From MITRE ATT&CKcon Power Hour October 2020 By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.

1. TA505
A Study of High End Big
Game Hunting in 2020
Brandon Levene
ATT&CKCON
October 9th, 2020

2. Proprietary + Confidential
Opportunistically targeted
ransomware deployments, aka
Big Game Hunting (BGH), have caused
a distinct disruption in
the mechanics of monetizing
crimeware compromises.

3. Agenda Context and background
Threat actor process
Lessons learned
Operational details
02
01
03
04

4. Context and background
Threat actor process
Lessons learned
Operational details
02
01
03
04

5. Who is TA505?
Customer of Dridex banking Trojan as well as Locky and Jaff
Ransomware families from 2014-2017
NOT the developers of the tools above (that would be
EvilCorp
Shift to backdoors in 2018 which coincides with a decrease
in bespoke banking trojans and non-targeted ransomware
Rapidly shifted through initial loaders and secondary
payloads throughout 2018 and 2019, slowly shifted towards
Users* of CLOP ransomware (first seen in Feb 2019) as
primary monetization mechanism
There do not appear to be any other users, so this is likely another in-
house tool
Context and background

6. Proprietary + Confidential
Context and background

7. NETZSCH GROUP BASED IN GERMANY ALLEGEDLY
BREACHED BY COP RANSOMWARE OPERATORS Hackers publish ExecuPharm internal
data after ransomware attack
Largest Privately-Owned Logistics
Company--EV Cargo Logistics
Ransomware Hits maastricht
University, all Systems
Taken Down
Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline

8. Context and background
Threat actor process02
01
Lessons learned
Operational details03
04

9. Source: ANSSI https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
Threat actor process
Overview
TA505
Legitimate
compromised domain
Malicious
domain
Malicious email HTML + Javascript Redirecting URL Phishing page
Malicious office
document
Victim
Malware
1 SENDS
CONTAINS HOSTS
HOSTSHOSTS
6
DROPS AND
EXECUTES
2 3 4 5OPENS
REDIRECTION
DOWNLOADS
AND ACTIVATES THE
MACROS
REDIRECTION

10. Context and background
Threat actor process
Operational details
02
01
03
Lessons learned04

11. Operational details
Spear Phishing - T1192 + Spear Phishing Attachment - T1193
Initial Access

12. Operational details
User Execution + T1204 [.002]
Execution

13. Operational details
Ingress Tool Transfer - T1055
Command and control

14. Operational details
Process Injection - T1055
Defense Evasion and Priv Esc
Application Layer Protocol - T1071
Command and control

15. Operational details
Event Triggered Execution - T1546 (image file execution injections, sub .012)
Persistence

16. Operational details
Permission Groups Discovery - T1069
Discovery Subvert Trust Controls - T1553
Defense Evasion

17. Operational details
Data Encrypted for Impact - T1486
Impact

18. Operational details
Data Leak - Unmapped
Impact

19. Context and background
Threat actor process
Lessons learned
Operational details
02
01
03
04

20. Compliment defense in depth with detection in depth
Study TTPs to seize interdiction opportunities
Detecting the ransomware itself is too late
amateur
Visibility is key