A sophisticated cyber attack campaign leveraged SEO poisoning to compromise organizations through trojanized IT management tool installers. The attack began when users searching for ManageEngine OpManager were directed to a malicious website, downloading a compromised MSI file that installed Bumblebee malware. The threat actors then deployed AdaptixC2 beacons, performed internal reconnaissance, created privileged accounts, and installed RustDesk for persistence. They exfiltrated data via SFTP and ultimately deployed Akira ransomware across the network. The campaign affected multiple organizations, with time to ransomware ranging from 9 to 44 hours after initial access. The attackers used various tools and techniques for lateral movement, credential theft, and defense evasion.
Author: AlienVault
Related Tags:
it management tools
rustdesk
T1021.004
Bumblebee
lateral movement
data exfiltration
T1021.002
Akira
T1136
Associated Indicators:
File hashes (SHA-256):
186B26DF63DF3B7334043B47659CBA4185C948629D857D47452CC1936F0AA5DA
DE730D969854C3697FD0E0803826B4222F3A14EFE47E4C60ED749FFF6EDCE19D
A14506C6FB92A5AF88A6A44D273EDAFE10D69EE3D85C8B2A7AC458A22EDF68D2
A6DF0B49A5EF9FFD6513BFE061FB60F6D2941A440038E2DE8A7AEB1914945331
6BA5D96E52734CBB9246BCC3DECF127F780D48FA11587A1A44880C1F04404D23
File hashes (SHA-1):
F352CEC89A56E23DAE20CDD62DF4D40BC7F22B5E
1B9AA401457D29405C0BCF19CBF19A7028A0D214
FEBBAF5F08A8E0782FFCCE8BEEF1F2B4E249A52B
File hash (MD5):
BCEE0AB10B23F5999BCDB56C0B4A631A