
Cybrary Live Exercise

Sample Threat Report

BRC27
Threat Report
Actor Profile

Financially motivated, highly sophisticated criminal organization that employs advanced
persistent threat (APT) TTPs, primarily for intelligence gathering and data theft. It specializes
in defrauding health insurance companies and extorting its data theft victims. BRC27 is a
determined adversary, willing to work exhaustively to gain a foothold and move silently
through victims' networks. Though it has many tools and techniques at its disposal,
BRC27 commonly ensures its stealth and persistence by harvesting credentials to
masquerade as legitimate users and by abusing commonly permitted, and uninspected,
protocols such as DNS and HTTPS for its C2 and exfiltration operations.

Reconnaissance

Threat intelligence sources with access to a data dump obtained from BRC27 servers report
that BRC27 performs passive reconnaissance by analyzing company and individual social media
accounts to identify individuals of interest within a targeted organization. Typically these
individuals are of C-level rank, but they also include staff with the highest likelihood of elevated
network access or privilege, such as IT managers, operators and engineers. Once BRC27 has
identified a target of interest, it also begins harvesting email addresses from public sources
and from data dumps available on sites such as Pastebin.

Initial Access

These email addresses are used to conduct a targeted spearphishing campaign in which an email
masquerading as a communication from the organization's IT staff entices the victim to
update their VPN profile's contact information. The email contains a link to the purported
profile page of the organization's VPN service. When the link is accessed, the attacker's web service
presents the user with a fake login page. When the user enters their credentials, they are
stored on the server and a fake profile update page is displayed. Meanwhile, the web server
silently redirects the client to a web page used to profile the user's web browser and attempt
several exploits against it.

Persistence, Privilege Escalation and Credential Access

Upon successful exploitation, the Empire dropper application executes in the context of the
web browser process. Its first action is to download additional tools, including a Trojan
containing an interactive reverse shell that uses RFC-compliant DNS messages for command
and control and exfiltration. The dropper also retrieves the mimikatz credential harvesting
application and several tools to aid in the discovery and compromise of other potential targets.

ransomware attacks to extract administrator credentials held on thousands of computers.
These credentials were used to facilitate lateral movement and enabled the ransomware to
propagate throughout networks, encrypting the hard drives of numerous systems where these
credentials were valid.

Command and Control

While BRC27 has several command and control (C2) options at its disposal, it typically
leverages the BONDUPDATER remote access Trojan, which uses DNS tunneling to communicate
with its C2 server. The channel makes use of specially crafted CNAME, MX and TXT queries and
the subsequent server responses to exchange commands and data with the C2 server.

• All subdomains contain a randomly generated value so that the DNS query is never answered from a cached response
• Uses an initial handshake to obtain a unique system identifier
• Uses hardcoded IP addresses within the DNS answers to start and stop data transfer
• Each data upload includes a sequence number that allows the C2 server to reconstruct the uploaded data in the correct order
• CNAME, MX, and TXT query types have been used for various aspects of C2 and tunneling
• The DNS tunneling protocols generate a significant number of DNS queries to unique subdomains of a common parent domain

Lateral Movement and Data Mining

BRC27 has been observed using the Empire post-compromise framework for a variety of tasks,
most centered on lateral movement within an environment. Empire makes use of
modules downloaded over the established C2 channel that provide the threat actors with a
customizable range of options for pursuing their goals on the victim's systems. These actions
include escalation of privileges, credential harvesting, host enumeration, key-logging, and the
discovery and staging of notable artifacts found on the victim's systems.

Exfiltration

Consistent with BRC27's established pattern, the threat group maintains several options for
exfiltrating data from a victim's network. The mechanism of choice is the DNS-based
communications channel established by BONDUPDATER. To exfiltrate data, the attacker issues a
series of DNS queries in which base64-encoded data is embedded in the queried subdomain. Each
query also carries a sequence number so the attacker-controlled C2 server can reassemble
the collected data in the correct order.
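The following triage script is an added example for this report and is not tooling from Cybrary, nor a BONDUPDATER sample; it turns the C2 indicators listed above (random cache-busting labels, many unique subdomains under one parent, CNAME/MX/TXT query types) and the exfiltration pattern (base64 chunks plus a sequence number) into detection logic run over a few constructed resolver log lines. The log layout ("timestamp client qtype qname") and the tunnel label layout ("random.seq.base64.parent") are assumptions chosen for the example; the handshake and the hardcoded start/stop IP answers are not modeled because they are only visible in responses, not in query logs.

```python
"""Heuristic DNS-tunnelling triage over a resolver query log (added example)."""
import base64
import binascii
import math
import re
from collections import defaultdict

# Constructed sample log (not from the report). Benign lookups to example.com and
# example.net are mixed with a burst of TXT/CNAME/MX queries to one parent domain,
# each carrying a random label, a sequence number and a base64 chunk, out of order.
SAMPLE_DNS_LOG = """\
2019-06-03T09:12:01Z 10.20.30.41 A www.example.com
2019-06-03T09:12:02Z 10.20.30.41 A mail.example.com
2019-06-03T09:12:04Z 10.20.30.41 A login.example.com
2019-06-03T09:12:05Z 10.20.30.41 A api.example.com
2019-06-03T09:12:05Z 10.20.30.41 A static.example.com
2019-06-03T09:12:07Z 10.20.30.41 A cdn.example.net
2019-06-03T09:12:09Z 10.20.30.41 TXT a81f3c.2.LWV4cG9y.update-cdn.example
2019-06-03T09:12:09Z 10.20.30.41 TXT 9d0e42.1.Y2xhaW1z.update-cdn.example
2019-06-03T09:12:10Z 10.20.30.41 CNAME e3b07d.4.LmNzdg.update-cdn.example
2019-06-03T09:12:10Z 10.20.30.41 MX c47b19.3.dC0yMDE5.update-cdn.example
"""

TUNNEL_QTYPES = {"CNAME", "MX", "TXT"}   # query types the report associates with the tunnel
MIN_UNIQUE_SUBDOMAINS = 4                # thresholds are illustrative, tune per environment
MIN_MEAN_ENTROPY = 2.5
MIN_TUNNEL_QTYPE_SHARE = 0.5
B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+$")


def parse_dns_log(text):
    """Parse 'timestamp client qtype qname' lines into (qtype, qname) tuples.
    Case is preserved on purpose: base64 chunks are case-sensitive."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, _client, qtype, qname = parts
        records.append((qtype.upper(), qname.rstrip(".")))
    return records


def split_parent(qname):
    """Naive (subdomain, parent) split: the last two labels form the parent.
    A production tool would use the public suffix list instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; random labels score higher than real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_parent_domains(records):
    """Per parent domain: count of unique subdomains, share of CNAME/MX/TXT
    queries, and mean entropy of the leftmost (cache-busting) label."""
    subs, qtypes, leftmost = defaultdict(set), defaultdict(list), defaultdict(list)
    for qtype, qname in records:
        sub, parent = split_parent(qname)
        if not sub:
            continue
        subs[parent].add(sub)
        qtypes[parent].append(qtype)
        leftmost[parent].append(sub.split(".")[0])
    stats = {}
    for parent in subs:
        n = len(qtypes[parent])
        stats[parent] = {
            "unique_subdomains": len(subs[parent]),
            "tunnel_qtype_share": sum(q in TUNNEL_QTYPES for q in qtypes[parent]) / n,
            "mean_entropy": sum(shannon_entropy(l) for l in leftmost[parent]) / n,
        }
    return stats


def suspicious_parents(records):
    """Parent domains whose query pattern matches the tunnelling profile."""
    flagged = []
    for parent, s in score_parent_domains(records).items():
        if s["unique_subdomains"] < MIN_UNIQUE_SUBDOMAINS:
            continue
        if (s["tunnel_qtype_share"] >= MIN_TUNNEL_QTYPE_SHARE
                or s["mean_entropy"] >= MIN_MEAN_ENTROPY):
            flagged.append(parent)
    return sorted(flagged)


def reassemble_exfil(records, parent):
    """Forensic scoping: order chunks by sequence number and decode them to learn
    what left the network. Assumes the constructed random.seq.base64 layout."""
    chunks = {}
    for _qtype, qname in records:
        sub, p = split_parent(qname)
        labels = sub.split(".")
        if p != parent or len(labels) != 3 or not labels[1].isdigit():
            continue
        if not B64_LABEL.match(labels[2]):
            continue
        data = labels[2] + "=" * (-len(labels[2]) % 4)   # restore stripped padding
        try:
            chunks[int(labels[1])] = base64.b64decode(data, validate=True)
        except binascii.Error:
            continue
    return b"".join(chunks[k] for k in sorted(chunks))


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for parent in suspicious_parents(recs):
        print(parent, score_parent_domains(recs)[parent])
        print("reassembled:", reassemble_exfil(recs, parent))
```

On the constructed log, example.com has five distinct subdomains but only A queries with low-entropy names, so it is not flagged, while update-cdn.example is flagged on both the query-type share and the label entropy; the reassembly step then shows an analyst what was actually uploaded, which is the question incident responders need answered for scoping. The thresholds are deliberately simple; in practice the unique-subdomain count per parent over a sliding window is the most robust of the three signals.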
