Author: Tyler L. Jones, Principal Cybersecurity Analyst | Security Operations
The post presents an in-depth forensic analysis of a highly sophisticated, zero-reputation malware campaign attributed to the Termite ransomware threat group. The adversary used bespoke malware and a command-and-control infrastructure, specifically a Tuoni reverse proxy at 161.35.97.106, to facilitate a multi-stage execution pipeline. By leveraging bespoke malicious payloads hosted at zero-reputation domains, the threat actor successfully bypassed standard Endpoint Detection and Response (EDR) telemetry.
To unravel the execution flow, our analysts detonated the initial access vector within a strictly controlled sandbox environment, capturing the volatile memory artifacts for dynamic analysis. This case study details the adversary’s methodical progression through the initial access, privilege escalation, and credential access phases. Notably, the analysis highlights the threat actor’s utilization of the System.DirectoryServices.DirectorySearcher class to extract a global email roster via encoded PowerShell, alongside the targeted hunting of unsecured, cleartext password files.
We’ll examine the exact defensive pivot point: the successful containment and eradication of the resident threat actor immediately following local credential harvest. By detailing these rapid isolation protocols, this research provides a definitive blueprint for neutralizing an entrenched adversary prior to network-wide lateral migration.
Introduction & Dynamic Analysis Methodology
Following the receipt of actionable intelligence indicating pre-ransomware staging, the Clearwater Security Operations Center initiated immediate incident response. To fully understand the scope of the EDR bypass, our analysts isolated the targeted payload and performed a dynamic detonation within a virtualized, monitored sandbox environment. By replicating the attacker’s execution chain on a localized VM, analysts were able to capture and reverse-engineer the heavily obfuscated, memory-resident PowerShell scripts that constituted the adversary’s toolkit.
Phase I: Evasion & Steganographic Memory Injection
Dynamic analysis of the volatile memory capture revealed a 108 KB Stage 1 PowerShell script orchestrating a sophisticated four-stage execution pipeline.
The payload defeated static analysis by employing an on-the-fly decryption function (`sJutQbsurJFCKmikvowsfzzlnJFiJtQ`), ensuring critical URLs and Windows APIs remained encrypted until execution:
function sJutQbsurJFCKmikvowsfzzlnJFiJtQ ($b64, $key) {
# The Decryption Engine
$bytes = [Convert]::FromBase64String($b64)
for ($i=0; $i -lt $bytes.Count; $i++) { $bytes[$i] = $bytes[$i] -bXOR $key }
return [System.Text.Encoding]::UTF8.GetString($bytes)
}
After successfully evading automated sandboxes using mathematical delay loops, the script contacted a zero-reputation domain to retrieve a seemingly benign image file. The script then extracted steganographic shellcode hidden within the pixel RGB data.
Finally, the malware utilized direct memory injection. By dynamically compiling C# code, it called native Windows subsystem APIs (NtAllocateVirtualMemory and NtProtectVirtualMemory) to allocate memory within the running PowerShell process, executing the steganographic payload entirely within RAM.
# Direct Memory Injection (De-obfuscated Flow)
$dynCode = @”
using System;
using System.Runtime.InteropServices;
public class MemInj {
[DllImport(“ntdll.dll”)]
public static extern uint NtAllocateVirtualMemory(…);
[DllImport(“ntdll.dll”)]
public static extern uint NtProtectVirtualMemory(…);
}
“@
Add-Type -TypeDefinition $dynCode
Phase II: Encoded Reconnaissance & Credential Access
Having established a memory-only C2 channel, the threat actor returned on May 25th to map the target environment. To bypass terminal logging and AMSI, they wrapped all executions in Base64 UTF-16LE encoding (powershell.exe -EncodedCommand).
At 18:13:39 EDT, the attacker executed a targeted LDAP query against Active Directory to scrape a comprehensive list of human user accounts. Reversing the base64 payload from the VM capture yielded the following pure data-gathering function:
$searcher = New-Object System.DirectoryServices.DirectorySearcher ‘(&(objectCategory=person)(objectClass=user))’;
$searcher.PageSize = 1000;
$searcher.PropertiesToLoad.Add(“samAccountName”);
$searcher.PropertiesToLoad.Add(“mail”);
$searcher.FindAll() | ForEach-Object { “$($_.Properties[“samAccountName”]), $($_.Properties[“mail”]) ” } | ForEach-Object { $_ -join ‘`n’ }
Simultaneous to the domain mapping, the adversary executed recursive file searches. At 17:59:22 EDT, they successfully located and read a cleartext password file (C:\Users\[redacted] \…\[Redacted]\Password File.txt). By reading this file, the adversary formally achieved the Credential Access (T1552) phase of the kill chain.
Interception: Rapid Containment
It is at this critical juncture—post-Credential Access but pre-Lateral Movement—that the defensive pivot occurred. Synthesizing external intelligence regarding the Tuoni C2 proxy with anomalous behavioral indicators, Clearwater MSS executed a rapid containment strategy.
The compromised endpoint was subjected to immediate hard isolation from the logical network, severing the attacker’s resident memory session. Given the exposure to local cleartext credentials and the AD/SAM reconnaissance, a domain-wide reset of all Active Directory passwords was executed. Subsequent environment-wide threat hunting confirmed zero lateral movement. The threat actor was expelled before they could deploy their exfiltration tool (ExMatter) or execute the Termite ransomware payload.
Conclusion: Resiliency Beyond the Perimeter
The paradigm of endpoint defense has fundamentally shifted. As demonstrated by the Termite syndicate’s deployment of steganographic, memory-resident payloads, sophisticated adversaries are no longer attempting to defeat EDR—they are bypassing it entirely. In this environment, relying solely on autonomous software agents is a critical vulnerability.
The successful neutralization of this intrusion underscores the indispensable value of human-led threat hunting, behavioral telemetry synthesis, and rapid isolation capabilities. Clearwater Managed Security Services stopped this attack not merely because an alert fired, but because our analysts dynamically identified the subtle, anomalous precursors to lateral movement. Ultimately, true operational resilience requires a security posture that anticipates perimeter failures and is explicitly engineered for decisive containment at the point of compromise.
Appendix A
MITRE ATT&CK Enterprise Mapping
The behaviors observed during this intrusion map to the following MITRE ATT&CK enterprise techniques:
Tactic | ID | Technique Name |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography |
Defense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools (Sandbox Evasion) |
Discovery | T1087.002 | Account Discovery: Domain Account |
Discovery | T1018 | Remote System Discovery |
Discovery | T1518.001 | Software Discovery: Security Software Discovery |
Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files |
Appendix B
Indicators of Compromise (IoCs)
Type | Indicator | Context |
IP Address | 161.35.97.106 | Termite ransomware / Tuoni C2 reverse proxy |
IP Address | 71.11.14.146 | Victim egress point |
URL | http(://)toplogistics(.)org/files/get-trucks-quick | Stage 1 steganographic payload delivery URL |
URL | http(://)bestretail(.)org/files/TokenAdd | Stage 2 privilege escalation payload |
File Path | C:\Users\[Redacted]\…\[Redacted]\Password File.txt | Targeted cleartext credential file |
