Using One Cyber Attack to Distract Attention from the Real Attack

Fascinating possibility: a hacker group preparing to launch one cyber attack in order to distract the threat response team from a second, more important attack.

On the other hand, this might just be a case of an adversary overthinking things and overcomplicating their attack.

During a client security intelligence service engagement, Dell SecureWorks Counter Threat Unit™ (CTU) analysts discovered the threat actor using a novel technique to distract responders. By the time the client engaged CTU analysts, the adversary had clearly been established within the compromised infrastructure for some time, had acquired and was actively using the credentials of at least one domain administrator account, and was using those credentials to move throughout the infrastructure via the Terminal Services Client. CTU analysts also observed the threat actor accessing several geographically dispersed domain controllers within a relatively short period of time, indicating that extensive reconnaissance and infrastructure mapping had already occurred.

. . .

Placing the malicious executable on one system and the .vbs and .xml files on subsequent domain controllers could have resulted in a devastating mass infection of the infrastructure. If not for a minor misspelling in the ScheduledTasks.xml file, systems across the infrastructure would have been infected during those two days as they joined the domain. This large-scale infection would have presented the IT staff with a significant and potentially overwhelming challenge.

It is likely that the threat actor intended the widespread disruption to distract responders from other malicious activity. The CTU research team recommends that IT administration staff check domain controllers for the existence of ScheduledTasks.xml files and review the content of identified files. These files have legitimate use when knowingly employed within a domain infrastructure, but CTU analysts’ observations indicate that they have also been used to attempt mass deployment of malware.
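One way to act on that recommendation, as an added example that is not part of Schneier's post or the CTU report: walk a SYSVOL tree for Group Policy Preferences `ScheduledTasks.xml` files, parse each one, and flag any task whose command or arguments point at a script file or script interpreter. The file layout (`Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml`), the element names (`Task`, `ImmediateTaskV2`, `Properties`, `Exec`), the attribute names and the sample XML are assumptions about the GPP format, constructed for this example. A file that fails to parse is reported rather than skipped, since a malformed file is itself worth a look.

```python
"""Hunt for GPP scheduled-task files under SYSVOL and flag tasks that launch
scripts or interpreters. Added example; element/attribute names and the
sample XML are assumptions about the GPP format, not from the CTU report."""
import os
import xml.etree.ElementTree as ET

SCRIPT_EXTENSIONS = (".vbs", ".js", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
INTERPRETERS = ("cscript", "wscript", "powershell", "mshta", "cmd.exe")

# Constructed sample: one benign task, one legacy task running a .vbs via
# wscript, and one TaskV2-style immediate task whose action is an Exec node.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="Inventory">
    <Properties action="C" name="Inventory" appName="C:\Program Files\Inventory\inv.exe" args="/quiet" startIn="" comment=""/>
  </Task>
  <Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="Update">
    <Properties action="C" name="Update" appName="wscript.exe" args="\\dc01\netlogon\update.vbs" startIn="" comment=""/>
  </Task>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Cleanup">
    <Properties action="C" name="Cleanup" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c del /q C:\Temp\*.log</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""


def find_scheduled_task_files(sysvol_root):
    """Return every ScheduledTasks.xml under a SYSVOL tree (assumed path:
    Policies\\{GUID}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml)."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() == "scheduledtasks.xml":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def _looks_suspicious(command, args):
    """Flag commands that reference a script file or a script interpreter."""
    text = f"{command} {args}".lower()
    return any(ext in text for ext in SCRIPT_EXTENSIONS) or any(
        interp in text for interp in INTERPRETERS)


def review_tasks(xml_text):
    """Parse one ScheduledTasks.xml body; return (findings, error).
    findings lists every task with its command, arguments and a
    'suspicious' flag. A parse failure is returned as error, not hidden."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [], f"parse error: {exc}"
    findings = []
    for task in root:
        props = task.find("Properties")
        if props is None:
            continue
        # Legacy <Task>: program and arguments are attributes of <Properties>.
        command = props.get("appName", "")
        args = props.get("args", "")
        if not command:
            # TaskV2 / ImmediateTaskV2: an embedded (namespaced) task
            # definition carries the program inside <Actions><Exec>.
            for elem in props.iter():
                if _local(elem.tag) == "Exec":
                    for child in elem:
                        if _local(child.tag) == "Command":
                            command = (child.text or "").strip()
                        elif _local(child.tag) == "Arguments":
                            args = (child.text or "").strip()
                    break
        findings.append({
            "task": task.get("name", "?"),
            "kind": _local(task.tag),
            "command": command,
            "args": args,
            "suspicious": _looks_suspicious(command, args),
        })
    return findings, None


def scan_sysvol(sysvol_root):
    """Map each ScheduledTasks.xml under sysvol_root to its review result."""
    results = {}
    for path in find_scheduled_task_files(sysvol_root):
        with open(path, encoding="utf-8-sig") as fh:
            results[path] = review_tasks(fh.read())
    return results


if __name__ == "__main__":
    for f in review_tasks(SAMPLE_SCHEDULED_TASKS_XML)[0]:
        flag = "REVIEW" if f["suspicious"] else "ok    "
        print(f"{flag} {f['kind']:<16} {f['task']:<10} {f['command']} {f['args']}")
```

Run `scan_sysvol(r"\\domain\SYSVOL\domain\Policies")` from a domain-joined host with read access to SYSVOL; a task that runs `cmd.exe` is flagged alongside one that runs a `.vbs`, which is deliberate, because the point of the check is to surface every task for a human to confirm as intended rather than to decide on its own what is legitimate.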
