Hunters International Ransomware: What We Learned from an Oracle WS Attack
Summary
- July 2024: Our threat hunters notice an uptick in attacks
- Sept. 2024: Hunters International posts information about the attacks on its data leak sites
- We find attack evidence with an entry point in an Oracle web server, followed by:
  - Lateral movement
  - Sensitive data exfiltration
  - File encryption
  - Data recovery disablement
Guidance
- Examine our knowledge sharing in the full threat briefing for:
  - Tactics, Techniques, and Procedures (TTP)
  - Detection opportunities
  - Indicators of Compromise (IoC)
- Follow best practices in threat detection and response
- Use specialized threat detection rules, including rules over EDR telemetry, to help identify attacks and automate incident response
Hunters International is a ransomware-as-a-service (RaaS) operation that first emerged in October 2023, claiming over 200 victims since its inception. In November 2024 alone, the group claimed 24 victim organizations, an average of nearly one per day:
- 10 in the U.S.
- 2 in the UK
- 12 elsewhere:
  - 7 in the EU
  - 3 in South America
  - 2 in Asia
From leaking US Marshals and FBI data to extorting the Chinese bank ICBC in London, Hunters International is a highly active and lucrative ransomware service.
Known for its adaptable design, Hunters International ransomware is written in Rust, which helps it evade detection, accelerate encryption and run across platforms. The malware shares code similarities with Hive ransomware but improves upon Hive’s design by streamlining command-line options and optimizing key management. Notably, it embeds encryption keys within the encrypted files, a technique that complicates decryption while simplifying the recovery process for victims who pay the ransom.
In a new threat briefing, we analyze an incident where attackers exploited a public-facing Oracle Web Server to gain initial access to a victim’s network. Following this, they conducted reconnaissance and lateral movement using commodity tools, exfiltrated sensitive data, disabled data recovery options, and finally encrypted files using the Hunters International encrypter. The full threat briefing also provides malware analysis and recommendations for detecting, mitigating, and hunting for this type of activity.
Below, we summarize the incident and how Forescout can help to mitigate this type of threat.
Incident Description: Hunters International Ransomware
In July 2024, we observed an increase in security alerts on a network we monitored, signaling potential malicious activity. We only had partial endpoint visibility on that account as part of a proof-of-concept engagement, so these alerts were inconclusive at the time. The alerts were subsequently connected to a broader attack campaign.
By September 2024, the attackers posted information about their activities on data leak sites, confirming our suspicions. During the investigation, we uncovered evidence of exploitation attempts targeting multiple vulnerabilities, credential dumping, and the use of SMB and RDP for lateral movement across the network.
After a thorough investigation, we reconstructed the sequence of events leading to the incident with some limitations due to partial visibility. The process is summarized in the figure below:
Initial Access
The investigation identified two potential methods by which the attacker might have gained access to the environment.
- Renamed AutoIt Malware
  The attackers deployed renamed AutoIt malware, followed by network scanning activity. They also attempted to compromise domain controllers using Zerologon and secretsdump DCSync, demonstrating their intent to escalate privileges and gain control over the domain.
- Oracle WebLogic Server
  The attackers connected to the debug port 8453 of an Oracle WebLogic server, which allowed them to execute commands as java.exe and install the China Chopper web shell. The exact method of compromise for the Oracle machine remains unknown, whether through a vulnerability or another vector.
Reconnaissance and Lateral Movement
After gaining access, the attackers conducted reconnaissance and lateral movement to map the network and escalate privileges. They created a folder to store tools and information about the environment, such as network locations, domain trust relationships and user details.
The attackers obtained an account with administrative rights and gathered local system credentials using SAM and SYSTEM hive dumps to move laterally.
To gain full control over the domain, the attackers exploited domain services possibly using DFSCoerce to manipulate the domain controller. This allowed them to access the Active Directory database, which they dumped.
The attackers used a variety of common administrative and red teaming tools for lateral movement, including:
- Plink
- Impacket
- AnyDesk
- TeamViewer
- RDP, leveraging the exposed Administrator account and domain admin accounts
They also added accounts to the Administrator or RDP groups to maintain access. In addition to targeting Windows systems, the attackers also investigated Linux machines by running commands to gather information about user privileges and system settings.
Impact: Data Collection, Exfiltration and Encryption
The attackers escalated their campaign by targeting a database server, from which they dumped contents that were later exfiltrated to the MEGA file-sharing service, indicating a deliberate and efficient data exfiltration strategy.
Subsequently, the attackers unzipped and executed the final ransomware payload, encrypter_windows_x64.exe. Once deployed, the ransomware systematically disabled backup and recovery options by erasing shadow copies and disabling Data Execution Prevention (DEP). The ransomware enumerated files across the system, encrypted them and propagated its activity across the entire network. It left a ransom note behind on affected systems.
TTPs and Detection Opportunities
The full threat briefing details the following tactics, techniques and procedures used by the Hunters International attackers.
| Technique | Artifact | Detection Opportunity |
|---|---|---|
| Exploit Public-Facing Application | Debug ports (8453) on WebLogic servers | Monitor for connections to debug ports and subsequent java.exe spawning cmd.exe (or other unusual parent-child relationships). |
| Web Shell | China Chopper deployment in WebLogic | Track web shell command patterns. Correlate with network traffic or endpoint reconnaissance commands. |
| Command and Scripting Interpreter | Usage of cmd.exe | 1. Monitor parent-child relationships. 2. Pair observations with command line arguments and length analysis. |
| User Execution | Users downloading and executing malicious files | Perform long-tail analysis, identify new executables, and track their prevalence and user context. |
| External Remote Services | Unauthorized deployment of Remote Monitoring and Management (RMM) tools (e.g. AnyDesk, TeamViewer) | Monitor for RMM installation and associated network connections. Start with LOLRMM and establish a baseline of known RMM tools in the environment to detect anomalies. |
| Remote Desktop Protocol | RDP abuse for lateral movement | Build a baseline of RDP connections and authentication patterns. Detect deviations, new connections, or changes in RDP configuration on the host. |
| Scheduled Task | Execution of batch file using schtasks | Monitor: 1. Windows events 4698–4702 in the Microsoft-Windows-Security-Auditing channel; 2. Microsoft-Windows-TaskScheduler/Operational logs; 3. file creations in the C:\Windows\System32\Tasks folder (Sysmon Event 11) with svchost.exe as the creating process; 4. registry changes (CreateKey, DeleteKey, SetValue; Sysmon Events 12, 13, 14) where svchost.exe is the Image and TargetObject is the task path; 5. image load events for taskschd.dll (Sysmon Event 7); 6. command line arguments. |
| Security Account Manager | Credential dumping through SAM registry hive | Monitor access to processes and registry hives that support credential dumping. |
| Forced Authentication | Coercion attacks against domain controller | Track event ID 5145 in Microsoft-Windows-Security-Auditing for IPC$ in ShareName and RelativeTargetName containing netdfs, lsarpc, efsrpc, srvsvc, samr or netlogon. |
| Valid Accounts | Use of administrator and privileged accounts for lateral movement | Establish a baseline of normal user actions, locations and execution formats. Detect deviations from expected behavior. |
| System Information Discovery | Enumeration using built-in tools (LOLBINs) | Create a baseline for expected enumeration behaviors, including who performs them, from where, and in what format. Detect deviations from these patterns. |
| SMB/Windows Admin Shares | File transfer using SMB | Track suspicious file patterns (e.g. delete.me) against a baseline. Analyze network traffic for deviations in SMB connections. Perform long-tail analysis of transferred files to detect uncommon executables. Track connections to admin shares. |
| Disable or Modify Tools | Security control tampering | Monitor for DEP changes or security tool tampering using bcdedit.exe. |
| Indicator Removal on Host | Deletion of volume shadow copies | Track shadow copy deletions via vssadmin.exe. |
| Data Encrypted for Impact | Ransomware encryption and ransom notes | Detect ransomware activity with file encryption via encrypter_windows_x64.exe and the creation of ransom notes (read me now!.txt) across multiple accounts. |
| Exfiltration Over C2 Channel | Data staging and movement | Monitor large data transfers using network byte analysis (inbound and outbound). |
| Data from Local System | Database targeting and dumps | Track changes to xp_cmdshell settings and detect mysqldump operations. |
| Application Layer Protocol | Potential C2 communication via ncat on port 1752 | Monitor connections to port 1752 and associated IP addresses. |
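Two of the detection opportunities from the table, the event 5145 coercion check and the java.exe-to-cmd.exe parent-child check, as an added Python example that is not part of the briefing or of Forescout's rules; the event field names and the sample events are assumptions constructed here for illustration.

```python
# Constructed sample events shaped like normalised Windows Security / Sysmon
# fields; the field names are an assumption, not a specific SIEM schema.
COERCION_PIPES = ("netdfs", "lsarpc", "efsrpc", "srvsvc", "samr", "netlogon")

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def is_coercion_share_access(ev: dict) -> bool:
    """Security event 5145 on IPC$ whose RelativeTargetName is one of the
    pipes the table lists for DFSCoerce-style coercion of a domain controller."""
    if ev.get("EventID") != 5145:
        return False
    if not ev.get("ShareName", "").upper().endswith("IPC$"):
        return False
    target = ev.get("RelativeTargetName", "").lower()
    return any(pipe in target for pipe in COERCION_PIPES)

def is_weblogic_shell_spawn(ev: dict) -> bool:
    """Sysmon event 1 (process creation) where java.exe, the WebLogic process,
    spawns cmd.exe: the parent-child pair the table flags after debug-port access."""
    if ev.get("EventID") != 1:
        return False
    return (basename(ev.get("ParentImage", "")) == "java.exe"
            and basename(ev.get("Image", "")) == "cmd.exe")

def triage(events: list) -> list:
    """Return (rule name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_coercion_share_access(ev):
            hits.append(("forced_authentication_5145", ev))
        if is_weblogic_shell_spawn(ev):
            hits.append(("weblogic_java_spawns_cmd", ev))
    return hits

SAMPLE_EVENTS = [  # constructed for this example, not taken from the incident
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "reports\\q3.xlsx",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.21"},           # benign file share access
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "netdfs",
     "SubjectUserName": "DC01$", "IpAddress": "10.0.0.99"},          # coercion-style pipe open
    {"EventID": 1, "ParentImage": "C:\\Oracle\\Middleware\\jdk\\bin\\java.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},  # benign shell
]
```

Running `triage(SAMPLE_EVENTS)` returns the coercion event and the WebLogic child shell and ignores the two benign events; a real deployment would baseline the IPC$ pipe names that legitimate hosts open before alerting on them.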
How Forescout Can Help
Forescout Threat Detection & Response (TDR) is equipped with specialized detection rules designed to identify and mitigate ransomware attacks, such as those orchestrated by the Hunters International group. By aggregating telemetry and logs from diverse sources including security tools, applications, and other enrichment sources, Forescout TDR correlates attack signals to generate high-fidelity threats for analyst investigation and facilitates automated response actions across the enterprise.
The following rules are instrumental in detecting activities associated with Hunters International attacks:
- CY-IR-0010 – EDR Telemetry: Execution Of ‘net.exe’ Detected
- CY-IR-0013 – EDR Telemetry: Suspicious Execution Of ‘regsvr32.exe’
- CY-IR-0040 – EDR Telemetry: PowerShell Started New Process
- CY-IR-0078 – EDR Telemetry: Lateral Movement Detection
- CY-IR-0097 – EDR Telemetry: Ransomware Detection
- CY-IR-0197 – EDR Telemetry: WMI Execution With Command Line Redirection
- CY-IR-0198 – EDR Telemetry: Automated Collection Detected
- CY-IR-0262 – EDR Telemetry: Mimikatz Execution Detected
- CY-IR-0271 – EDR Telemetry: Software Or System Service Discovery Detected
- CY-IR-0278 – EDR Telemetry: Software Installation On A Corporate Device Detected
- CY-IR-0318 – EDR Telemetry: Whoami Command Execution Detected
- CY-IR-0349 – EDR Telemetry: PowerShell Started Admin Privilege Process
- CY-IR-0153 – EDR Telemetry: Suspicious Shadow Copies Deletion Detection
- CY-IR-0411 – Web-Injection Attack Detected
The screenshots below show some of the logs ingested by TDR for this incident during the execution of the ransomware, detection of encryption activity and disabling of recovery options.
The image below shows a description of TDR rule CY-IR-0097 – EDR Telemetry: Ransomware Detection.