Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free

Event ID: 4521
UUID: 761270e6-3a97-4c18-9a44-a844cb5b562b
Creator org: CIRCL
Owner org: LUNCHBOX
Creator user: admin@admin.test
Protected Event: no (event is in unprotected mode)
Tags:
  •  type:OSINT
  •  osint:lifetime="perpetual"
  •  osint:certainty="50"
  •  tlp:white
  •  osint:source-type="blog-post"
  •  misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053"
  •  misp-galaxy:mitre-attack-pattern="Standard Non-Application Layer Protocol - T1095"
  •  misp-galaxy:ransomware="Lorenz Ransomware"
  •  dnc:malware-type="Ransomware"
  •  enisa:nefarious-activity-abuse="ransomware"
  •  ecsirt:malicious-code="ransomware"
  •  malware_classification:malware-category="Ransomware"
  •  veris:action:malware:variety="Ransomware"
  •  Ransomware
  •  ms-caro-malware:malware-type="Ransom"
  •  ms-caro-malware-full:malware-type="Ransom"
Date: 2022-09-12
Threat Level: Undefined
Analysis: Initial
Distribution: All communities
Published: Yes (2022-11-01 06:55:37)
Attributes: 61 (18 Objects)
First recorded change: 2022-09-15 07:43:15
Last change: 2022-10-24 09:22:25
Sightings: 0 (0)


Related Events
  •  LUNCHBOX: SSH Bruteforce IPs feed (2022-10-07; correlations: 1)
  •  LUNCHBOX: Telnet Bruteforce IPs feed (2022-10-03; correlations: 1)
  •  LUNCHBOX: IPsum (aggregation of all feeds) - level 1 - lot of false positives feed (2022-09-21; correlations: 1)
  •  CUDESO: Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free (2022-09-21; correlations: 11)


Galaxies

Attack Pattern

  •  Modify Registry - T1112
  •  Obfuscated Files or Information - T1027
  •  System Network Configuration Discovery - T1016
  •  File and Directory Discovery - T1083
  •  Remote Desktop Protocol - T1021.001
  •  Domain Accounts - T1078.002
  •  Security Software Discovery - T1518.001
  •  Web Shell - T1505.003
  •  LSASS Memory - T1003.001
  •  Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002
  •  Scheduled Task - T1053.005
  •  PowerShell - T1059.001
  •  Windows Command Shell - T1059.003
  •  Clear Windows Event Logs - T1070.001
  •  Local Accounts - T1078.003
  •  Proxy - T1090
  •  Exploit Public-Facing Application - T1190
  •  Data Encrypted for Impact - T1486
  •  System Shutdown/Reboot - T1529
  •  Encrypted Channel - T1573
  •  Malware - T1587.001
  •  Tool - T1588.002

Malpedia

  •  Chisel (ELF)
  •  Chisel (Windows)
  •  Lorenz

Object: sigma (2022-09-15)
  reference (External analysis, link): https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
  sigma (Payload installation, sigma):
    title: Accessing WinAPI in PowerShell for Credentials Dumping
    id: 3f07b9d1-2082-4c56-9277-613a621983cc
    description: Detects Accessing to lsass.exe by Powershell
    status: experimental
    author: oscd.community, Natalia Shornikova
    date: 2020/10/06
    modified: 2022/07/14
    references:
      - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
    tags:
  sigma-rule-name (Other, text): Accessing WinAPI in PowerShell for Credentials Dumping

Object: sigma (2022-09-15)
  reference (External analysis, link): https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/builtin/win_atsvc_task.yml
  sigma (Payload installation, sigma):
    title: Remote Task Creation via ATSVC Named Pipe
    id: f6de6525-4509-495a-8a82-1f8b0ed73a00
    description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
    author: Samir Bousseaden
    date: 2019/04/03
    references:
      - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
    tags:
      - attack.lateral_movement
      - attack.persistence
  sigma-rule-name (Other, text): Remote Task Creation via ATSVC Named Pipe

Object: sigma (2022-09-15)
  reference (External analysis, link): https://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_service.yml
  sigma (Payload installation, sigma):
    title: PowerShell as a Service in Registry
    id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
    description: Detects that a powershell code is written to the registry as a service.
    status: experimental
    author: oscd.community, Natalia Shornikova
    date: 2020/10/06
    modified: 2021/05/21
    references:
      - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
    tags:
  sigma-rule-name (Other, text): PowerShell as a Service in Registry

Object: sigma (2022-09-15)
  reference (External analysis, link): https://github.com/SigmaHQ/sigma/blob/1e16ed00905a496cbc3b0a1a03d4c2f6f4b63de2/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml
  sigma (Payload installation, sigma):
    title: CrackMapExec Process Patterns
    id: f26307d8-14cd-47e3-a26b-4b4769f24af6
    description: Detects suspicious process patterns found in logs when CrackMapExec is used
    status: experimental
    author: Florian Roth
    references:
      - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
    date: 2022/03/12
    modified: 2022/05/27
    tags:
  sigma-rule-name (Other, text): CrackMapExec Process Patterns

Object: sigma (2022-09-15)
  reference (External analysis, link): https://github.com/SigmaHQ/sigma/blob/b24e7ae9846f53cbbf61adad72f17af317c860a4/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml
  sigma (Payload installation, sigma):
    title: Encoded PowerShell Command Line Usage of ConvertTo-SecureString
    id: 74403157-20f5-415d-89a7-c505779585cf
    status: test
    description: Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines
    author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
    references:
      - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    date: 2020/10/11
    modified: 2022/07/14
    logsource:
  sigma-rule-name (Other, text): Encoded PowerShell Command Line Usage of ConvertTo-SecureString

