One of the most common payloads delivered by Hancitor these days is Ficker stealer, which is actively advertised on various underground forums and is capable of extracting data from web browsers, mail clients, cryptocurrency wallets, etc. However, Cobalt Strike usage deserves more attention.
During the post-exploitation phase, the threat actors rely mostly on Cobalt Strike, leveraging its capabilities at various stages of the attack lifecycle.
From an execution perspective, just like many other ransomware operators, they used jump psexec and jump psexec_psh, and relied heavily on SMB Beacons, commonly using generic pipe names. In some cases, they also used less common techniques, such as WMI and WinRM, to execute the Beacon stagers on remote hosts.
As Cobalt Strike has credential dumping capabilities, the threat actors leverage mimikatz's sekurlsa::logonpasswords. At the same time, in some cases they use a separate binary to run mimikatz on some hosts. This tool is also used to enable lateral movement with the obtained hashes via mimikatz's sekurlsa::pth.
The Beacon's capabilities were also used to scan the compromised network. In addition, the group leveraged some custom tools for network reconnaissance. The first tool, called Netping, is a simple scanner that collects information about live hosts in the network and saves it to a text file; the other, Protoping, collects information about available network shares. Built-in tools were also abused: for example, the adversary used the net view command to collect information about the hosts in the network and the nltest utility to collect information about the compromised domain.
Besides Cobalt Strike's capabilities to run the Beacon stagers on remote hosts, the attackers used Remote Desktop Protocol to move laterally. They have a batch script called rdp.bat in their arsenal, which is used to enable RDP connections and add the corresponding firewall rule on the target host. Similar scripts were observed to be used by ProLock and Egregor operators.
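As an added illustration of the detections these TTPs suggest (example code, not from the original report), the following Python script applies simple rules to constructed Windows event lines: the jump psexec / psexec_psh service-install patterns from the execution section, the built-in recon commands (net view, nltest), and the rdp.bat behaviour of enabling RDP and adding a firewall rule. The log format, host names and service names are made up, and the Cobalt Strike service patterns are assumed from its publicly documented defaults.

```python
import re

# Constructed sample telemetry in a simplified "<EventID>|<Host>|<Fields>" form
# (System 7045 = service installed, Security 4688 = process created); not real logs.
SAMPLE_LOGS = [
    "7045|SRV01|ServiceName=9f4c2a1;ImagePath=\\\\SRV01\\ADMIN$\\9f4c2a1.exe",
    "7045|SRV02|ServiceName=3b7e6d0;ImagePath=%COMSPEC% /b /c start /b /min "
    "powershell -nop -w hidden -encodedcommand SQBFAFgA",
    '4688|WS07|CommandLine=reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
    "/v fDenyTSConnections /t REG_DWORD /d 0 /f",
    '4688|WS07|CommandLine=netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
    "4688|WS07|CommandLine=nltest /dclist:corp.example",
    "7045|SRV03|ServiceName=Spooler;ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "4688|WS08|CommandLine=notepad.exe C:\\Users\\bob\\notes.txt",
]

# (rule name, event ID it applies to, pattern over the event's fields); patterns are assumptions
RULES = [
    # jump psexec: a service whose binary sits in ADMIN$ under a short random name.
    ("cs_jump_psexec", 7045,
     re.compile(r"ImagePath=\\\\[^\\]+\\ADMIN\$\\[0-9a-z]{7}\.exe$", re.I)),
    # jump psexec_psh: a service that starts a hidden, encoded PowerShell one-liner.
    ("cs_jump_psexec_psh", 7045,
     re.compile(r"ImagePath=%COMSPEC%.*powershell.*-encodedcommand", re.I)),
    # rdp.bat behaviour, part 1: RDP enabled by clearing fDenyTSConnections.
    ("rdp_enable", 4688, re.compile(r"fDenyTSConnections.*\b0\b", re.I)),
    # rdp.bat behaviour, part 2: firewall opened for Remote Desktop / TCP 3389.
    ("rdp_firewall", 4688, re.compile(r"netsh\s+advfirewall.*(remote desktop|3389)", re.I)),
    # Domain/network recon with built-in tools.
    ("builtin_recon", 4688, re.compile(r"(?:^|=)(?:nltest|net\s+view)\b", re.I)),
]

def detect(lines):
    """Return (host, rule) pairs for every line whose fields match a rule for its event ID."""
    hits = []
    for line in lines:
        event_id, host, fields = line.split("|", 2)
        for name, wanted_id, pattern in RULES:
            if int(event_id) == wanted_id and pattern.search(fields):
                hits.append((host, name))
    return hits

def hosts_with_rdp_enabled(hits):
    """Hosts where both rdp.bat indicators fired, i.e. RDP enabled and the firewall opened."""
    by_host = {}
    for host, name in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if {"rdp_enable", "rdp_firewall"} <= names)

if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    print(hits)
    print("rdp.bat-like activity on:", hosts_with_rdp_enabled(hits))
```

Correlating the two rdp.bat indicators per host, as hosts_with_rdp_enabled does, cuts the noise from legitimate administrators who only touch one of the settings.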
Ficker stealer wasn't the only publicly advertised tool in the threat actors' arsenal. Another tool, which is becoming more and more popular among various ransomware operators, is SystemBC. Such additional backdoors allowed the attackers to download and execute additional payloads even if Cobalt Strike activity was detected and blocked.
The approach to ransomware deployment is quite trivial, but still effective. Like many others, the threat actors usually leveraged PsExec for deployment.
The exfiltrated data is published on a dedicated Cuba DLS (Data Leak Site).