BRC27
Threat Report
Actor Profile
Reconnaissance
Threat intelligence sources with access to a data dump obtained from BRC27 servers report
that BRC27 performs passive reconnaissance by analyzing company and individual social media
accounts to identify individuals of interest within a targeted organization. Typically these
individuals are of C-level rank, but they also include staff with the highest likelihood of elevated
network access or privilege, such as IT managers, operators and engineers. Once BRC27 has
identified a target of interest, it also begins to harvest email addresses from public sources
and from data dumps available on sites such as Pastebin.
Initial Access
These email addresses are used to conduct a targeted spearphishing campaign in which an email
masquerading as communications from the organization's IT staff entices the victim to
update their VPN profile's contact information. The email contains a link to the purported
profile page of the organization's VPN service. When the link is accessed, the attacker's web service
presents the user with a fake login page. When a user enters their credentials, they are
stored on the server and a fake profile update page is displayed. Meanwhile, the web server
silently redirects the client to a webpage used to profile the user's web browser and attempt
several exploits against it.
Upon successful exploitation, the Empire dropper application executes in the context of the
web browser process. Its first action is to download additional tools, including a Trojan
containing an interactive reverse shell that uses RFC-compliant DNS messages for command
and control and exfiltration. The dropper also retrieves the mimikatz credential harvesting
application and several tools to aid in the discovery and compromise of other potential targets.
Cybrary Live Exercise
Sample Threat Report
ransomware attacks to extract administrator credentials held on thousands of computers.
These credentials were used to facilitate lateral movement and enabled the ransomware to
propagate throughout networks, encrypting the hard drives of numerous systems where these
credentials were valid.
Command and Control
While BRC27 has several command and control (C2) options at its disposal, it typically
leverages the BONDUPDATER remote access Trojan, which uses DNS tunneling to communicate
with its C2 server. The channel makes use of specially crafted CNAME, MX and TXT queries and
the subsequent server responses to exchange commands and data with the C2 server. Observed
characteristics of the channel:
• All subdomains contain a randomly generated value to avoid the DNS query resulting in
a cached response
• Uses an initial handshake to obtain a unique system identifier
• Uses hardcoded IP addresses within the DNS answers to start and stop data transfer
• Data upload includes a sequence number that allows the C2 to reconstruct the uploaded
data in the correct order
• CNAME, MX, and TXT query types have been used for various aspects of C2 and
tunneling
• The DNS tunneling protocols generate a significant number of DNS queries to unique
sub-domains of a common parent domain
BRC27 has been observed using the Empire post-exploitation framework for a variety of tasks,
most centered around lateral movement within an environment. Empire makes use of
modules downloaded over the established C2 channel that provide the threat actors with a
customizable range of options for pursuing their goals on the victim's systems. These actions
include privilege escalation, credential harvesting, host enumeration, keylogging, and the
discovery and staging of notable artifacts found on the victim's systems.
Exfiltration
Consistent with BRC27's modus operandi, the group maintains several options for
exfiltrating data from a victim's network. The mechanism of choice is the DNS-based
communications channel established by BONDUPDATER. To exfiltrate data, the attacker issues a
series of DNS queries in which base64-encoded data is embedded in the queried subdomain. Each
query also carries a sequence number so the attacker-controlled C2 server can reassemble
the collected data in the correct order.
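The following example is added to this report to illustrate both the DNS tunneling channel characterized in the command and control section and the sequence-numbered base64 exfiltration described above; it is not BRC27 tooling, BONDUPDATER code, or code from the original report. The name layout <seq>.<nonce>.<base64url chunk>.<parent> is a hypothetical encoding that carries the listed traits (unique names to defeat caching, a sequence number for reassembly, CNAME/MX/TXT query types), not BONDUPDATER's actual wire format. The parent domain updates.example.net, the resolver log line format and the credential text are constructed for the example. The detector at the end groups queries by client and parent domain and flags the combination of many distinct subdomains, unusual query types and base64-looking labels that the report lists as indicators.

```python
"""Added example for this page: a simulated DNS-tunnel exfiltration channel
(attacker side and C2 side) plus a detector for the traffic pattern the
report describes.  The name layout is a hypothetical encoding built from the
listed traits, not BONDUPDATER's real wire format."""
import base64
import re
import secrets
from collections import defaultdict

PARENT = "updates.example.net"                      # hypothetical attacker parent domain
B64_LABEL = re.compile(r"^[A-Za-z0-9_-]{16,63}$")    # label that looks like base64url
ODD_QTYPES = {"CNAME", "MX", "TXT"}                   # query types named in the report
LOG_RE = re.compile(r"client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)")


def encode_exfil(data: bytes, chunk_size: int = 30) -> list:
    """Attacker side: one query name per chunk, laid out as
    <seq>.<nonce>.<base64url chunk>.<PARENT>.  The sequence number lets the
    C2 reorder chunks, the random nonce makes every name unique so no resolver
    answers from cache, and 30 raw bytes become 40 characters (< 63 per label)."""
    names = []
    for seq, start in enumerate(range(0, len(data), chunk_size)):
        chunk = data[start:start + chunk_size]
        b64 = base64.urlsafe_b64encode(chunk).rstrip(b"=").decode()
        names.append(f"{seq}.{secrets.token_hex(4)}.{b64}.{PARENT}")
    return names


def decode_exfil(names) -> bytes:
    """C2 side: restore padding and reassemble by sequence number, so the
    result is correct even when queries arrive out of order."""
    chunks = {}
    for name in names:
        seq, _nonce, b64 = name.split(".")[:3]
        chunks[int(seq)] = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    return b"".join(chunks[i] for i in sorted(chunks))


def find_tunnels(log_lines, min_unique=20, min_ratio=0.5):
    """Defender side: for each (client, parent domain) count distinct query
    names, the share of CNAME/MX/TXT queries and the share of queries whose
    subdomain labels look like base64.  Flags pairs crossing all thresholds."""
    stats = defaultdict(lambda: {"names": set(), "odd": 0, "b64": 0, "total": 0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                                   # skip unparseable lines
        labels = m["qname"].rstrip(".").lower().split(".")
        parent = ".".join(labels[-2:])                 # crude registered-domain guess
        s = stats[(m["client"], parent)]
        s["total"] += 1
        s["names"].add(m["qname"])
        s["odd"] += int(m["qtype"].upper() in ODD_QTYPES)
        s["b64"] += int(any(B64_LABEL.match(lbl) for lbl in labels[:-2]))
    flagged = {}
    for key, s in stats.items():
        uniq = len(s["names"])
        odd_ratio, b64_ratio = s["odd"] / s["total"], s["b64"] / s["total"]
        if uniq >= min_unique and odd_ratio >= min_ratio and b64_ratio >= min_ratio:
            flagged[key] = {"unique_names": uniq, "odd_qtype_ratio": round(odd_ratio, 2),
                            "b64_label_ratio": round(b64_ratio, 2)}
    return flagged


def build_sample_log():
    """Constructed resolver log: ordinary lookups from five hosts plus one host
    (10.0.0.7) exfiltrating a fake credential dump through the channel above."""
    lines = [f"client=10.0.0.{i % 5} qtype=A qname=www.example.com" for i in range(40)]
    lines += [f"client=10.0.0.{i % 5} qtype=MX qname=example.com" for i in range(5)]
    loot = b"constructed sample: " + b"user=svc_backup pass=Winter2024! " * 30
    qtypes = sorted(ODD_QTYPES)
    for i, name in enumerate(encode_exfil(loot)):
        lines.append(f"client=10.0.0.7 qtype={qtypes[i % 3]} qname={name}")
    return lines


if __name__ == "__main__":
    for key, info in find_tunnels(build_sample_log()).items():
        print(key, info)
```

The thresholds are deliberately simple: a real deployment would key on the registered domain from a public suffix list rather than the last two labels, baseline each client's normal query volume, and treat a single CNAME/MX/TXT burst to a never-before-seen parent domain as its own signal. The nonce in each name is what defeats resolver caching, which is also why the queries reach the attacker's authoritative server at all; filtering on that parent domain at the recursive resolver breaks both the C2 channel and the exfiltration.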