Cybercriminals use PowerShell to steal NTLMv2 hashes from compromised Windows
New cyberattack campaign leverages PowerShell script combined with legitimate Red Teaming tool to loot NTLMv2 hashes from compromised Windows systems located primarily in Australia, Poland and Belgium.
The activity was named Steal-It by Zscaler ThreatLabz.
“In this campaign, bad actors steal and exfiltrate NTLMv2 hashes using custom versions of Nishang software. PowerShell Script Start-CaptureServerby executing various system commands and exfiltrating data retrieved through Mockbin APIs,” said security researchers Niraj Shivtarkar and Avinash Kumar.
Nishang is a framework and collection of PowerShell scripts and payloads for offensive security, penetration testing, and red teaming.
The attacks leverage up to five different infection chains, although they all use phishing emails containing ZIP archives as a starting point to infiltrate specific targets using geofencing techniques:
- NTLMv2 Hash Stealing Infection Chainwhich uses a custom version of the aforementioned Start-CaptureServer PowerShell script to harvest NTLMv2 hashes
- System information theft infection chainthat OnlyFans is targeting Australian users to download a CMD file that steals system information
- Fansly Whoami infection chainwhich uses explicit images of Ukrainian and Russian Fansly models to trick Polish users into downloading a CMD file that exfiltrates the results of the whoami command
- Windows update infection chainwhich targets Belgian users with fake Windows update scripts designed to execute commands such as tasklist and systeminfo
It should be noted that the latest attack sequence was highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in May 2023 as part of an APT28 campaign against institutions governments of the country.
Way Too Vulnerable: Uncovering the State of the Identity Attack Surface
MFA achieved? WFP? Service account protection? Find out how equipped your organization really is against identity threats
This raises the possibility that the Steal-It campaign could also be the work of a Russian state-sponsored threat actor.
“The threat actors’ custom PowerShell scripts and strategic use of LNK files in ZIP archives highlight their technical expertise,” the researchers said. “The persistence maintained by moving files from the Downloads folder to the Startup folder and renaming them underscores the threat actors’ commitment to prolonged access.”
