Skip to content

PHOSPHORUS Ransomware Operations by DEV-0270

Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group | Vumetric Cyber Portal

Multiple ransomware campaigns have been observed by Microsoft threat intelligence teams, and these assaults have been linked to DEV-0270, also known as Nemesis Kitten, a division of the Iranian actor PHOSPHORUS. Microsoft determines that DEV-0270 performs harmful network operations, such as broad vulnerability scanning, on behalf of the Iranian government with a moderate degree of confidence. We estimate with low confidence that some of DEV-0270’s ransomware assaults are a kind of moonlighting for personal or company-specific money creation, although this is based on their geographic and sectoral targeting, which frequently lacked a strategic benefit for the regime. The strategies and methods used in the DEV-0270/PHOSPHORUS ransomware campaigns are described in this blog. We anticipate that Microsoft will use our analysis to further expose and prevent the progress of DEV-0270’s operations while protecting users from similar assaults.

PHOSPHORUS Ransomware Operations by DEV-0270 is renowned for adopting newly revealed vulnerabilities quickly and for using exploits for high-severity vulnerabilities to get access to devices. Living-off-the-land binaries (LOLBINs) are also used by DEV-0270 along the attack chain for credential access and discovery. This includes using the integrated BitLocker tool improperly to encrypt files on infected machines.

The time to ransom (TTR) between initial access and the ransom letter was as little as two days in some cases where encryption was successful. For decryption keys, the organization has been seen requesting USD 8,000. The actor has also been seen looking into other potential sources of cash for their activities. In one incident, the actor decided to offer the firm’s stolen data for sale packaged in a PHOSPHORUS SQL database dump after the victim organization declined to pay the demanded ransom.

This blog describes the group’s tactics and procedures throughout its end-to-end attack chain using these findings to aid defenders in the identification, investigation, and prevention of attacks. We also offer in-depth hunting questions intended to uncover covert PHOSPHORUS attacks. This blog also gives security and hardening advice to aid organizations in becoming more immune to attacks like these.

Infection chain describing the usual tactics and techniques used by DEV-0270 actor group.
Figure 1. Typical DEV-0270 attack chain

PHOSPHORUS: Who is DEV-0270?

According to Microsoft, Secnerd (secnerd[.]ir) and Lifeweb are the two public aliases used by the organization that runs PHOSPHORUS Ransomware Operations by DEV-0270 (lifeweb[.]ir). We have seen a lot of infrastructure overlap between Secnerd/Lifeweb and DEV-0270. These groups are associated with Najee Technology Hooshmand (ناجی تکنولوژی هوشمند), which is based in Karaj, Iran.

Targeting by the group is often opportunistic; the actor searches the internet for servers and devices that are open to attack, rendering organizations with such servers and devices exposed to such attacks.

Microsoft directly informs customers who have been targeted or hacked, giving them the information they need to protect their accounts, as with any observed nation-state actor behavior. Up until we reach a high degree of confidence regarding the origin or identity of the actor behind the activity, Microsoft uses the DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity. This enables Microsoft Threat Intelligence Center (MSTIC) to track it as a distinct set of information. A DEV gets transformed into a named actor once it satisfies the requirements.

PHOSPHORUS: Observed actor activity

Initial Access

The actor got access to several of the DEV-0270 cases that were observed by utilizing well-known Exchange or Fortinet flaws (CVE-2018-13379). PHOSPHORUS ProxyLogon has been the most commonly used exploit for Exchange, which emphasizes the need to patch high-severity vulnerabilities in devices that are connected to the internet because the group has continued to successfully exploit these flaws even recently, long after updates had provided the fixes. Although there have been hints that DEV-0270 has attempted to attack Log4j 2 vulnerabilities, Microsoft has not seen this behavior utilized to spread ransomware against users.

Discovery

The DEV-0270 executes a series of discovery commands to get more information about the environment after gaining access to a company. The target’s domain name can be obtained with the command wmic computersystem get a PHOSPHORUS domain. The net user command is used to add or edit user accounts, and the whoami command is used to show user information. Refer to the Advanced Hunting section for further details on the accounts established and common password combinations DEV-0270 employed.

