Simple Netcat Backdoor in Python Script, (Sat, Sep 30th)

This post was originally published on this site

Why reinvent the wheel? We are all lazy and, if we have a tool that offers some interesting capabilities, why not use it? I spotted a simple maliciouis Python script targeting Windows hosts. The file (SHA256:d706d94981bc53ab1458519f224b9602152325fc2a18f3df9d9da8f562b99044) is flagged by 16 antivirus products on VirusTotal[1]. Nothing very exciting with the script, it's a bot that uses a Discord channel for C2 communications. 

Are You Still Storing Passwords In Plain Text Files?, (Fri, Sep 29th)

This post was originally published on this site

"Infostealer" malware have been in the wild for a long time now. Once the computer's victim is infected, the goal is to steal "juicy" information like passwords, cookies, screenshots, keystrokes, and more. Yesterday, I spotted an interesting sample. It's delivered through an FTP connection. The file (SHA256:2bf9a44bd546e0fd1448521669136220dc49146b0f3a5cd7863698ac79b5e778) is unknown on VirusTotal.

People's Republic of China-Linked Cyber Actors Hide in Router Firmware

This post was originally published on this site

Executive Summary

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.

BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.

For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1]

Download the PDF version of this report: [PDF, 808 KB]

Technical Details

This advisory uses the MITRE® ATT&CK® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs.


Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks.

Observable TTPs

BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows®, Linux®, and FreeBSD® operating systems. Custom malware families employed by BlackTech include:

  • BendyBear [S0574]
  • Bifrose
  • BTSDoor
  • FakeDead (a.k.a. TSCookie) [S0436]
  • Flagpro [S0696]
  • FrontShell (FakeDead’s downloader module)
  • IconDown
  • PLEAD [S0435]
  • SpiderPig
  • SpiderSpring
  • SpiderStack
  • WaterBear [S0579]

BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect [T1553.002].

BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2]

Pivoting from international subsidiaries

The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.

Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002].

Maintaining access via stealthy router backdoors

BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.

In some cases, BlackTech actors replace the firmware for certain Cisco IOS®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router’s built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006], however, it is not always necessary.

BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001].

Firmware replacement process

BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH.

Table 1: File types to compromise the router

File Type


Old Legitimate Firmware

The IOS image firmware is modified in memory to allow installation of the Modified Firmware and Modified Bootloader.

Modified Firmware

The firmware has a built-in SSH backdoor, allowing operators to have unlogged interaction with the router.

Modified Bootloader

The bootloader allows Modified Firmware to continue evading the router’s security features for persistence across reboots. In some cases, only modified firmware is used.

BlackTech actors use the Cisco router’s CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows:

  1. Download old legitimate firmware.
  2. Set the router to load the old legitimate firmware and reboot with the following command(s):

    config t
    no boot system usbflash0 [filename]
    boot system usbflash0 [filename]

  3. Download the modified bootloader and modified firmware.
  4. Set the router to load the modified firmware with the following command(s):
    conf t
    no boot system usbflash0 [filename]
    boot system usbflash0 [filename]
  5. Load the modified bootloader (the router reboots automatically) with the following command:
    upgrade rom file bootloader
  6. Enable access by sending a trigger packet that has specific values within the UDP data or TCP Sequence Number field and the Maximum Segment Size (MSS) parameter within the TCP Options field.
Modified bootloader

To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test.

Modified firmware

BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image.

BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging.

To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication.

Detection and Mitigation Techniques

In order to detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH.

The following are the best mitigation practices to defend against this type of malicious activity:

  • Disable outbound connections by applying the “transport output none” configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems.
    Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.[3]
  • Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.[4]
  • Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.[3]
  • Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.[3],[5]
  • When there is a concern that a single password has been compromised, change all passwords and keys.[3]
  • Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.[3]
  • Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.[3]
  • Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images.[3]

Works Cited

[1]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices,
[2]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,
[3]    NSA, Network Infrastructure Security Guide,
[4]    NSA, Performing Out-of-Band Network Management, 
[5]    Cisco, Attackers Continue to Target Legacy Devices,

Disclaimer of endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation.
Linux is a registered trademark of Linus Torvalds.
MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation.
Windows is a registered trademark of Microsoft Corporation.


This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations.


NSA Cybersecurity Report Questions and Feedback: 
NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: 
NSA Media Inquiries / Press Desk: 443-634-0721,

U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at,, or (888) 282-0870 and/or to the FBI via your local FBI field office.

Appendix: MITRE ATT&CK Techniques

See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory.

Table 2: BlackTech ATT&CK Techniques for Enterprise – Resource Development

Technique Title



Obtain Capabilities: Code Signing Certificates


BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses.

