Qilin Operators Combine Credential Theft and Dual Encryptors for Maximum Damage


VTA-004540 – Qilin Operators Combine Credential Theft and Dual Encryptors for Maximum Damage

The ransomware group Qilin, operated as ransomware-as-a-service (RaaS), has grown into one of the most active and impactful threat actors globally, publishing more than 40 victim leak site entries per month and hitting the manufacturing sector hardest of all. What sets Qilin apart is its systematic blend of widely used legitimate tools (such as Cyberduck for exfiltration) with highly destructive follow-through: attackers use one encryptor to spread via PsExec across hosts and a second encryptor to exhaustively encrypt multi-share network drives, while simultaneously dismantling recovery options such as VSS snapshots.

The detailed attack flow runs as follows: initial access, often via compromised VPN credentials (sometimes due to leaked sign-on information); immediate reconnaissance using built-in Windows utilities (nltest.exe, net.exe) and custom scripts; credential harvesting through modified WDigest registry settings plus tools such as Mimikatz and SharpDecryptPwd; lateral movement via SMB shares and RDP configuration changes; data staging with Cyberduck to cloud hosts; and final encryption with network-wide impact.

Defense evasion was also key: attackers disabled AMSI, altered TLS certificate validation, loaded a malicious driver (dark.sys) to kill EDR, and used legitimate executables such as notepad.exe and mspaint.exe to browse sensitive information before encryption. The dual-encryptor approach (encryptor_1 spread via PsExec, encryptor_2 run on a single host targeting many shares) significantly increases operational speed and damage.

Severity:
Medium

Attack Surface:
Infrastructure, Server OS, Storage

Tactics:
Credential Access, Discovery, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence

Techniques:
T1078 – Valid Accounts
T1133 – External Remote Services
T1110 / T1110.003 – Brute Force / Password Spraying
T1003 – Credential Dumping
T1482 – Domain Trust Discovery
T1018 – Remote System Discovery
T1082 – System Information Discovery
T1048 – Exfiltration Over C2 Channel
T1537 – Transfer Data to Cloud Account
T1105 – Ingress Tool Transfer
T1562.001 – Disable or Modify Tools
T1490 – Inhibit System Recovery
T1489 – Service Stop
TA0011 – Command and Control
T1486 – Data Encrypted for Impact
T1112 – Modify Registry
T1053 – Scheduled Task/Job

Indicator of Compromise:
1. https://otx.alienvault.com/pulse/690423d6d2ee7be4788d1ea4

References:
1. https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/

SuperPRO’s Threat Countermeasures Procedures:
1. Enforce MFA on all VPN/remote access gateways and admin portals. Rotate any exposed VPN/remote admin credentials and revoke stale service accounts. Audit vendor privileged accounts.
2. Ensure Windows Server hosts are on a supported, patched baseline such as Windows Server 2012 R2, 2016, 2019 or 2022 with the latest Monthly Rollups. Apply the latest Microsoft Security Updates and Defender ATP definitions.
3. Block PsExec-like lateral movement tools through firewall/EDR policy; prevent psexec.exe and Windows SMB remote service execution from non-admin endpoints. Detect and block cyberduck.exe usage from non-admin systems or from servers. Add a firewall rule restricting outbound traffic to cloud storage endpoints to approved gateways only.
4. Isolate domain controllers, critical file shares and backup appliances into separate VLANs with limited management channels. Restrict write access to backup repositories and require multifactor verification for backup restores.
5. If affected, isolate the affected subnets and AD accounts. Do not power down hosts; capture memory and disk images for forensics. Restore from backups only after validating backup integrity. Rotate all privileged credentials and signing keys, and reissue certificates.
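The following is an added detection example, not tooling from this advisory, Talos or SuperPRO. It turns the attack flow described above (WDigest registry tampering, PsExec spread, VSS snapshot removal, Cyberduck staging, dark.sys driver load) and countermeasure 3 (cyberduck.exe on non-admin hosts or servers) into rules that run over Sysmon-style events. The event IDs are real Sysmon values; the host names, the approved-host allow list and every event in SAMPLE_EVENTS are constructed for the example. The WDigest value path is the well-known UseLogonCredential switch, which the page refers to only as "modified WDigest registry settings".

```python
"""Detection rules for the Qilin behaviours described in VTA-004540, run over
constructed Sysmon-style events. Added example; not the advisory's own tooling."""
import re
from dataclasses import dataclass
from typing import Optional

# Real Sysmon event IDs used by the rules below.
PROCESS_CREATE = 1   # Image, CommandLine
DRIVER_LOAD = 6      # ImageLoaded, Signed
REGISTRY_SET = 13    # TargetObject, Details

# Well-known WDigest switch that makes LSASS keep plaintext logon credentials.
WDIGEST_VALUE = (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders"
                 r"\WDigest\UseLogonCredential")

# Assumption: the only hosts allowed to run interactive cloud-transfer clients.
APPROVED_TRANSFER_HOSTS = {"admin-ws01"}

LATERAL_TOOLS = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    technique: str   # ATT&CK ID or tactic as listed in this advisory
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; extract the integer."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None


def detect(event: dict) -> list:
    """Return zero or more alerts for one Sysmon-style event dict."""
    host = event.get("Computer", "?")
    eid = event.get("EventID")
    out = []

    if eid == REGISTRY_SET:
        target = event.get("TargetObject", "")
        if target.lower() == WDIGEST_VALUE.lower() and _dword(event.get("Details", "")) == 1:
            out.append(Alert(host, "wdigest_plaintext_creds_enabled", "T1112",
                             f"UseLogonCredential set to 1 by {_basename(event.get('Image', ''))}"))

    elif eid == PROCESS_CREATE:
        image = _basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "").lower()
        if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            out.append(Alert(host, "shadow_copies_deleted", "T1490", cmd))
        if image in LATERAL_TOOLS:
            out.append(Alert(host, "psexec_remote_execution", "Lateral Movement", cmd))
        if image == "cyberduck.exe" and host.lower() not in APPROVED_TRANSFER_HOSTS:
            out.append(Alert(host, "cloud_transfer_client_on_unapproved_host", "T1537", cmd))

    elif eid == DRIVER_LOAD:
        drv = _basename(event.get("ImageLoaded", ""))
        signed = str(event.get("Signed", "")).lower() == "true"
        if drv == "dark.sys" or not signed:
            out.append(Alert(host, "suspicious_driver_load", "T1562.001",
                             f"{drv} signed={signed}"))
    return out


def run(events: list) -> list:
    """Apply detect() to every event and flatten the alerts."""
    return [a for e in events for a in detect(e)]


# Constructed sample telemetry (not real logs): one hit and one benign event per rule.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "FS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WDIGEST_VALUE, "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "FS01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Contoso\Agent\Version", "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Temp\PsExec.exe",
     "CommandLine": r"PsExec.exe \\FS02 -s cmd.exe /c C:\Temp\encryptor_1.exe"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Program Files\Cyberduck\Cyberduck.exe",
     "CommandLine": "Cyberduck.exe"},
    {"EventID": 1, "Computer": "ADMIN-WS01", "Image": r"C:\Program Files\Cyberduck\Cyberduck.exe",
     "CommandLine": "Cyberduck.exe"},
    {"EventID": 6, "Computer": "FS01", "ImageLoaded": r"C:\Windows\Temp\dark.sys", "Signed": "false"},
    {"EventID": 6, "Computer": "FS01", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signed": "true"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.host}: {a.rule} [{a.technique}] {a.detail}")
```

Run against SAMPLE_EVENTS this raises five alerts, one per rule, and stays silent on the benign twins (a different registry value, "vssadmin list shadows", Cyberduck on the approved admin workstation, a signed system driver). The WDigest rule keys on the value being set to 1 rather than on any write, so legitimate hardening that sets it to 0 does not fire; the driver rule treats any unsigned driver load as suspicious and names dark.sys explicitly only because the advisory does.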

Contributed by: Thivya