  • wmic computersystem get domain
  • whoami
  • net user

The actor ran the following command on the compromised Exchange server to gain an understanding of the target environment.

Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders

The actor used the following PowerShell and WMI commands to find domain controllers.

Credentials access

Since employing a LOLBin eliminates the need to use conventional credential theft tools that are more likely to be identified and prevented by antivirus and endpoint detection and response (EDR) solutions, DEV-0270 usually chooses this method to carry out their credential theft. The first step in this process is to enable WDigest in the registry. As a result, passwords are kept on the device in cleartext, saving the actor time by eliminating the need to decipher password hashes.

"reg" add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

The actor then exports passwords from LSASS into a dump file using rundll32.exe and comsvcs.dll’s integrated MiniDump function. The command used to achieve this usually specifies the output to save the LSASS passwords. Additionally, the file name (ssasl.dmp) is reversed to avoid detection:

Screenshot of a PowerShell command.

Persistence

The DEV-0270 actor adds or creates a new user account, typically called DefaultAccount with a password of P@ssw0rd1234, to the device using the command net user /add in order to maintain access in a compromised network. On most Windows systems, the DefaultAccount account is normally a pre-existing account that has been set up but is not active.

The attacker then changes the device’s registry to permit remote desktop (RDP) connections, adds an RDP-permitting firewall rule using netsh.exe, and adds the user to the group of remote desktop users:

"reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f
"reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
"reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD
"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389

One of the common strategies employed by DEV-0270 in their attempts to keep control of a device is scheduled tasks. The tasks are typically configured to start on boot with the least privilege and load via an XML file, launching a.bat from the command line. The batch file downloads a reverse proxy called dllhost.exe with a new name to keep control of the device even if the company deletes the file from the PHOSPHORUS device.

Screenshot of scheduled tasks used by DEV-0270 actor group in their attacks.
Figure 2. The scheduled task used in the DEV-0270 attacks

Privilege escalation

By injecting their web shell into a privileged process on a vulnerable web server, DEV-0270 may typically get initial access with administrator or system-level privileges. The gang usually already utilizes a privileged account to execute remote commands when they employ Impacket’s PHOSPHORUS WMIExec to migrate to other systems on the network laterally. As noted in the section on credential access, DEV-0270 usually dumps LSASS to get local system credentials and pretends to other local accounts with possible elevated rights.

The establishment or activation of a user account to give it administrator access is another method of privilege escalation utilized by DEV-0270. To establish or enable this account and add it to the administrator’s group for greater privileges, DEV-0270 employs the powershell.exe and net.exe commands.

Defense evasion

To avoid being discovered, DEV-0270 employs a variety of defensive evasion strategies. To stop Microsoft Defender Antivirus from preventing the execution of their modified binaries, threat actors often disable real-time protection. To add the DefaultAccount account to the Administrators and Remote Desktop Users groups, the threat group either creates or activates it. The threat actor group now has access to a valid pre-existing account with elevated, unusual rights thanks to the alteration of the DefaultAccount. Additionally, DEV-0270 loads its root certificate into the local certificate database using powershell.exe. The appearance of a genuine Microsoft-signed certificate has been faked with this custom certificate. The unverified certificate signing chain, however, causes Windows to designate the spoof certificate as illegitimate. With the help of this certificate, the group can encrypt their malicious communications so that they blend in with the network’s normal traffic.

Furthermore, DEV-0270 makes extensive use of native LOLBins to successfully evade detection. To ensure operational security and stealth, the threat group commonly uses registry configurations, native WMI, net, CMD, and PowerShell commands. In order to conceal their presence, they also install and disguise their modified binaries as legitimate processes. They disguise their programs as genuine processes like dllhost.exe, task update.exe, user.exe, and CacheTask. DEV-0270 may terminate legitimate processes using.bat files and powershell.exe, execute their binary under the same process name, and then set up scheduled tasks to guarantee the persistence of their unique binaries.

Lateral movement

It has been observed that DEV-0270 adds defaultaccount to the Remote Desktop Users group and creates it. The group moves laterally, copies tools to the target device, and performs encryption using the RDP connection.