Table 3: BlackTech ATT&CK Techniques for Enterprise – Initial Access

Technique Title



Initial Access


BlackTech actors gain access to victim networks by exploiting routers.

Trusted Relationship


BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks.

Table 4: BlackTech ATT&CK Techniques for Enterprise – Persistence

Technique Title





BlackTech actors gain persistent access to victims’ networks.

Traffic Signaling


BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router.

Pre-OS Boot: ROMMONkit


BlackTech actors modify router firmware to maintain persistence.

Table 5: BlackTech ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title



Privilege Escalation


BlackTech actors gain elevated privileges on a victim’s network.

Table 6: BlackTech ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title



Defense Evasion


BlackTech actors configure their tools to evade detection by security software and EDR.

Modify Registry


BlackTech actors modify the victim’s registry.

Impair Defenses


BlackTech actors disable logging on compromised routers to avoid detection and evade defenses.

Impair Defenses: Impair Command History Logging


BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued.

Modify System Image: Patch System Image


BlackTech actors modify router firmware to evade detection.

Table 7: BlackTech ATT&CK Techniques for Enterprise – Discovery

Technique Title





BlackTech actors use SNScan to enumerate victims’ networks and obtain further network information.

Table 8: BlackTech ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title



Remote Services: Remote Desktop Protocol


BlackTech actors use RDP to move laterally across a victim’s network.

Remote Services: SSH


BlackTech actors use SSH to move laterally across a victim’s network.

Table 9: BlackTech ATT&CK Techniques for Enterprise – Command and Control

Technique Title



Command and Control


BlackTech actors compromise and control a victim’s network infrastructure.

Application Layer Protocol: File Transfer Protocols


BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers.



BlackTech actors use compromised routers to proxy traffic.

PowerShellGet 3.0.22-beta22 is now available

This post was originally published on this site

The latest preview of PowerShellGet is now available on the PowerShell Gallery. In this new preview version of PowerShellGet, PowerShellGet is a compatibility module that allows use of PowerShellGet 2.x (and below) cmdlet syntax with PSResourceGet functionality by making a best effort mapping between the cmdlet interfaces of both versions of the module. This module is a continuation of the CompatPowerShellGet project, but will now be shipping under the PowerShellGet module name.

How to install the module

To install from PSResourceGet (which is included in PowerShell 7.4 Preview 5)

Install-PSResource PowerShellGet -Prerelease

To install from PowerShellGet 2.2.5

Install-Module -Name PowerShellGet -AllowPrerelease -Force -AllowClobber

Note that Microsoft.PowerShell.PSResourceGet is also required to use this module,but it is not listed as a dependency as it is still in prerelease.

Expectations for the module

PowerShellGet is a compatibility module that allows use of PowerShellGet 2.x (and below) cmdlet syntax with PowerShellGet 3.0 (and newer) functionality by making a best effort mapping between the cmdlet interfaces of both versions of the module. For example, if a user has the PowerShellGet module installed and runs the command Install-Module PowerShellGet -AllowPrerelease PowerShellGet module will get auto loaded into the PowerShell Session and will map the command to PSResourceGet syntax Install-PSResource PowerShellGet -Prerelease The command will then be executed by the PowerShellGet 3.0 implementation.

This module is designed so that users will not need to immediately update their scripts in order to update to the latest version of PowerShellGet or to begin taking advantage of the performance improvements already available in PSResourceGet. We still do recommend that authors begin making the changes required to update their scripts to the new cmdlet interface if they would like to take advantage of the new features available in PSResourceGet (described in other blogs).

This compatibility module is designed so that it takes precedence over legacy versions of PowerShellGet. If you have this compatibility module installed and would not like it to be used, you can remove it from the PowerShell session using the Remove-Module command.

Please note that this flow is only possible if the user has both the PowerShellGet module installed and the Microsoft.PowerShell.PSResourceGet module installed. Once PSResourceGet is generally available it will be a dependency of future versions of PowerShellGet.


This module is expected to ship in PowerShell 7.5. We expect this module to reach GA in the early PowerShell 7.5 timeframe to maximize opportunity for quality feedback. We do not expect to introduce new features to this module, all new features will be designed in Microsoft.PowerShell.PSResourceGet. Some new features may work in this module as a side effect.

Going forward we do not plan to do any future releases of the CompatPowerShellGet module, all releases will be under the PowerShellGet name.

How to give feedback or get support

This version of the module is still in preview, meaning that bugs are expected. We really appreciate any feedback on the module. If you have any bug reports, questions, or suggestions for features please open up a bug report in the PowerShellGet repository.


PowerShell team

The post PowerShellGet 3.0.22-beta22 is now available appeared first on PowerShell Team.

