Security researchers from Security Joes detected an intriguing case of an alleged ransomware attack that used custom-made tools usually used by APT groups. Moreover, a potential attribution has been made.

What’s going on?

  • The researchers observed the attack in a client’s network in the gaming/gambling industry. The threat actors were targeting the industry across Central America and Europe.
  • The attackers used a combination of custom-made and open-source tools.
  • Most notably, they used an altered version of Ligolo—Sockbot—a reverse tunneling tool that is available on GitHub. Along with it, they used another custom tool to dump credentials from LSASS.
  • Some off-the-shelf open-source tools used by them, such as Cobalt Strike, Mimikatz, and Soft Perfect, are typically used by several other threat actors.
  • They used legitimate accounts and stolen credentials to log into victim systems.

About Sockbot

  • The adversaries altered Ligolo so that it no longer requires command-line parameters, and added execution checks that prevent more than one instance from running at a time.
  • A customized Ligolo version is not a common addition to a threat actor’s arsenal; the only known exception is the MuddyWater APT.
  • The modification improves the attackers’ operational security while the attack is underway and reduces the risk of investigators eavesdropping on their traffic.

Attribution

The researchers have attributed this attack to a Russian-speaking ransomware group based on the overlap of tools and a common ransomware toolkit. Furthermore, the “AccountRestore” binary contains hardcoded references in Russian.

The bottom line

Since the usage of the Ligolo fork is pretty unique to this incident, it is surmised that the actors are taking tools used by other groups and adding their own signatures to them. The strategies used by them highlight that they are sophisticated, persistent, and possess impressive red teaming and programming skills.

Cyware Publisher