Impacket’s WMIExec is a well-known toolkit that the organization uses for lateral movement in addition to RDP. This was the primary way that they were seen in numerous compromises to switch to other organizational devices, run commands to find more high-value targets, and dump credentials for escalating privileges.

An illustration of a command issued from a distant device utilizing Impacket’s WMIExec:

cmd.exe /Q /c quser 1> \\127.0.0.1\ADMIN$\__1657130354.2207212 2>&1

Impact

BitLocker encryption has been enabled by DEV-0270 using setup.bat commands, making the hosts unusable. DiskCryptor, an open-source full disk encryption system for Windows that enables the encryption of a device’s whole hard drive, is the program the group employs for workstations. DiskCryptor is removed by the group from an RDP connection, and after it is started, the encryption process starts. It does take two reboots to implement this procedure and one more to shut out access to the workstation.

The PowerShell commands for DEV-0270 that utilize BitLocker are as follows:

Screenshot of PowerShell commands.

Microsoft will keep an eye on DEV-0270 and PHOSPHORUS behavior and put protections in place for our clients. Below is a list of the detections, advanced detections, and IOCs that are presently in use across all of our security solutions.

The following steps can be taken to reduce the impact of the DEV-0270 methods:

  • Apply the relevant Exchange Server security patches, which may include solutions for CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065. Internal Exchange Server instances that are not patched should be taken care of as soon as possible, even if it is crucial to prioritize patching of internet-facing Exchange servers to mitigate risk in an organized manner.
    • Critical product updates are published for both the most recent Cumulative Update (CU) and the prior CU for Exchange Server instances in Mainstream Support. Only the most recent CU receives critical product updates for Exchange Server instances in Extended Support.
    • To help customers more quickly protect their environment if they don’t have a supported CU, Microsoft is creating an additional series of security updates (SUs) that can be applied to some older and unsupported CUs. For previous Exchange Server Cumulative Updates, see March 2021 Exchange Server Security Updates for information on these updates.
    • The only effective mitigation for these vulnerabilities that have no effect on functionality is installing the updates. Installing the updates does not remove implanted malware or remove the threat actor if they have used these vulnerabilities to install malware.
  • When possible, block RPC and SMB connectivity between devices using your network firewall, Microsoft Defender Firewall, and intrusion prevention systems. The ability to attack laterally and in other ways is so restricted.
  • To limit or prevent network appliances like Fortinet SSL VPN devices from establishing arbitrary connections to the internet in order to browse or download files, check your perimeter firewall and proxy.
  • Enforce secure passwords for local administrators. Use instruments like LAPS.
  • Make that real-time behavior monitoring is turned, on and that Microsoft Defender Antivirus is up to date.
  • Maintain backups so you can restore data from malicious attacks. To stop unwanted apps from editing protected files, use controlled folder access.
  • To block or monitor activities connected with this threat, enable the following attack surface reduction rules:
    • Stop the Windows local security authority subsystem from stealing credentials (lsass.exe)
    • Block PsExec and WMI command-line-based process creations
    • Subscribing to WMI events, prevent persistence. Ensure that real-time behavior monitoring is enabled and that Microsoft Defender for Endpoint is up to date.

PHOSPHORUS: Detection details

Microsoft Defender for Endpoint

Threat activity on your network may be indicated by alerts in the security center with the following titles:

  • Detected malware linked to the DEV-0270 activity group

The following notifications could also be signs of activity linked to this threat. These warnings, however, are not tracked in the status cards included with this report and can be brought on by unrelated threat behavior.

