156.67.185" }, { "id": "", "name": "91.92.242.55" }, { "id": "", "name": "http://118.0.0.0" }, { "id": "", "name": "b3b1ff7e3d1d4f438e40208464cebfb641b434f5bf5cf18b7cec2d189f52c1b6" }, { "id": "", "name": "d15cab3901e9a10af772a0a1bdbf35b357ee121413d4cf542d96819dc4471158" }, { "id": "", "name": "9514035fea8000a664799e369ae6d3af6abfe8e5cda23cdafbede83051692e63" }, { "id": "", "name": "726f038c13e4c90976811b462e6d21e10e05f7c11e35331d314c546d91fa6d21" }, { "id": "", "name": "5fac60f1e97b6eaae18ebd8b49b912c86233cf77637590f36aa319651582d3c4" }, { "id": "", "name": "5f7d438945306bf8a7f35cab0e2acc80cdc9295a57798d8165ef6d8b86fbb38d" }, { "id": "", "name": "5dc8b08c7e1b11abf2b6b311cd7e411db16a7c3827879c6f93bd0dac7a71d321" }, { "id": "", "name": "4ef1009923fc12c2a3127c929e0aa4515c9f4d068737389afb3464c28ccf5925" }, { "id": "", "name": "39ec2834494f384028ad17296f70ed6608808084ef403714cfbc1bfbbed263d4" }, { "id": "", "name": "4ee4e1e2cedf59a802c01fae9ccfcfde3e84764c72e7d95b97992addd6edf527" }, { "id": "", "name": "3298629de0489c12e451152e787d294753515855dbf1ce80bfcded584a84ac62" }, { "id": "", "name": "25172a046821bd04e74c15dc180572288c67fdff474bdb5eb11b76dce1b3dad3" } ], "malware": [ { "id": "legacy:malware:57f5f768df634c63", "name": "BlackCat - S1068", "slug": "blackcat-s1068" }, { "id": "legacy:malware:d80dab391d3d7475", "name": "Nitrogen", "slug": "nitrogen" }, { "id": "legacy:malware:0d729aad6e4a08a8", "name": "Noberus", "slug": "noberus" }, { "id": "legacy:malware:3f7697d87ccd7a64", "name": "ALPHV", "slug": "alphv" }, { "id": "legacy:malware:e7896b82b9fcccbb", "name": "Sliver", "slug": "sliver" }, { "id": "ab138766-9b64-4880-87fb-1942a709d778", "name": "Cobalt Strike - S0154", "slug": "cobalt-strike-s0154" } ], "attack_patterns": [ { "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3", "name": "T1021.002" }, { "id": "28784df4-38e7-4195-b0aa-bd35746dfbe7", "name": "T1069.002" }, { "id": "7f478f8c-06a4-4ce6-ac08-2947bca8463c", "name": "T1069.001" }, { "id": "a6b6df0a-93c1-4ddf-8403-2bc47590f9fe", "name": "T1087.001" }, { "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d", "name": "T1003.001" }, { "id": "a1de6d30-7fd6-4352-8f6c-d9904347f33f", "name": "T1039" }, { "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3", "name": "T1569.002" }, { "id": "195d9773-4de3-4f61-b94d-a2b53cb65608", "name": "T1021.001" }, { "id": "02abb0a8-0ebf-433b-987f-e25675af60d6", "name": "T1055.001" }, { "id": "45bf8bb0-9e32-433d-86b3-31fb50d352d9", "name": "T1547.004" }, { "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b", "name": "T1059.006" }, { "id": "da44e22e-1925-42e4-b30d-ac38860d39bb", "name": "T1070.001" }, { "id": "0ca071fb-4f52-4672-b64a-75deff57d874", "name": "T1048" }, { "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5", "name": "T1135" }, { "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5", "name": "T1053.005" }, { "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f", "name": "T1490" }, { "id": "a15721d2-76b1-4869-bd1f-819afb6e368d", "name": "T1482" }, { "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d", "name": "T1574.002" }, { "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7", "name": "T1018" }, { "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46", "name": "T1059.003" }, { "id": "32b33067-6566-4b8d-be80-e96f765d84de", "name": "T1059.001" }, { "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6", "name": "T1189" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd", "name": "T1036.005" }, { "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6", "name": "T1204.002" }, { "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1", "name": "T1486" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "4cb4ee3b-b78f-45cf-bcaa-45a2aa968e56", "name": "T1570" }, { "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067", "name": "T1047" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "7d7ac733-6442-416f-8669-c302dd0843b9", "name": "T1036" }, { "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099", "name": "T1098" } ] }, "external_refs": [ "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/", "https://otx.alienvault.com/pulse/66fbc964f7ba3b0e7f74c5df" ] }