C0018, Campaign C0018 | MITRE ATT&CK®

C0018

C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing AvosLocker.[1][2]

ID: C0018
First Seen:  February 2022 [2]
Last Seen:  March 2022 [2]
Contributors: Flavio Costa, Cisco
Version: 1.0
Created: 17 January 2023
Last Modified: 14 February 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During C0018, the threat actors used HTTP for C2 communications.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During C0018, the threat actors used encoded PowerShell scripts for execution.[2][1]

Enterprise T1486 Data Encrypted for Impact

During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network.[2][1]

Enterprise T1190 Exploit Public-Facing Application

During C0018, the threat actors exploited VMWare Horizon Unified Access Gateways that were vulnerable to several Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.[2]

Enterprise T1105 Ingress Tool Transfer

During C0018, the threat actors downloaded additional tools, such as Mimikatz and Sliver, as well as Cobalt Strike and AvosLocker ransomware onto the victim network.[2][1]

Enterprise T1570 Lateral Tool Transfer

During C0018, the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy.[2][1]

Enterprise T1036 Masquerading

During C0018, AvosLocker was disguised using the victim company name as the filename.[2]

.005 Match Legitimate Name or Location

For C0018, the threat actors renamed a Sliver payload to vmware_kb.exe.[2]

Enterprise T1046 Network Service Discovery

During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning.[2]

Enterprise T1571 Non-Standard Port

During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

During C0018, the threat actors used Base64 to encode their PowerShell scripts.[2][1]

Enterprise T1588 .002 Obtain Capabilities: Tool

For C0018, the threat actors acquired a variety of open source tools, including Mimikatz, Sliver, SoftPerfect Network Scanner, AnyDesk, and PDQ Deploy.[2][1]

Enterprise T1219 Remote Access Software

During C0018, the threat actors used AnyDesk to transfer tools between systems.[2][1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

During C0018, the threat actors opened a variety of ports to establish RDP connections, including ports 28035, 32467, 41578, and 46892.[1]

Enterprise T1072 Software Deployment Tools

During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network.[2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

During C0018, the threat actors used rundll32 to run Mimikatz.[1]

Enterprise T1016 System Network Configuration Discovery

During C0018, the threat actors ran nslookup and Advanced IP Scanner on the target network.[1]

Enterprise T1033 System Owner/User Discovery

During C0018, the threat actors collected whoami information via PowerShell scripts.[1]

Enterprise T1047 Windows Management Instrumentation

During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (wmiprvse.exe) to execute a variety of encoded PowerShell scripts using the DownloadString method.[2][1]

Software

ID Name Description
S1053 AvosLocker

During C0018, the threat actors used AvosLocker ransomware to encrypt the compromised network.[1][2]

S0154 Cobalt Strike

[2]

S0002 Mimikatz

[2][1]

S0108 netsh

During C0018, the threat actors used netsh on a domain controller to ensure there was no existing firewall or to disable one.[1]

S0097 Ping

During C0018, the threat actors used a PowerShell script to execute Ping commands once every minute against a domain controller.[1]

S0633 Sliver

[2]

References