STAC6451: A Threat Group Targeting Indian Organizations with Mimic Ransomware
Sophos MDR threat hunters and intelligence analysts have recently unveiled a new threat activity cluster, dubbed STAC6451, that is actively targeting organizations in India with Mimic ransomware. This group exploits exposed Microsoft SQL Server databases to gain unauthorized access and deploy malicious payloads.
First seen in 2022, Mimic ransomware is distributed via executables that drop multiple binaries. The ransomware deletes shadow copies, encrypts files with specific extensions, and logs encryption activity. While Mimic ransomware binaries were staged in all observed incidents, their execution was often unsuccessful, and attackers sometimes deleted the binaries after deployment.
STAC6451 targets Microsoft SQL Server (MSSQL) databases exposed to the internet via the default TCP/IP port (1433). Attackers gain unauthorized access by brute-forcing simple account credentials. Once inside, they enable the xp_cmdshell stored procedure to facilitate remote code execution, running processes under the user session of “MSSQLSERVER.”
After gaining access, attackers use the Bulk Copy Program (BCP) utility to stage malicious payloads, including privilege escalation tools, Cobalt Strike Beacons, and Mimic ransomware binaries. They also employ the Python Impacket library to create backdoor accounts for lateral movement and persistence. These accounts, named “ieadm,” “helpdesk,” “admins124,” and “rufus,” allow attackers to maintain their presence in compromised environments.
The attackers conduct detailed reconnaissance using automated discovery commands executed via xp_cmdshell. These commands collect system information, such as version, hostname, available memory, domain, and username context. The actors then stage additional payloads using the BCP utility, creating local files from the malware stored in the MSSQL database.
To move laterally, the threat actors create new user accounts and add them to the local administrator and remote desktop groups. Scripts used to create these accounts are run simultaneously across multiple networks, indicating automation. Notably, these scripts reference multiple languages, suggesting the use of generic tools.
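The access, staging and account-creation steps described above leave a recognisable trail in process-creation telemetry. The following is an added detection sketch, not Sophos tooling or anything from the report: it tags events where a shell is spawned by the SQL Server service process (xp_cmdshell), where BCP writes query output to a file, and where local accounts are created or added to privileged groups; the event schema, field names and sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Backdoor account names the report attributes to STAC6451.
BACKDOOR_ACCOUNTS = {"ieadm", "helpdesk", "admins124", "rufus"}

@dataclass
class ProcEvent:          # constructed schema, not a real sensor format
    host: str
    parent: str           # parent image name, e.g. "sqlservr.exe"
    image: str            # child image name
    cmdline: str

def classify(ev):
    """Return the finding tags raised by one process-creation event."""
    findings = []
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    # xp_cmdshell commands run as children of the SQL Server service process.
    if parent == "sqlservr.exe" and image in {"cmd.exe", "powershell.exe"}:
        findings.append("mssql_spawned_shell")
    # BCP 'queryout' writes query results to a file: payload staging from the DB.
    if image == "bcp.exe" and "queryout" in cmd:
        findings.append("bcp_queryout_staging")
    # net user <name> [<password>] /add
    m = re.search(r"\bnet1?\s+user\s+(\S+)\s+(?:\S+\s+)?/add\b", cmd)
    if m:
        findings.append("local_account_created")
        if m.group(1) in BACKDOOR_ACCOUNTS:
            findings.append("known_backdoor_account")
    # Adding an account to the local admin or RDP group.
    if re.search(r'\bnet1?\s+localgroup\s+"?(administrators|remote desktop users)"?\s+\S+\s+/add\b', cmd):
        findings.append("privileged_group_add")
    return findings

def triage(events):
    """Map each host to the set of finding tags raised on it."""
    by_host = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            by_host.setdefault(ev.host, set()).update(tags)
    return by_host

# Constructed sample telemetry: four attacker-style events on db01, one benign on ws07.
SAMPLE_EVENTS = [
    ProcEvent("db01", "sqlservr.exe", "cmd.exe", 'cmd.exe /c "systeminfo & hostname & whoami"'),
    ProcEvent("db01", "cmd.exe", "bcp.exe",
              'bcp "select data from dbo.staging" queryout C:\\Users\\Public\\P0Z.exe -T -f fmt.xml'),
    ProcEvent("db01", "cmd.exe", "net.exe", "net user helpdesk Passw0rd! /add"),
    ProcEvent("db01", "cmd.exe", "net.exe", 'net localgroup "Remote Desktop Users" helpdesk /add'),
    ProcEvent("ws07", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]
```

The account-creation tag alone will also fire on legitimate provisioning; the higher-confidence signal is the combination of tags on a single database host, which is what `triage` surfaces.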
Attackers deploy privilege escalation tools like PrintSpoofer (P0Z.exe), which exploit weaknesses in the Windows spooler service. They also use Cobalt Strike implants to execute commands and create new local administrator accounts. For execution, the actors write ransomware launchers and initialization scripts to disk, leveraging AnyDesk to launch these scripts.
The attackers establish C2 communications using a unique Cobalt Strike loader (USERENV.dll) and obfuscation techniques. They use compromised web servers to host Cobalt Strike payloads and create services to auto-start the Beacons, maintaining persistence.
Sophos detected attempts to access LSASS memory credentials using Microsoft’s DumpMinitool. In some cases, attackers used WinRAR to archive data for exfiltration.
Sophos has observed STAC6451 specifically focusing on Indian organizations across multiple sectors. While the group’s primary objective appears to be deploying Mimic ransomware, they have also been seen engaging in data collection and exfiltration activities.