- Initial access was via a resume lure as part of a TA4557/FIN6 campaign.
- The threat actor abused LOLbins like ie4uinit.exe and msxsl.exe to run the more_eggs malware.
- Cobalt Strike and Pyramid, a Python-based C2 framework, were employed by the threat actor for post-exploitation activity.
- The threat actor exploited CVE-2023-27532 on a Veeam Backup & Replication server to facilitate lateral movement and privilege escalation.
- The threat actor installed Cloudflared to assist in tunneling RDP traffic.
- This case was first published as a Private Threat Brief for customers in April of 2024.
- Eight new rules were created from this report and added to our Private Detection Ruleset.
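As an added illustration of what a detection for the tradecraft in these takeaways can look like (this is example code written for this edit, not one of the report's private rules and not the authors' code), the script below runs three heuristics over constructed process-creation records: any execution of msxsl.exe, ie4uinit.exe launched from a shell or from a copy outside the Windows system directories, and cloudflared invoked with an RDP target. The pipe-delimited log layout, the sample records and the parent-process and path heuristics are all assumptions for the example, not details from the case.

```python
"""Added example (not from the original report): flag LOLBin use of
msxsl.exe / ie4uinit.exe and cloudflared RDP tunneling in process logs."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str    # full path of the created process
    parent: str   # full path of the parent process
    cmdline: str  # command line as logged


# Constructed sample records; the Image|Parent|Cmd layout is an assumption
# for this example, not the format of any real telemetry source.
SAMPLE_LOG = r"""
Image=C:\Users\Public\msxsl.exe|Parent=C:\Windows\System32\wscript.exe|Cmd=msxsl.exe C:\Users\Public\a.xml C:\Users\Public\a.xsl
Image=C:\Windows\System32\ie4uinit.exe|Parent=C:\Windows\System32\cmd.exe|Cmd=ie4uinit.exe -BaseSettings
Image=C:\Users\Public\cloudflared.exe|Parent=C:\Windows\System32\cmd.exe|Cmd=cloudflared.exe tunnel --url rdp://localhost:3389
Image=C:\Windows\System32\notepad.exe|Parent=C:\Windows\explorer.exe|Cmd=notepad.exe report.txt
Image=C:\Windows\System32\ie4uinit.exe|Parent=C:\Windows\System32\svchost.exe|Cmd=ie4uinit.exe -ClearIconCache
"""

# Heuristic choices (assumptions): parents that make ie4uinit.exe look
# interactive/scripted, and the directories a genuine copy should live in.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RDP_TARGET = re.compile(r"rdp://|:3389\b|\baccess\s+rdp\b")


def parse_log(text: str) -> list:
    """Turn the pipe-delimited sample lines into ProcEvent objects."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(ProcEvent(fields["Image"], fields["Parent"], fields["Cmd"]))
    return events


def detect(events) -> list:
    """Return (rule_name, command_line) for every record a rule matches."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev.image).lower()
        parent = ntpath.basename(ev.parent).lower()
        cmd = ev.cmdline.lower()
        if image == "msxsl.exe":
            # msxsl.exe is not shipped with Windows; any execution is worth a look.
            hits.append(("lolbin_msxsl_exec", ev.cmdline))
        elif image == "ie4uinit.exe":
            # A copy outside the system directories, or a shell parent, is
            # the abuse pattern; the svchost-launched System32 copy is not flagged.
            in_system_dir = ev.image.lower().startswith(SYSTEM_DIRS)
            if not in_system_dir or parent in SHELL_PARENTS:
                hits.append(("lolbin_ie4uinit_suspicious", ev.cmdline))
        elif "cloudflared" in image or "cloudflared" in cmd:
            if RDP_TARGET.search(cmd):
                hits.append(("cloudflared_rdp_tunnel", ev.cmdline))
    return hits


if __name__ == "__main__":
    for rule, cmdline in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {cmdline}")
```

On the constructed sample the pass flags three records (the msxsl.exe run, the cmd.exe-spawned ie4uinit.exe, and the cloudflared RDP tunnel) and leaves the notepad.exe and svchost-launched ie4uinit.exe records alone; tune the parent list and path checks to your own baseline before relying on it.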