Researchers Expose Operations Of Three Sodinokibi Affiliate Groups

• All of the three affiliates (Group 1, affiliate #34, and affiliate #19) use mass port scanning tools to find accessible RDP servers.
• They then use the NLBrute RDP brute-forcing tool with custom password lists to gain access to servers and spread laterally throughout the network.

What’s the matter?

Researchers from McAfee have tracked the TTPs and operations of three Sodinokibi affiliate groups by using the global network of Remote Desktop Protocol (RDP) honeypots.

A brief overview

Researchers have tracked the tools, tactics, techniques, and procedures (TTPs) used by the Sodinokibi affiliates to infect victims’ systems with the ransomware.

• McAfee researchers noted that the Sodinokibi ransomware executables are tagged with an affiliate's IDs and sub IDs in order to track who infected the victim and which affiliate should earn a commission for payment.
• However, these affiliate IDs allow researchers to track their activities.

Tools and tactics used by the affiliates

Researchers noted that these affiliates, known as Group 1, affiliate #34, and affiliate #19, initially compromised a system via RDP and then tried to compromise the rest of the network.

• All of the three affiliates use mass port scanning tools to find accessible RDP servers.
• They then use the NLBrute RDP brute-forcing tool with custom password lists to gain access to servers and spread laterally throughout the network.
• Out of the three, affiliate #34 and #19, leverage more skillful tactics such as using custom Mimikatz batch files to steal network credentials, custom scripts to delete Windows event viewer logs, and the creation of hidden users.
• Affiliate #19 employs local exploits to gain administrative access on a compromised computer.
• On the other hand, Affiliate #34 was spotted dropping cryptomining payloads such as MinerGate and XMRig.

“Based on our analysis, this individual is likely part of some Persian-speaking credential cracking crew harvesting RDP credentials and other types of data. The individual is sharing information related to Masscan and Kport scan results for specific countries that can be used for brute force operations.” researchers said, BleepingComputer reported.

Use of Everything file indexer

Researchers observed an interesting tactic used by affiliate #34, which is the deployment of “Everything file indexing software”.

• When installed, this software will index all of the file and folder names found on the system in order to quickly search for files based on an entered keyword.
• Therefore, this software could be installed by the affiliate to search for sensitive files based on their names.

For example, if files contain the words such as “secret”, “password”, “bank accounts”, “classified”, “military”, etc, the affiliate could then exfiltrate these files in an unencrypted form in order to steal trade secrets, credentials, financial information, or threaten to release the documents unless a ransom is paid.

“Unfortunately we haven’t got information that the actor was searching for specific keywords we did see a complete index of the filesystem,” John Fokker, Head of Cyber Investigations at McAfee, told BleepingComputer via email.