What's Normal? DNS TTL Values, (Wed, Sep 20th)

This post was originally published on this site

I am trying to start a series of brief diaries about "what's normal." Analysts often only look at the network when they suspect something is wrong. But to find the anomaly, someone must first know what's normal. So, I am trying to collect data from my home network to show what to consider. The values I am presenting here are normal for my home network and will likely differ for your network. So, instead of just copying/pasting, run the experiment yourself 🙂

Obfuscated Scans for Older Adobe Experience Manager Vulnerabilities, (Tue, Sep 19th)

This post was originally published on this site

Adobe Experience Manager (AEM) is a complex enterprise-level content management system built around open-source products like Apache Sling, Jackrabbit/Oak, and Felix. Just last week, Adobe patched another XSS vulnerability in AEM. But the scans we see now target older vulnerabilities, likely a vulnerability 2-3 years old.

#StopRansomware: Snatch Ransomware

This post was originally published on this site


Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

(PDF, 578.71 KB

For a downloadable copy of IOCs, see:

(XML, 79.84 KB
(JSON, 56.10 KB


Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.

Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1]

Initial Access and Persistence

Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078].

Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133].

Data Discovery and Lateral Movement

Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154].

Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486].

Defense Evasion and Execution

During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all the volume shadow copies from a system [T1490]. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem [T1070.004].

The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog.

Indicators of Compromise (IOCs)

The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.

Email Domains and Addresses

Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:

Table 1: Malicious Email Domains Observed in Use by Snatch Threat Actors

Email Domains




Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.

Table 2: Legitimate Email Domains Observed in Use by Snatch Threat Actors

Email Domains

tutanota[.]com / tutamail[.]com / tuta[.]io



protonmail[.]com / proton[.]me


The email addresses listed in Table 3 were reported by recent victims.

Table 3: Snatch’s Email Addresses Reported by Recent Victims

Email Addresses[.]me







TOX Messaging IDs

TOX Messaging IDs





NOTE: According to ransom notes, this is a “Customer service” TOX to reach out to if the original TOX ID does not respond.

Folder Creation

Folder Creation


Filenames with Associated SHA-256 Hashes










































Filenames with Associated SHA-1 Hashes





Commands Used by Snatch Threat Actors


wmiadap.exe /F /T /R

%windir%System32svchost.eve –k WerSvcGroup

conhost.exe 0xFFFFFFFF -ForceV1

vssadmin delete shadows /all /quiet

bcdedit.exe /set {current} safeboot minimal

REG ADD HKLMSYSTEMCurrentControlSetControlSafeBootMinimalVSS /VE /T REG_SZ /F /D Service

REG ADD HKLMSYSTEMCurrentControlSetControlSafeBootMinimalmXoRpcSsx /VE /T REG_SZ /F /D Service

REG QUERY HKLMSYSTEMCurrentControlSetControl /v SystemStartOptions

%CONHOST% “1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320

“C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe” –flag-switches-begin –flag-switches-end –no-startup-window /prefetch:5

cmd /d /c cmd /d /c cmd /d /c start ” ”

Registry Keys

Registry Keys

HKLMSOFTWAREMicrosoftWindows Media Player NSS3.0ServersD8B548F0-E306-4B2B-BD82-25DAC3208786FriendlyName

HKUS-1-5-21-4270068108-2931534202-3907561125-1001SoftwareMicrosoftWindowsCurrentVersionShell ExtensionsCached{ED50FC29-B964-
48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF

System Log Changes




Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall

A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included action “Allow” and rule name included “File and Printer Sharing”

Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall

A Windows Defender Firewall setting was changed in private, public, and domain profile with type “Enable Windows Defender Firewall” and value of “no”.


Instance of process C:Windowssvchost.exe. (Incorrect file location, should be C:WindowsSystem32svchost.exe)

Mutexes Created

Mutexes Created








See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.

Table 4: Snatch Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance

Technique Title



Gather Victim Network Information


Snatch threat actors may gather information about the victim’s networks that can be used during targeting.

Table 5: Snatch Threat Actors ATT&CK Techniques for Enterprise – Resource Development

Technique Title



Acquire Infrastructure: Virtual Private Server


Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.

Table 6: Snatch Threat Actors ATT&CK Techniques for Enterprise – Initial Access

Technique Title



Valid Accounts


Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network.

External Remote Services


Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network.

Snatch threat actors use VPN services to connect to a victim’s network.

Table 7: Snatch Threat Actors ATT&CK Techniques for Enterprise – Execution

Technique Title



Command and Scripting Interpreter: Windows Command Shell


Snatch threat actors may use batch files (.bat) during ransomware execution and data discovery.

System Services: Service Execution


Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used sc.exe.

