Author: Laksh Sethi
1. Executive Summary
On 23 August, the Federal Bureau of Investigation (FBI) released a flash alert [1] about an ongoing campaign conducted by the OnePercent Group, which has been using Cobalt Strike to launch ransomware attacks against U.S. companies since November 2020. The alert also provides a list of indicators of compromise (IOCs) associated with the campaign.
2. Analysis
The actors use phishing emails with a malicious ZIP attachment that contains a Microsoft Word or Excel file. Opening the attachment activates macros that infect the victim's computer with the IcedID banking trojan [2]. When the actors activate the trojan (in some cases a month after the infection), it installs and runs Cobalt Strike, which uses PowerShell remoting to move laterally to other systems on the infected network. The actors then employ rclone [3], a Windows-native backup utility, to encrypt and exfiltrate data from the victim's systems.
Somewhere on the infected network, the actors leave a ransom note and contact information, which is a link to the actors' website, reachable through the Onion Router (TOR) [4] application. The note demands that the organization pay the ransom to a Bitcoin address controlled by the group, and states that the actors will provide the decryption key within 48 hours of receiving the demanded payment.
After the actors contact the organization, they wait for a week and then barrage the organization with phone calls and emails. In addition, they repeatedly demand that the person who initially opened the attachment connect them with the organization's designated negotiator. If the organization does not respond within a week, the actors send emails from ProtonMail addresses and make calls from spoofed phone numbers to warn the organization that unless the ransom is paid, the exfiltrated data will be leaked via the TOR network and the clearnet. If the organization still fails to respond, the actors start leaking the exfiltrated data in small increments until they receive a response or payment.
The actors use the following tools:
- AWS S3 cloud
- IcedID
- Cobalt Strike
- PowerShell
- rclone
- Mimikatz [5]
- SharpKatz [6]
- BetterSafetyKatz [7]
3. Prevention and Mitigation
The following measures should help prevent or mitigate an attack by the OnePercent Group:
- Filter on, and treat as suspicious, the file hashes that might be associated with rclone (see the IOCs in the table below).
- Ensure that administrators are not using Admin Approval mode.
- Implement Microsoft Local Administrator Password Solution (LAPS), if possible.
- Ensure that copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from a compromised network.
- Secure backups, and ensure that original data cannot be accessed, modified, or deleted.
- Keep computers, devices, and applications patched and up to date.
- Consider adding an email banner to email received from outside your organization.
- Disable unused remote access and Remote Desktop Protocol (RDP) ports, and monitor remote access and RDP logs.
- Audit administrative user accounts regularly.
- When configuring access controls, apply the principle of least privilege (PoLP).
- Implement network segmentation.
- Use multi-factor authentication with strong passphrases.
4. Indicators of Compromise
The FBI believes that the following IOCs are linked to this conduct:
| Indicators | Description |
|---|---|
| 157[.]245[.]239[.]187 | Related IP |
| 80[.]82[.]67[.]221 | Related IP |
| 167[.]71[.]224[.]39 | Related IP |
| 31[.]187[.]64[.]199 | Related IP |
| 134[.]209[.]203[.]30 | Related IP |
| 138[.]197[.]179[.]153 | Related IP |
| 206[.]189[.]227[.]145 | Related IP |
| june85[.]cyou | Related domain |
| golddisco[.]top | Related domain |
| intensemisha[.]cyou | Related domain |
| delokijio[.]pw | Related domain |
| biggarderoub[.]cyou | Related domain |
| d30qpb9e10re4o[.]cloudfront[.]net | Related domain |
| nix1[.]xyz | Related domain |
| ECA9FAC6848545FF9386176773810F96323FEFF0D575C4B6E1C55F8DB842E7FE | Related hash |
| E70ED531C8A12E7ECCE83223D7B9AA1895110DC140EDF85AFC31C8C5CD580116 | Related hash |
| hxxp://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad[.]onion | TOR URL |
| bc1qds0yly3fn608gtm332gag029munvlute2wxktn | BTC address |
| 1percentransomware@protonmail[.]com | Email address |
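The script below is an added example, not code from the FBI alert or from this brief. It shows how a defender can load the defanged indicators from the table above, refang them, and match them against DNS, proxy, EDR and mail-gateway log lines, which also covers the rclone hash filter recommended under Prevention and Mitigation. The log lines and their field layout are constructed for the example; the domain check goes slightly beyond the table by also flagging hosts under a listed domain.

```python
"""Match the OnePercent Group IOCs against sample telemetry.

Added example for this brief (not code from the FBI alert). IOC values are the
ones in the table above; the log lines are constructed samples.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the IOC table, still in their defanged form.
RAW_IOCS: Dict[str, List[str]] = {
    "ip": [
        "157[.]245[.]239[.]187", "80[.]82[.]67[.]221", "167[.]71[.]224[.]39",
        "31[.]187[.]64[.]199", "134[.]209[.]203[.]30", "138[.]197[.]179[.]153",
        "206[.]189[.]227[.]145",
    ],
    "domain": [
        "june85[.]cyou", "golddisco[.]top", "intensemisha[.]cyou", "delokijio[.]pw",
        "biggarderoub[.]cyou", "d30qpb9e10re4o[.]cloudfront[.]net", "nix1[.]xyz",
    ],
    "sha256": [
        "ECA9FAC6848545FF9386176773810F96323FEFF0D575C4B6E1C55F8DB842E7FE",
        "E70ED531C8A12E7ECCE83223D7B9AA1895110DC140EDF85AFC31C8C5CD580116",
    ],
    "email": ["1percentransomware@protonmail[.]com"],
}


def refang(value: str) -> str:
    """Undo the usual defanging: '[.]' -> '.' and 'hxxp' -> 'http'."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


# Refanged, lower-cased lookup sets, one per indicator kind.
IOCS = {kind: {refang(v).lower() for v in vals} for kind, vals in RAW_IOCS.items()}

# Constructed sample telemetry (field layout invented for this example):
# a DNS query, a proxy CONNECT, an EDR file-hash event, a mail-gateway line
# and one benign DNS line that must not match.
SAMPLE_LOGS = [
    "2021-08-24T09:12:01Z dns   client=10.0.5.17 query=golddisco.top type=A",
    "2021-08-24T09:12:05Z proxy client=10.0.5.17 dst=157.245.239.187:443 method=CONNECT",
    "2021-08-24T09:15:40Z edr   host=WS-0417 file=C:\\Users\\Public\\rc.exe "
    "sha256=eca9fac6848545ff9386176773810f96323feff0d575c4b6e1c55f8db842e7fe",
    "2021-08-24T09:20:00Z mail  from=1percentransomware@protonmail.com subject='payment'",
    "2021-08-24T09:21:13Z dns   client=10.0.5.18 query=update.microsoft.com type=A",
]

# Conservative tokenizer: IPs, domains, e-mail addresses and hex hashes survive
# as single tokens; ':' and '=' act as separators.
TOKEN_RE = re.compile(r"[A-Za-z0-9._@-]+")


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs for every IOC found in one log line."""
    hits: List[Tuple[str, str]] = []
    for tok in (t.lower() for t in TOKEN_RE.findall(line)):
        for kind, values in IOCS.items():
            if tok in values:
                hits.append((kind, tok))
            elif kind == "domain":
                # Also flag hosts under a listed domain, e.g. cdn.june85.cyou.
                for d in values:
                    if tok.endswith("." + d):
                        hits.append((kind, d))
    return hits


def scan_logs(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Run scan_line over a log stream; yields (line_number, kind, indicator)."""
    return [(n, kind, ioc)
            for n, line in enumerate(lines, 1)
            for kind, ioc in scan_line(line)]


def file_is_flagged(data: bytes) -> bool:
    """True if the content's SHA-256 is one of the listed 'related hashes'."""
    return hashlib.sha256(data).hexdigest() in IOCS["sha256"]


if __name__ == "__main__":
    for n, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {ioc}")
```

Running the script flags lines 1 to 4 of the sample and leaves the benign Microsoft lookup alone. In production the token set would come from the real log schema, and `file_is_flagged` would be fed the bytes of binaries found in user-writable paths, which is where a renamed rclone copy tends to land.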
Endnotes
1. https://www.ic3.gov/Media/News/2021/210823.pdf
2. https://www.cisecurity.org/white-papers/security-primer-icedid/
3. https://en.wikipedia.org/wiki/Rclone
4. https://en.wikipedia.org/wiki/Tor_(network)
5. https://doubleoctopus.com/security-wiki/threats-and-tools/mimikatz/
6. https://github.com/b4rtik/SharpKatz
7. https://github.com/Flangvik/BetterSafetyKatz
8. https://github.com/cobbr/SharpSploit