Summary

In this intrusion, we observed a number of interesting techniques being leveraged by the threat actors. The threat actors used BazarCall to install Trickbot in the environment, which downloaded and executed a Cobalt Strike Beacon. This report will go through an intrusion that went from an Excel file to domain-wide ransomware.

Unfamiliar with BazaCall/BazarCall? Read more here and here.

The Trickbot payload came from a phishing campaign associated with BazarCall, delivering weaponized XLSB files. Certutil was used to download and load the Trickbot DLL into memory. Upon execution, certutil.exe was copied to %programdata% and renamed with random alphanumeric characters.

From there the threat actor discovered the internal network before moving laterally to a domain controller for additional discovery. The threat actors were able to go from initial access to the deployment of Conti ransomware in a matter of hours. The Conti operators chose to wait a couple days before ransoming the environment. A couple days later, the threat actors came back and executed Conti ransomware across the domain.

We have observed the same techniques in other intrusions, and understanding these techniques will allow defenders to disrupt such intrusion activity and deny it in their own networks. Even though most of the techniques aren't new or advanced, they have proven to be effective.
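The copied-and-renamed certutil.exe described above is something a defender can hunt for in process-creation telemetry: renaming a PE on disk does not change the OriginalFileName stored in its version resource, so an event whose OriginalFileName says CertUtil.exe but whose on-disk name or directory does not match a normal Windows install is worth a look. The following is an added example written for this page, not code from The DFIR Report or from any tool the report uses. It assumes Sysmon Event ID 1 style field names (Image, OriginalFileName, ParentImage) and uses constructed sample events; the "random" filename and the process IDs are made up for illustration.

```python
"""Hunt for certutil.exe that has been copied to a non-standard directory
and/or renamed, as seen in the intrusion summarised above.

Added example (not from the original report). Field names follow Sysmon
Event ID 1 (process creation); every event below is constructed sample data.
"""
import ntpath

# Directories where a genuine certutil.exe is expected on a standard Windows
# install. Assumption: adjust for your own environment / images.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_relocated_certutil(event: dict) -> bool:
    """Return True when the PE identifies itself as CertUtil.exe via its
    version resource but its on-disk name or location is not the normal one."""
    original = event.get("OriginalFileName", "").lower()
    if original != "certutil.exe":
        return False  # not a certutil binary at all (or resource stripped)

    directory, basename = ntpath.split(event.get("Image", ""))
    if basename.lower() != "certutil.exe":
        return True  # binary was renamed (e.g. random alphanumeric name)
    if directory.lower() not in EXPECTED_DIRS:
        return True  # binary was copied elsewhere (e.g. %programdata%)
    return False


def find_relocated_certutil(events):
    """Return the Image paths of all events that trip the check, in order."""
    return [e["Image"] for e in events if is_relocated_certutil(e)]


# Constructed sample telemetry: one benign run, one copy renamed under
# ProgramData, one copy keeping its name but in the wrong directory, and one
# unrelated process. Names, PIDs and paths are invented for this example.
SAMPLE_EVENTS = [
    {
        "ProcessId": 4120,
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "ProcessId": 5312,
        "Image": r"C:\ProgramData\aB3x9Qz.exe",  # constructed random name
        "OriginalFileName": "CertUtil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "ProcessId": 5340,
        "Image": r"C:\ProgramData\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "ProcessId": 6001,
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for image in find_relocated_certutil(SAMPLE_EVENTS):
        print("relocated/renamed certutil:", image)
```

The check keys on the version resource rather than the file name precisely because the name is what the actor changes; pairing it with the Hashes field from the same event (comparing against the hash of the legitimate certutil.exe on your builds) catches the case where the version resource has also been edited, which this example does not attempt.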