Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our clients' environments. Many of these are precursors to the delivery of the ransomware payload:
Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:
Hacktool.EdRSilencer/EDRStealer: A malicious tool designed to disable Endpoint Detection and Response (EDR) solutions, neutralizing the security mechanisms that monitor and analyze endpoint behavior and making it easier to deploy additional malware or conduct unauthorized activities undetected. It operates either by terminating the EDR processes or by modifying their configurations to render them ineffective. The tool may also steal authentication tokens or credentials from compromised systems, enabling lateral movement across networks.
Hacktool.Lazagne/Clyp: A credential-stealing tool designed to extract sensitive information, such as usernames, passwords, and authentication tokens, from compromised systems. It is often leveraged to gain unauthorized access to user accounts, escalate privileges, and facilitate further malicious activities within targeted environments. It works by targeting locally stored credentials in applications, web browsers, email clients, databases, and password management tools, exploiting insecure credential storage mechanisms and decrypting or exposing encrypted data using known algorithms or vulnerabilities. It is a favorite among attackers due to its modular architecture and ease of use. In many cases, it is used alongside other tools to expand an attacker's foothold, enabling lateral movement within a network or the deployment of additional payloads, such as ransomware or keyloggers.
Hacktool.MailBruter/MailHack: A malicious tool designed to compromise email accounts by brute-forcing credentials or exploiting vulnerabilities in email servers and services. It is used to gain unauthorized access to email accounts, which can then be leveraged for spam campaigns, phishing attacks, or further infiltration of targeted organizations. It systematically attempts a vast number of username-password combinations, exploiting weak or reused credentials. Some variants are equipped with advanced features, such as evading detection by throttling attempts, using proxy servers to mask activity, or integrating exploits for known vulnerabilities in email protocols like SMTP, IMAP, or POP3. Attackers can use it to distribute malware, steal sensitive information, or impersonate the account owner in targeted spear-phishing campaigns.
Hacktool.Netscan/NetTool: A utility commonly used by attackers to scan networks and identify connected devices, open ports, and services running on a target system. While network scanning tools are often legitimate utilities employed by IT professionals for troubleshooting and security assessments, malicious actors frequently misuse them to gather reconnaissance data for cyberattacks. This tool generates detailed reports of network topology, device configurations, and accessible resources. Many variants include additional features, such as banner grabbing to identify software versions or plugins for exploiting known vulnerabilities in real time. This tool is often deployed during the initial phases of a cyberattack, serving as a precursor to activities like exploitation, lateral movement, or data exfiltration.
Hacktool.sharphound/msil: A powerful reconnaissance tool commonly used by attackers to map Active Directory (AD) environments. It is part of the BloodHound toolkit, which is widely employed both by security professionals during penetration testing and by malicious actors in advanced cyberattacks. Written in .NET (compiled to Microsoft Intermediate Language, MSIL), it is efficient and versatile for gathering data from Windows-based systems. This tool is designed to extract detailed information about AD structures, including user permissions, group memberships, trust relationships, and other configurations. It enables attackers to identify potential pathways for privilege escalation, lateral movement, or domain dominance within a network. It collects this data through various methods, such as querying AD services over LDAP (Lightweight Directory Access Protocol) or using compromised user credentials. Once the data is collected, it is uploaded to BloodHound for visualization, where it is analyzed to find attack paths.
Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking Trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data, and more. Some of the Trojans identified include:
Trojan/Backstab.killav: A type of malware specifically designed to disable antivirus (AV) and security solutions on a targeted system, which allows attackers to deploy additional malware, such as ransomware, spyware, or keyloggers, without triggering detection or prevention protocols. It typically works by terminating processes associated with antivirus software, modifying system registry entries to disable startup protections, or exploiting vulnerabilities within the AV software itself. In some cases, it uses privilege escalation techniques to bypass administrative controls and ensure persistence. Advanced variants may also block updates to security software, leaving systems defenseless against emerging threats. Once active, it prepares the system for deeper compromise by erasing logs, masking malicious activity, and opening pathways for lateral movement within a network.
Trojan.Emotetu/Buecsvii: A sophisticated and highly modular Trojan that has evolved into one of the most dangerous malware strains in the cyber threat landscape. Originally designed to steal financial credentials, this Trojan now serves as a multi-functional malware loader, enabling distribution of additional payloads such as ransomware, spyware, and other Trojans. Once executed, it establishes persistence on the infected system, connects to a command-and-control (C2) server, and downloads additional modules tailored to the attacker’s objectives. These modules may include data exfiltration, credential theft, or lateral movement tools to expand the infection within a network. What sets it apart is its ability to adapt and evade detection through advanced obfuscation techniques, such as polymorphic code and encrypted communication with its C2 servers.
Trojan.Sirefef/Zeroaccess: A highly stealthy Trojan that is primarily known for its ability to establish a botnet, distribute other malware, and conduct click fraud or cryptocurrency mining. It operates by exploiting vulnerabilities in systems to gain unauthorized access and establish persistence. Once installed, it often modifies the Master Boot Record (MBR) or system drivers, making it difficult to detect and remove. The Trojan uses a peer-to-peer (P2P) communication protocol, allowing infected systems to function as part of a decentralized botnet that can evade traditional command-and-control (C2) server takedowns. Once active, it performs a variety of malicious tasks, such as downloading additional payloads, redirecting web traffic for click fraud, or utilizing system resources for cryptocurrency mining, which can severely degrade system performance.
Trojan.Hesperbot/Foreign: An advanced Trojan designed to steal sensitive financial information and facilitate unauthorized access to online banking accounts. Known for its sophisticated features and stealthy behavior, it establishes persistence on the infected system, often using rootkit components to avoid detection. It is equipped with a wide array of malicious capabilities, including keylogging, screen capturing, video recording, and form grabbing, allowing attackers to collect login credentials and other sensitive data. One of its standout features is the ability to inject malicious code into legitimate banking sessions, redirecting victims to fake login pages or prompting them to download additional malware; this enables attackers to bypass multi-factor authentication (MFA) and compromise accounts even on secure platforms. Its modular design and encrypted communication with its command-and-control (C2) servers make it highly adaptable and difficult to detect.
Trojan.Mediyes/Rootkit: A stealthy and highly dangerous piece of malware designed to infiltrate systems, establish deep persistence, and enable attackers to carry out a variety of malicious activities while evading detection. Combining the capabilities of a Trojan and a rootkit, Mediyes can remain hidden within an infected system while providing attackers with backdoor access and control. Once executed, it installs itself at the kernel level, modifying system processes and critical files to mask its presence. This lets it intercept and manipulate system calls, effectively hiding files, processes, and network activity from both users and security tools. The Trojan component of Mediyes facilitates data theft, including the capture of sensitive information such as credentials and payment details. It can also inject malicious code into web traffic, redirecting victims to phishing sites or facilitating click fraud, and may serve as a downloader for additional malware payloads, amplifying its impact.
Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:
Trojan.lockbit/fragtor: A highly sophisticated and destructive ransomware variant associated with the LockBit ransomware group, which is known for its rapid encryption speed and evolving techniques. Once executed, the payload disables security tools, terminates processes, and encrypts files on infected systems, appending a unique extension to the encrypted files. What sets LockBit/Fragtor apart is its advanced capabilities, including anti-analysis mechanisms such as code obfuscation, sandbox evasion, and self-destruction features. It often spreads laterally within networks by exploiting weak credentials, unprotected RDP (Remote Desktop Protocol) connections, or privilege escalation techniques. The Trojan's modular design allows attackers to customize payloads, making it adaptable to various attack scenarios.
Trojan.phobos/zusy: A dangerous and highly adaptable ransomware associated with financial theft and observed in attack campaigns targeting a wide range of industries. Once executed, it establishes persistence on the infected system, encrypts critical files, and appends a unique extension. In addition to ransomware capabilities, some variants include information-stealing functions, such as capturing credentials, browser data, and payment details. It uses sophisticated evasion techniques, such as code obfuscation and sandbox detection, to avoid detection by antivirus software, and it disables system restore points, making recovery more challenging.
Ransomware.lockbit/blackmatter: A sophisticated and highly destructive ransomware strain known for its efficiency, stealth, and adaptability. It combines features from both the LockBit and BlackMatter ransomware families, making it a formidable threat. Once inside, the ransomware spreads laterally, exploiting privilege escalation and weak network segmentation to gain control of critical infrastructure, and encrypts files rapidly. A defining feature is its ability to disable security solutions, delete backups, and evade detection using advanced obfuscation techniques. It often exfiltrates data before encryption, enabling attackers to threaten victims with data leaks if ransom demands are not met, a tactic known as double extortion.
Ransomware.akira/dacic: A potent ransomware strain associated with the Akira ransomware group, which is known for its aggressive tactics and evolving techniques. It scans the network for critical assets, disables security tools, and encrypts files with strong encryption algorithms, appending a distinct extension to the affected files. Its advanced capabilities include data exfiltration before encryption, making victims susceptible to data exposure even if backups are available. Its stealth features, such as process obfuscation and evasion of antivirus tools, allow it to bypass traditional security measures.
Ransomware.incransom/imps: A ransomware variant associated with the INC ransomware group and known for its stealthy infection methods and aggressive extortion tactics. Once it infiltrates a system, it encrypts files using strong encryption algorithms, rendering them inaccessible. A notable feature is its ability to disable security defenses and delete shadow copies, making file recovery difficult without backups. Some versions also employ double extortion tactics, where attackers exfiltrate sensitive data before encryption and threaten to publish or sell it if the ransom is not paid.
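Two precursor behaviours recur across the families above: tampering with AV/EDR (the EDR silencer and killav entries) and destroying recovery points (shadow copy deletion and disabled restore points in the ransomware entries). The following is an added example of how a defender can surface both from process-creation telemetry; it is not code from Halcyon or from this report. It assumes a simplified event record with image, command_line and parent fields (a Sysmon- or EDR-style process-creation event), the sample events are constructed for the example, and the security-process and service name lists are illustrative placeholders to be replaced with the products actually deployed in an environment.

```python
import re

# Illustrative list of security-product process names (constructed for this
# example; "edr_agent.exe" is a placeholder, replace with your AV/EDR processes).
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe"}

# Illustrative list of security service names (WinDefend and Sense are the
# Windows Defender / Defender for Endpoint service names; extend as needed).
SECURITY_SERVICES = {"windefend", "sense"}

# Command-line patterns for inhibiting system recovery (MITRE ATT&CK T1490).
# Matched against the lower-cased command line.
RECOVERY_TAMPER = [
    (r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", "shadow_copy_delete"),
    (r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "shadow_copy_delete"),
    (r"win32_shadowcopy.*\bdelete\b", "shadow_copy_delete"),  # PowerShell/WMI path
    (r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b",
     "backup_catalog_delete"),
    (r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b.*\bno\b", "recovery_disable"),
]

# taskkill /IM <image> and "net stop <svc>" / "sc stop|config|delete <svc>"
# (Impair Defenses, MITRE ATT&CK T1562.001).
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)")
SERVICE_RE = re.compile(
    r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|config|delete))\s+(\S+)"
)


def classify(event):
    """Return the list of behaviour tags that apply to one process-creation event."""
    cmd = event["command_line"].lower()
    tags = []

    for pattern, tag in RECOVERY_TAMPER:
        if re.search(pattern, cmd) and tag not in tags:
            tags.append(tag)

    m = TASKKILL_RE.search(cmd)
    if m and m.group(1) in SECURITY_PROCESSES:
        tags.append("security_process_kill")

    m = SERVICE_RE.search(cmd)
    if m and m.group(1) in SECURITY_SERVICES:
        tags.append("security_service_tamper")

    return tags


def scan(events):
    """Run classify() over a batch and return only the events that fired, with context."""
    hits = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits.append({"index": i, "image": ev["image"], "parent": ev["parent"], "tags": tags})
    return hits


# Constructed sample telemetry: six precursor-style events followed by two benign ones.
EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": "cmd.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": "cmd.exe",
     "command_line": "wmic shadowcopy delete"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": "cmd.exe",
     "command_line": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"image": r"C:\Windows\System32\bcdedit.exe", "parent": "cmd.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"image": r"C:\Windows\System32\taskkill.exe", "parent": "cmd.exe",
     "command_line": "taskkill /F /IM MsMpEng.exe"},
    {"image": r"C:\Windows\System32\sc.exe", "parent": "cmd.exe",
     "command_line": "sc config WinDefend start= disabled"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": "cmd.exe",
     "command_line": "vssadmin list shadows"},  # enumeration only, not deletion
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"event {hit['index']}: {hit['tags']} ({hit['image']} <- {hit['parent']})")
```

Each tag is a behaviour, not a family, so one rule covers LockBit, Akira and INC alike; in production the parent-process field is the first pivot (a shadow copy deletion spawned from an office document or a web server process is far more suspicious than one from a backup agent), and the two list constants should be generated from the endpoint inventory rather than hand-maintained.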