Incident Score: Analysis & Impact (THE1773656627)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with high confidence (90%), supported by evidence indicating clickFix social engineering campaign, tricking victims into executing PowerShell. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: PowerShell (T1059.001) with high confidence (95%), supported by evidence indicating malicious PowerShell command executed via ClickFix, Slopoly is PowerShell-based and User Execution: Malicious File (T1204.002) with moderate to high confidence (80%), supported by evidence indicating victims tricked into executing a malicious PowerShell command. Under the Persistence tactic, the analysis identified Scheduled Task/Job: Scheduled Task (T1053.005) with high confidence (90%), supported by evidence indicating script persisted via a scheduled task, maintained access for over a week. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (80%), supported by evidence indicating script disguised as a legitimate Windows component and Obfuscated Files or Information (T1027) with moderate to high confidence (70%), supported by evidence indicating slopoly exhibited traits of LLM-generated code with verbose logging. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating slopoly sent JSON heartbeat beacons to its C2 server via cmd.exe and Protocol Tunneling (T1572) with moderate to high confidence (80%), supported by evidence indicating interlockRAT used WebSocket and SOCKS5 tunneling capabilities. Under the Discovery tactic, the analysis identified Network Service Discovery (T1046) with moderate to high confidence (80%), supported by evidence indicating advanced IP Scanner used for network reconnaissance. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate confidence (60%), supported by evidence indicating interlockRAT and NodeSnake used for persistence and lateral movement. Under the Collection tactic, the analysis identified Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence indicating data exfiltration via AzCopy before encryption. Under the Exfiltration tactic, the analysis identified Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with moderate to high confidence (70%), supported by evidence indicating azCopy used for data exfiltration and Exfiltration Over C2 Channel (T1041) with moderate to high confidence (80%), supported by evidence indicating data exfiltrated before triggering encryption. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (95%), supported by evidence indicating interlock ransomware encrypted files using AES-GCM with RSA-protected keys. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.