Threat actors have adopted the highly invasive technique of HTML smuggling to deliver the IcedID malware that leads to Nokoyawa ransomware, a payload previously delivered through macro-based documents.
The Nokoyawa ransomware variant has been active since February 2022 and shares similarities with the known Nemty and Karma ransomware families.
The DFIR Report states that two threat actors were involved in the campaign: the distributor and the hands-on-keyboard actor.
Microsoft tracks them as Storm-030 and Storm-0390, a “pen test” team managed by Periwinkle Tempest.
The threat actor delivers the payload by emailing the target a malicious HTML attachment.
Once the user opens the HTML file, a password-protected ZIP file is dropped onto the user's machine, and the user is prompted for the password to open it.
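The delivery step above is what a mail gateway or EDR can inspect before anything reaches the user. The following scanner is an added example (not code from the article or from The DFIR Report): it looks for the two ingredients HTML smuggling relies on, a browser-side decode of an embedded blob and a JavaScript-initiated download, and additionally decodes every long base64 literal to see whether it is a ZIP or ISO image. The 200-character threshold, the token lists and the inert fixture document are assumptions.

```python
"""Heuristic scanner for HTML-smuggling indicators in an e-mail attachment.

Added example, not the article's or The DFIR Report's code. Thresholds and
token lists are assumptions; the fixture document is constructed and inert.
"""
import base64
import binascii
import io
import re
import zipfile

# Browser-side decoding of embedded data.
DECODE_TOKENS = [r"\batob\s*\(", r"\bUint8Array\b", r"\bTextDecoder\b"]
# JavaScript-initiated file delivery to the user.
DELIVERY_TOKENS = [r"new\s+Blob\s*\(", r"createObjectURL\s*\(",
                   r"msSaveOrOpenBlob", r"\.download\s*="]
# A base64 literal of at least 200 characters (assumed threshold).
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

ZIP_MAGIC = b"PK\x03\x04"
ISO_MAGIC = b"CD001"  # ISO 9660 primary volume descriptor at offset 0x8001


def classify_blob(raw):
    """Return 'zip' or 'iso' when the decoded bytes carry that signature, else None."""
    if raw.startswith(ZIP_MAGIC):
        return "zip"
    if len(raw) > 0x8006 and raw[0x8001:0x8006] == ISO_MAGIC:
        return "iso"
    return None


def find_embedded_archives(html):
    """Decode every long base64 literal and report the ones that look like archives."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(0))
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all, e.g. a long hash or token
        kind = classify_blob(raw)
        if kind:
            found.append({"type": kind, "offset": m.start(), "size": len(raw)})
    return found


def scan_html(html):
    """'suspicious' requires decode tokens, delivery tokens and an embedded archive together."""
    script = "\n".join(SCRIPT_BODY.findall(html))
    decode = [t for t in DECODE_TOKENS if re.search(t, script)]
    delivery = [t for t in DELIVERY_TOKENS if re.search(t, script)]
    archives = find_embedded_archives(html)
    suspicious = bool(decode) and bool(delivery) and bool(archives)
    return {
        "decode_tokens": decode,
        "delivery_tokens": delivery,
        "embedded_archives": archives,
        "verdict": "suspicious" if suspicious else "clean",
    }


def build_fixture():
    """Constructed test document with the delivery shape but no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # placeholder ZIP, text only
        z.writestr("placeholder.txt", "constructed placeholder content, not a payload\n" * 10)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><p>Please open the attached document.</p>
<script>
  var decoded = atob("{b64}");
  var bytes = new Uint8Array(decoded.length);
  // constructed fixture: the byte fill-in is deliberately omitted
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var link = document.createElement("a");
  link.href = URL.createObjectURL(blob);
  link.download = "document.zip";
</script></body></html>"""


# Constructed benign page for comparison: a script tag, but no decode/delivery/archive.
BENIGN_HTML = ("<html><body><script>document.title = 'hello';</script>"
               "<p>Nothing to see.</p></body></html>")

if __name__ == "__main__":
    for name, doc in (("fixture", build_fixture()), ("benign", BENIGN_HTML)):
        print(name, scan_html(doc)["verdict"])
```

Requiring all three indicators together keeps the false-positive rate low: plenty of legitimate pages call `atob` or build a `Blob`, but very few also carry a several-hundred-character base64 literal that decodes to a ZIP or ISO header.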
The malware payload was embedded inside an ISO file contained in the ZIP archive. The only file visible to the user was an LNK file masquerading as a document.
When the user clicked the LNK file, a series of commands was executed to copy rundll32 and a malicious DLL from the ISO to the host before executing the malware.
Persistence was also established via a scheduled task on the beachhead host when the malicious DLL was executed.
This task was set to run the IcedID malware every hour on the host. Initial discovery commands were run seconds after the malware reached out to the command and control server.
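The execution and persistence steps above leave a distinctive trail in process-creation telemetry: a copy of rundll32 from a mounted image, rundll32 running outside the Windows system directories, and a scheduled task that re-runs it hourly. The detection below is an added example (not from the article or The DFIR Report) that runs three rules over constructed Sysmon-style events and correlates the hits per host inside a short window. Field names, the ten-minute window, paths and the sample events are all assumptions.

```python
"""Detection logic for the LNK -> rundll32-copy -> hourly-task chain.

Added example, not the article's or The DFIR Report's code. Event field names,
the correlation window and the sample events are constructed assumptions.
"""
import json
import re
from datetime import datetime, timedelta

TRUSTED_RUNDLL32 = (r"c:\windows\system32\rundll32.exe",
                    r"c:\windows\syswow64\rundll32.exe")
WINDOW = timedelta(minutes=10)  # assumed correlation window per host


def rule_rundll32_outside_system(ev):
    """rundll32.exe running from anywhere but the Windows system directories."""
    image = ev["image"].lower()
    return image.endswith(r"\rundll32.exe") and image not in TRUSTED_RUNDLL32


def rule_copy_rundll32_from_removable(ev):
    """cmd.exe under explorer.exe (an LNK double-click) copying rundll32 off a non-C: drive."""
    cl = ev["command_line"].lower()
    return (ev["parent_image"].lower().endswith(r"\explorer.exe")
            and ev["image"].lower().endswith(r"\cmd.exe")
            and re.search(r"\b(copy|xcopy)\b.*\b[d-z]:\\[^ ]*rundll32\.exe", cl) is not None)


def rule_hourly_task_rundll32(ev):
    """schtasks creating a task whose action is rundll32 on an hourly schedule."""
    cl = ev["command_line"].lower()
    return (ev["image"].lower().endswith(r"\schtasks.exe")
            and "/create" in cl
            and ("/sc hourly" in cl or re.search(r"/sc minute\s+/mo 60\b", cl) is not None)
            and "rundll32" in cl)


RULES = {
    "rundll32_outside_system": rule_rundll32_outside_system,
    "copy_rundll32_from_removable": rule_copy_rundll32_from_removable,
    "hourly_task_rundll32": rule_hourly_task_rundll32,
}

# Constructed process-creation events (JSON lines). WS01 shows the chain; WS02 is benign.
SAMPLE_EVENTS = r"""
{"ts":"2023-05-01T09:14:02","host":"WS01","image":"C:\\Windows\\explorer.exe","parent_image":"C:\\Windows\\System32\\userinit.exe","command_line":"explorer.exe"}
{"ts":"2023-05-01T09:14:05","host":"WS01","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"cmd.exe /c copy E:\\rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\ & copy E:\\data.dll C:\\Users\\alice\\AppData\\Local\\Temp\\"}
{"ts":"2023-05-01T09:14:06","host":"WS01","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\rundll32.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\data.dll,init"}
{"ts":"2023-05-01T09:14:20","host":"WS01","image":"C:\\Windows\\System32\\schtasks.exe","parent_image":"C:\\Users\\alice\\AppData\\Local\\Temp\\rundll32.exe","command_line":"schtasks.exe /create /tn Updater /sc hourly /tr \"rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\data.dll,init\" /f"}
{"ts":"2023-05-01T10:02:11","host":"WS02","image":"C:\\Windows\\System32\\rundll32.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","command_line":"rundll32.exe shell32.dll,Control_RunDLL"}
{"ts":"2023-05-01T11:30:00","host":"WS02","image":"C:\\Windows\\System32\\schtasks.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"schtasks.exe /create /tn Backup /sc daily /tr C:\\Tools\\backup.exe"}
"""


def parse_events(jsonl):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def run_rules(events):
    """Return one hit per (event, matching rule)."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append({"host": ev["host"], "ts": ev["ts"], "rule": name,
                             "command_line": ev["command_line"]})
    return hits


def correlate(hits):
    """Per host, find the largest set of distinct rules firing inside WINDOW."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    findings = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        best = set()
        for i, anchor in enumerate(hs):
            rules = {h["rule"] for h in hs[i:] if h["ts"] - anchor["ts"] <= WINDOW}
            if len(rules) > len(best):
                best = rules
        findings.append({"host": host, "rules": sorted(best),
                         "severity": "high" if len(best) >= 2 else "medium"})
    return findings


if __name__ == "__main__":
    for f in correlate(run_rules(parse_events(SAMPLE_EVENTS))):
        print(f)
```

Each rule on its own is a medium-confidence signal (rundll32 has legitimate copies in some admin tooling, and hourly tasks are common); two or more of them on the same host within minutes is what distinguishes this chain from noise.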
Using one of those accounts, the threat actor initiated an RDP session to move laterally to a domain controller.
Later, they used SessionGopher to log into additional hosts over RDP, including a backup server and a server hosting file shares.
Finally, they executed k.exe and p.bat, a ransomware binary and a batch script, to launch the ransomware.
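The lateral movement described above, one account reaching a domain controller, a backup server and a file server over RDP in succession, is visible in Windows logon events (4624 with logon type 10). The script below is an added example (not from the article or The DFIR Report) that flags interactive RDP logons onto tagged critical assets from sources that are not approved jump hosts, then reports accounts fanning out to several such assets. The asset tags, approved source list and sample events are constructed assumptions.

```python
"""Flag RDP logons (event 4624, logon type 10) onto critical assets and
report accounts fanning out across several of them.

Added example, not the article's or The DFIR Report's code. Asset roles,
approved jump hosts and the sample events are constructed assumptions.
"""
import json

# Assumed inventory: hosts whose interactive logons deserve scrutiny.
CRITICAL_ASSETS = {"DC01": "domain-controller", "BKP01": "backup-server", "FS01": "file-server"}
# Assumed privileged access workstation(s) from which admin RDP is expected.
APPROVED_RDP_SOURCES = {"10.0.5.10"}

# Constructed Security-log events (JSON lines, fields reduced to what the rule needs).
SAMPLE_4624 = """
{"ts":"2023-05-01T12:01:10","computer":"DC01","event_id":4624,"logon_type":10,"target_user":"svc_backup","source_ip":"10.0.7.33"}
{"ts":"2023-05-01T12:09:42","computer":"BKP01","event_id":4624,"logon_type":10,"target_user":"svc_backup","source_ip":"10.0.7.33"}
{"ts":"2023-05-01T12:15:05","computer":"FS01","event_id":4624,"logon_type":10,"target_user":"svc_backup","source_ip":"10.0.7.33"}
{"ts":"2023-05-01T12:20:00","computer":"DC01","event_id":4624,"logon_type":10,"target_user":"adm_jane","source_ip":"10.0.5.10"}
{"ts":"2023-05-01T12:21:30","computer":"FS01","event_id":4624,"logon_type":3,"target_user":"alice","source_ip":"10.0.7.40"}
{"ts":"2023-05-01T12:25:00","computer":"WS05","event_id":4624,"logon_type":10,"target_user":"svc_backup","source_ip":"10.0.7.33"}
"""


def parse_events(jsonl):
    """Parse JSON lines into event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines()]


def flag_rdp_to_critical(events):
    """Interactive RDP (type 10) onto a critical asset from a non-approved source."""
    findings = []
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue  # only successful remote-interactive logons matter here
        role = CRITICAL_ASSETS.get(ev["computer"])
        if role is None or ev["source_ip"] in APPROVED_RDP_SOURCES:
            continue
        findings.append({"ts": ev["ts"], "computer": ev["computer"], "role": role,
                         "user": ev["target_user"], "source_ip": ev["source_ip"]})
    return findings


def fan_out(findings, min_hosts=2):
    """Group flagged logons by (user, source) and keep those touching several critical hosts."""
    hosts = {}
    for f in findings:
        hosts.setdefault((f["user"], f["source_ip"]), set()).add(f["computer"])
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    flagged = flag_rdp_to_critical(parse_events(SAMPLE_4624))
    for f in flagged:
        print(f)
    print(fan_out(flagged))
```

Logon type 10 is the discriminating field: the file-server access by a normal user in the sample is a type 3 network logon and is ignored, while the single admin RDP from the approved workstation passes the allow-list. The fan-out view is what surfaces the pattern in this intrusion, one account hopping between a domain controller, a backup server and a file server from the same source.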