TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Deep Dive: Kaseya VSA Mining Payload

2018-01-30

ATT&CK techniques detected (9 predictions)

T1053.005 Scheduled Task (100%)
"the malicious scheduled task. schtasks /create /xml $file /tn "$fulltaskname" /f. Updated PowerShell code: on the evening of January 29th, 2018, the attackers updated the PowerShell command described in this blog to evade Kaseya's automated removal procedure. Most notably…"

T1053.005 Scheduled Task (100%)
"malware stores the contents within several registry key values along with another heavily obfuscated PowerShell script. The data was stored within the following paths: key: HKLM\Software\Microsoft\PowerShell\Scripts | value: a; key: HKLM\Software\Microsoft\Po…"

T1053.005 Scheduled Task (99%)
"script cleverly generates a "random" name. It does this by combining the path and task name of two legitimate, randomly selected scheduled tasks with the following code: to better illustrate how this works, let's use these examples as the randomly selected scheduled tasks: …"

T1053.005 Scheduled Task (98%)
""start"). Lastly, the attacker got extra crafty and decided to backdoor one of Microsoft's legitimate scheduled tasks: "sihboot". Using the scheduled task XML template from the URL above, the attacker added an extra Exec action which once again runs the malicious PowerShe…"

T1059.001 PowerShell (96%)
"namkbc37wtx2mdq/reg_load_subsequent.ps1. When run, the script first validates whether its payload is already running. To do this, it gathers the list of running processes and won't execute any further if more than one PowerShell process is already running. As silly as it …"

T1059.001 PowerShell (95%)
"Deep Dive: Kaseya VSA Mining Payload. For many of us in the Managed Services Provider market, we were rocked with news of a vulnerability in Kaseya's VSA product. The purpose of this blog is to shine technical light on what the Huntress ThreatOps team observed and analyzed thus…"

T1059.001 PowerShell (69%)
""start"). Lastly, the attacker got extra crafty and decided to backdoor one of Microsoft's legitimate scheduled tasks: "sihboot". Using the scheduled task XML template from the URL above, the attacker added an extra Exec action which once again runs the malicious PowerShe…"

T1053.005 Scheduled Task (69%)
"Deep Dive: Kaseya VSA Mining Payload. For many of us in the Managed Services Provider market, we were rocked with news of a vulnerability in Kaseya's VSA product. The purpose of this blog is to shine technical light on what the Huntress ThreatOps team observed and analyzed thus…"

T1059.001 PowerShell (64%)
"the malicious scheduled task. schtasks /create /xml $file /tn "$fulltaskname" /f. Updated PowerShell code: on the evening of January 29th, 2018, the attackers updated the PowerShell command described in this blog to evade Kaseya's automated removal procedure. Most notably…"

Summary

For many of us in the Managed Services Provider market, we were rocked with news of a vulnerability in Kaseya’s VSA product. The purpose of this blog is to shine technical light on what the Huntress ThreatOps team observed and analyzed thus far.