Skip to content

ColdDraw ransomware lands on Microsoft Exchange servers

  • by
  • 3 min read

Using a set of vulnerabilities in Microsoft Exchange servers, the ColdDraw Ransomware operations have found a way to gain initial access to corporate networks and deploy the ColdDraw ransomware. 

The ransomware operation launched in 2019 and had picked up speed by 2021. The FBI issued a warning in December 2021, stating that the group had breached 49 critical infrastructure organisations in the US. 

According to the latest report by cybersecurity firm Mandiant, which tracks the gang as UNC2596, the majority of the targets are either in the US or Canada. Other affected countries include Australia, Austria, Belgium, Columbia, Germany, India, Jordan, Poland and the United Kingdom.

In the News: Ukraine calls for volunteer hackers to defend against Russian cyberattacks

Modded ransomware for an ever-evolving operation

The Mandiant report suggests that the attackers might have had access to target networks since August 2021 and were seen leveraging Microsoft Exchange vulnerabilities such as ProxyShell and ProxyLogon to deploy web shells, RATs as well as backdoors. 

Locations where ColdDraw targets currently exist. | Source: Mandiant

The planted backdoors include Cobalt Strike and the NetSupport Manager RAT. The group also has tools called Bughatch, Wedgecut and eck.exe and a suite of Burntcigar tools. Here’s a breakdown of all the tools used.

  • Wedgecut: is a recon tool that comes in the form of an executable file. The file, called check.exe deals with the active directory through Windows Powershell.
  • Bughatch: fetches Powershell scripts and filest from a remote C&C server. The program loads in the memory from a remote URL to avoid detector.
  • Burntcigar: is a tool to terminate processes at the kernel level by exploiting a flaw in an Avast driver.
  • Termite: is a memory-only dropper that downloads and loads the aforementioned payloads.

The attack chain involves gaining access to stolen account credentials using the Mimikatz and Wicker tools. This is followed by recon using Wedgecut, followed by lateral movement using RDP, SMB, Cobalt Strike and PsExec. Finally, the chain is wrapped up by deploying Bughatch using Termite, followed by BurntCigar, which disables security tools and makes it easy to extract and encrypt data. 

The ColdDraw shaming site for companies that didn’t comply. | Source: Mandiant

The gang doesn’t use any cloud services for data extraction either. Everything is loaded and sent using their private cloud infrastructure. However, the vulnerabilities used in this attack method have already been patched as security updates have been available for quite some time now.

In the News: Oppo unveils its Find X5 lineup starting at €1,000 

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here:

Exit mobile version