Table 8: Snatch Threat Actors ATT&CK Techniques for Enterprise – Persistence

Technique Title



Valid Accounts: Domain Accounts


Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network.

Table 9: Snatch Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title





Snatch threat actors have the ransomware executable match the SHA-256 hash of a legitimate file to avoid rule-based detection.

Indicator Removal: File Deletion


Snatch threat actors delete batch files from a victim’s filesystem once execution is complete.

Modify Registry


Snatch threat actors modify Windows Registry keys to aid in persistence and execution.

Impair Defenses: Disable or Modify Tools


Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution.

Impair Defenses: Safe Mode Boot


Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running.

Table 10: Snatch Threat Actors ATT&CK Techniques for Enterprise – Credential Access

Technique Title



Brute Force: Password Guessing


Snatch threat actors use brute force to obtain administrator credentials for a victim’s network.

Table 11: Snatch Threat Actors ATT&CK Techniques for Enterprise – Discovery

Technique Title



Query Registry


Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Process Discovery


Snatch threat actors search for information about running processes on a system.

Table 12: Snatch Threat Actors ATT&CK Techniques for Enterprise – Lateral Movement

Technique Title



Remote Services: Remote Desktop Protocol


Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol.

Table 13: Snatch Threat Actors ATT&CK Techniques for Enterprise – Collection

Technique Title



Data from Local System


Snatch threat actors search systems to find files and folders of interest prior to exfiltration.

Table 14: Snatch Threat Actors ATT&CK Techniques for Enterprise – Command and Control

Technique Title



Application Layer Protocols: Web Protocols


Snatch threat actors establish connections over port 443 to blend C2 traffic in with other web traffic.

Table 15: Snatch Threat Actors ATT&CK Techniques for Enterprise – Exfiltration

Technique Title





Snatch threat actors use exfiltration techniques to steal data from a victim’s network.

Table 16: Snatch Threat Actors ATT&CK Techniques for Enterprise – Impact

Technique Title



Data Encrypted for Impact


Snatch threat actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

Inhibit System Recovery


Snatch threat actors delete all volume shadow copies from a victim’s filesystem to inhibit system recovery.


These mitigations apply to all stakeholders. The authoring agencies recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices for hardening software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and file encryption), thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Reduce threat of malicious actors using remote access tools by:
    • Auditing remote access tools on your network to identify currently used and/or authorized software.
    • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
    • Using security software to detect instances of remote access software being loaded only in memory.
    • Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  • Implement application controls to manage and control execution of software, including allowlisting remote access programs.
    • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
  • Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Disable command-line and scripting activities and permissions [CPG 2.N].
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
  • Reduce the threat of credential compromise via the following:
    • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
    • Refrain from storing plaintext credentials in scripts.
  • Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E].

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
    • Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords [CPG 2.C].
    • Implement multiple failed login attempt account lockouts [CPG 2.G].
    • Disable password “hints.”
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Disable unused ports and protocols [CPG 2.V].
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].


In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 4-16).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.



The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at, a local FBI Field Office, or to CISA at or (888) 282-0870.




The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.


September 20, 2023: Initial version.

10 Top New Articles for Horizon, WorkspaceONE, End User Computing (EUC), Personal Desktop from August, 2023: 

This post was originally published on this site
KB articles VMware

Tweet Discover the top 10 new articles for Horizon, Workspace ONE, End User Computing (EUC), and Personal Desktop from August 2023. These articles cover a range of important topics and resolutions, including issues with Workspace ONE UEM application pools and services failing to start, problems with editing or creating DDUI profiles in Workspace ONE UEM, decoding … Continued

10 Top New Articles for Horizon, WorkspaceONE, End User Computing (EUC), Personal Desktop from August, 2023: 

This post was originally published on this site
KB articles VMware

Tweet Discover the top 10 new articles for Horizon, Workspace ONE, End User Computing (EUC), and Personal Desktop from August 2023. These articles cover a range of important topics and resolutions, including issues with Workspace ONE UEM application pools and services failing to start, problems with editing or creating DDUI profiles in Workspace ONE UEM, decoding … Continued

The post 10 Top New Articles for Horizon, WorkspaceONE, End User Computing (EUC), Personal Desktop from August, 2023:  appeared first on VMware Support Insider.

10 Top New Articles for HCX, SaaS, EPG Emerging Products Group from August, 2023: 

This post was originally published on this site
KB articles VMware

Tweet Discover the latest insights and solutions for VMware’s emerging products group (EPG) in our August 2023 roundup. From addressing network connectivity issues in Windows Virtual Machines to optimizing migration scalability in HCX, these articles offer valuable guidance. Learn how to resolve problems like private key exposure in NSX-T syslog, firewall rule issues in NSX-T … Continued