Object: sigma (2022-09-15)
  reference (External analysis, link): https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml
  sigma (Payload installation, sigma):
    title: Process Dump via Comsvcs DLL
    id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
    status: test
    description: Detects process memory dump via comsvcs.dll and rundll32
    author: Modexp (idea)
    references:
      - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
      - https://twitter.com/SBousseaden/status/1167417096374050817
    date: 2019/09/02
    modified: 2021/11/27
  sigma-rule-name (Other, text): Process Dump via Comsvcs DLL
Object: yara (2022-09-15)
  reference (External analysis, link): https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar
  yara (Payload installation, yara):
    rule hktl_chisel_artifacts: Chisel Hacktool Artifacts
    {
        meta:
            Description = "looks for hacktool chisel artifacts potentially left in memory or unallocated space"
            Category = "Tool"
            Author = "Arctic Wolf Labs"
            Date = "2022-09-12"
            Reference = "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in"
        strings:
            $chisel = "chisel_1." ascii
            $s1 = "client" ascii
  yara-rule-name (Other, text): hktl_chisel_artifacts: Chisel Hacktool Artifacts

Object: yara (2022-09-15)
  reference (External analysis, link): https://github.com/rtkwlf/wolf-tools/blob/main/threat-intelligence/lorenz-ransomware-chiseling-in/lorenz-yara.yar
  yara (Payload installation, yara):
    rule webshell_php_3b64command: Webshells PHP B64
    {
        meta:
            Description = "Detects Possible PHP Webshell expecting triple base64 command"
            Category = "Malware"
            Author = "Arctic Wolf Labs"
            Date = "2022-09-12"
            Hash = "07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94"
            Reference = "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in"
        strings:
            $decode = "base64_decode(base64_decode(base64_decode(" ascii
            $encode = "base64_encode(base64_en
  yara-rule-name (Other, text): webshell_php_3b64command: Webshells PHP B64
Object: suricata (2022-09-15)
  suricata (Network activity, snort): #alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
  ref (External analysis, link): https://threatintel.proofpoint.com/sid/2001980

Object: suricata (2022-09-15)
  suricata (Network activity, snort): alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)"; flow:established,to_server; content:"GET"; http_method; content:"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/"; http_uri; http_header_names; content:!"Referer"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:1; me
  ref (External analysis, link): https://threatintel.proofpoint.com/sid/2037121#references1

Object: suricata (2022-09-15)
  suricata (Network activity, snort): alert tls any any -> $HOME_NET any (msg:"[Arctic Wolf Labs] Possible Ncat shell via SSL/TLS"; flow:established,to_client; content:"|41 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 4e 63 61 74|";tls_cert_issuer; content:"CN=localhost";depth:12;sid:10000;rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)
  suricata (Network activity, snort): alert http any any -> any any (msg:"[Arctic Wolf Labs] Base64 POST via Curl User-Agent to PHP File"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri;content:"/vhelp/pdf/"; http_uri; content:"curl"; http_user_agent;pcre:"/(?:[A-Za-z\d+\/]{4})*(?:[A-Za-z\d+\/]{3}=|[A-Za-z\d+\/]{2}==)?$/"; sid:10001; rev:1; reference:url,https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in;)
  ref (External analysis, link): https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in
Object: asn (2022-09-15)
  asn (Network activity): AS399629
  description (Other, text): BL Networks
  country (Other, text): US
  subnet-announced (Network activity, ip-src): 64.190.113.100 | related events: 3386

Object: asn (2022-09-15)
  asn (Network activity): AS399629
  description (Other, text): BL Networks
  country (Other, text): NL
  subnet-announced (Network activity, ip-src): 206.188.197.125 | related events: 3386

Object: asn (2022-09-15)
  asn (Network activity): AS14061 | related events: 3383, 4096
  description (Other, text): DIGITALOCEAN-ASN
  country (Other, text): US
  subnet-announced (Network activity, ip-src): 138.197.218.11 | related events: 3386
  subnet-announced (Network activity, ip-src): 138.68.19.94 | related events: 3386
  subnet-announced (Network activity, ip-src): 159.65.248.159 | related events: 1583, 3386

Attributes (2022-09-15, Network activity)
  ip-dst: 206.188.197.125 | country: Netherlands | comment: Data exfiltration via FileZilla; HTTP POST requests to notify threat actors of encryption progress | related events: 3386
  ip-dst: 159.65.248.159 | country: United States | comment: Data exfiltration via FileZilla | related events: 1583, 3386
  ip-dst: 64.190.113.100 | country: United States | comment: Data exfiltration via FileZilla | related events: 3386
  ip-dst: 138.68.19.94 | country: United States | comment: Data exfiltration via FileZilla | related events: 3386
  ip-dst: 138.197.218.11 | country: United States | comment: Data exfiltration via FileZilla | related events: 3386
Object: file (2022-09-15)
  sha256 (Payload delivery): 07838ac8fd5a59bb741aae0cf3abf48296677be7ac0864c4f124c2e168c0af94 | comment: Webshell | related events: 3386
  filename (Payload delivery): pdf_import_export.php

Object: ip-port (2022-09-15)
  ip (Network activity, ip-dst): 137.184.181.252 | comment: Used to exploit the Mitel device (CVE-2022-29499) | related events: 3386
  dst-port (Network activity, port): 8443