A script with suspicious content was observed Suspicious file dropped by Exchange Server process
A suspicious file was observed Suspicious Modify Registry
Anomalous behavior by a common executable Suspicious Permission Groups Discovery
Lasagne post-exploitation tool Suspicious PowerShell command line
Local Emails Collected Suspicious PowerShell download or encoded command execution
Mimikatz credential theft tool Suspicious Process Discovery
‘Mimilove’ high-severity malware was prevented A suspicious process executed PowerShell command
A new group added suspiciously The suspicious process launched using dllhost.exe
Ongoing hands-on-keyboard attack via Impacket toolkit Suspicious ‘PShellCobStager’ behavior was blocked
Possible Antimalware Scan Interface (AMSI) tampering Suspicious Scheduled Task Process Launched
Possible attempt to discover groups and permissions A suspicious sequence of exploration activities
Possible exploitation of Exchange Server vulnerabilities Suspicious ‘SuspExchgSession’ behavior was blocked
Possible exploitation of ProxyShell vulnerabilities Suspicious System Network Configuration Discovery
Possible web shell installation Suspicious System Owner/User Discovery
Process memory dump Suspicious Task Scheduler activity
Suspicious Account Discovery: Email Account Suspicious User Account Discovery
Suspicious behavior by cmd.exe was observed Suspicious user password change
Suspicious behavior by svchost.exe was observed Suspicious w3wp.exe activity in Exchange
System file masquerade
Suspicious behavior by the Web server process Tampering with the Microsoft Defender for Endpoint sensor
Suspicious Create Account An unusual sequence of failed logons
Suspicious file dropped WDigest configuration change

Hunting queries

Microsoft Sentinel

The following queries can be used by Microsoft Sentinel customers to search for relevant harmful activity in their environments.

DEV-0270 registry IOC

This search shows that the DEV-0270 actor modified the registry to remove ransom notes and disable security features:

DEV-0270 malicious PowerShell usage

At some points during their attack, DEV-0270 makes extensive use of PowerShell to accomplish their goal. A PowerShell activity linked to the actor is located using this query:

DEV-0270 WMIC discovery

This WMIC query finds dllhost.exe and searches the environment for more hosts and related domains:

DEV-0270 new user creation

This search tries to find new users created with a known DEV-0270 username and password schema:

Microsoft 365 Defender

Run the following queries to look for potential actor behavior.

Disable services via registry

Search for programs that disable security features by editing the registry.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all(@’”reg”’, ‘add’, @’”HKLM\SOFTWARE\Policies\’, ‘/v’,’/t’, ‘REG_DWORD’, ‘/d’, ‘/f’)
    and InitiatingProcessCommandLine has_any(‘DisableRealtimeMonitoring’, ‘UseTPMKey’, ‘UseTPMKeyPIN’, ‘UseAdvancedStartup’, ‘EnableBDEWithNoTPM’, ‘RecoveryKeyMessageSource’)

Modifying the registry to include a notification for a ransom message

Recognize registry changes that point to a ransom message associated with DEV-0270.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all(‘”reg”’, ‘add’, @’”HKLM\SOFTWARE\Policies\’, ‘/v’,’/t’, ‘REG_DWORD’, ‘/d’, ‘/f’, ‘RecoveryKeyMessage’, ‘Your drives are Encrypted!’, ‘@’)

DLLHost.exe file creation via PowerShell

Identify the PowerShell-made DLLHost.exe file that was disguised.

DeviceProcessEvents
| where InitiatingProcessFileName =~ ‘powershell.exe’
| where InitiatingProcessCommandLine has_all(‘$file=’, ‘dllhost.exe’, ‘Invoke-WebRequest’, ‘-OutFile’)

Add malicious user to Admins and RDP users group via PowerShell

Look for the PowerShell option to add a user to the Administrators group for remote desktop users.

DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp=')

Email data exfiltration via PowerShell

Identify PowerShell-based email exfiltration.

DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders')

Create a new user with a known DEV-0270 username/password

Look for the creation of a new user that has a username and password that match the DEV-0270 specification.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('net user', '/add')
| parse InitiatingProcessCommandLine with * "user " username " "*
| extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine)
| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')

Exclusion path for Microsoft Defender of ProgramData added by PowerShell

Determine PowerShell as the process that excludes the ProgramData directory from Microsoft Defender’s monitoring.

DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_all("try", "Add-MpPreference", "-ExclusionPath", "ProgramData", "catch")

DLLHost.exe WMIC domain discovery

Use WMIC to locate dllhost.exe to find more hosts and related domains.

DeviceProcessEvents
| where InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine == "dllhost.exe"
| where ProcessCommandLine has "wmic computersystem get domain"

Want to know more about Microsoft? Visit our course now. How about PHOSPHORUS Ransomware? We have here covered for you as well.

Explore more about PHOSPHORUS Ransomware Operations by DEV-0270 here in our website.


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com