CSIS RESEARCH – DragonForce Ransomware TTPs

DragonForce is a fast-growing ransomware group leveraging the ransomware-as-a-service (RaaS) model. This post examines their tactics, techniques, and procedures (TTPs), including trusted relationships for initial access, AnyDesk for persistence, and custom tools for exfiltration.

Tech Blog

Summary

tl;dr

DragonForce is a fast-growing ransomware group, first observed in March 2023, that deploys ransomware using the ransomware-as-a-service (RaaS) business model.

This post explores the TTPs employed by the group, which CSIS observed deploying DragonForce ransomware during a recent incident response engagement.

In summary, CSIS identified the following key TTPs:

  • Trusted relationship exploited for initial access
  • AnyDesk and RMM tooling used for persistence
  • Custom tool used for exfiltration
  • FileSeek used for file discovery

DragonForce TTPs:

Initial Access

The threat actor gained access to the network through remote management software that had been installed by a previous hosting company. When the target organisation switched providers, it failed to remove the administration tools installed by the previous hosting provider. The threat actor used these tools to reset a domain administrator password, and that account was then used for remote access via the same administration tools.

Execution

Windows PowerShell was used to move the file “winupdate.exe” (the data exfiltration tool) into the C:\windows\system32\ folder and then execute it from there.

Persistence

The threat actor installed the remote access tool AnyDesk to maintain persistence.

Discovery

The threat actor used the software FileSeek[1] to build a list of files to exfiltrate.

Exfiltration

The threat actor successfully exfiltrated data from the network using a custom tool named winupdate.exe, written in Go and built on the Restic backup library.

Impact

DragonForce's main objective is the exfiltration of sensitive data combined with encryption, an approach commonly referred to as double extortion.

Indicators of Compromise

Indicator of compromise | Indicator type | Description
--- | --- | ---
C:\Users\Public\Documents\Winupdate.exe | File Name | Exfiltration tool
C:\Windows\system32\Winupdate.exe | File Name | Exfiltration tool
FileSeek.exe | File Name | File discovery tool
C:\Users\Public\Documents\new.txt | File Name | File list to exfiltrate


MITRE ATT&CK

Tactic | Technique | ID | Description
--- | --- | --- | ---
Initial Access | Trusted Relationship | T1199 | Initial access was via remote administration tools left on the system by a previous supplier.
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | The threat actor used PowerShell to execute malicious commands.
Persistence | Create or Modify System Process: Windows Service | T1543.003 | The threat actor installed remote desktop software as a Windows service for persistence.
Discovery | File and Directory Discovery | T1083 | FileSeek was used for file discovery.
Exfiltration | Data exfiltration for Impact | T1657 | The threat actor used a custom tool for exfiltration.
Impact | Data Encrypted for Impact | T1486 | DragonForce ransomware was deployed.
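As an added defender-side example (not part of the CSIS report), the routine below matches the file-name indicators from the IoC table and the PowerShell-to-System32 and service-install behaviours from the ATT&CK table against a small set of constructed events. The event shape, the `Move-Item` command line and the AnyDesk service name are assumptions for illustration, not observations from the incident.

```python
from typing import Dict, Iterable, List, Tuple

# Full-path indicators from the report, compared case-insensitively.
IOC_PATHS = {
    r"c:\users\public\documents\winupdate.exe": "Exfiltration tool staged in a public folder",
    r"c:\windows\system32\winupdate.exe": "Exfiltration tool moved into System32",
    r"c:\users\public\documents\new.txt": "File list prepared for exfiltration",
}
# Bare file-name indicators from the report.
IOC_NAMES = {"winupdate.exe": "Exfiltration tool", "fileseek.exe": "File discovery tool"}

# Constructed sample telemetry (process-create, file-create, service-install records).
# Assumed layout; not real logs from the engagement.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Move-Item C:\Users\Public\Documents\Winupdate.exe C:\Windows\System32"},
    {"type": "process", "image": r"C:\Windows\system32\Winupdate.exe", "cmdline": "Winupdate.exe backup"},
    {"type": "process", "image": r"C:\Users\Public\Documents\FileSeek.exe", "cmdline": "FileSeek.exe"},
    {"type": "file", "path": r"C:\Users\Public\Documents\new.txt"},
    {"type": "service", "name": "AnyDesk", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def triage(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (technique-or-IoC, reason) pairs for events matching the reported TTPs."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        path = (ev.get("image") or ev.get("path") or "").lower()
        name = path.rsplit("\\", 1)[-1]
        cmd = (ev.get("cmdline") or "").lower()
        # Exact-path match first, then the bare file name (tool may be staged elsewhere).
        if path in IOC_PATHS:
            hits.append(("IoC", f"{IOC_PATHS[path]}: {path}"))
        elif name in IOC_NAMES:
            hits.append(("IoC", f"{IOC_NAMES[name]}: {path}"))
        # T1059.001: PowerShell relocating winupdate.exe into System32 before running it.
        if name == "powershell.exe" and "winupdate.exe" in cmd and "\\system32" in cmd:
            hits.append(("T1059.001", "PowerShell moved winupdate.exe into System32"))
        # T1543.003: remote access tooling registered as a Windows service.
        if ev.get("type") == "service" and "anydesk" in (ev.get("name", "") + path).lower():
            hits.append(("T1543.003", f"AnyDesk installed as service '{ev.get('name')}'"))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags five of the six constructed events; the benign svchost record produces no hit.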


[1] https://www.fileseek.ca/Download/