Security researchers from Hunt.io have identified an unauthenticated open directory while examining indicators of compromise published in an earlier CyberXTron report on the TheGentlemen ransomware group. The directory, hosted at IP address 176.120.22.127 on port 80, resides on infrastructure belonging to Proton66 OOO (AS198953), a Russian provider previously linked to other malicious campaigns. The server had been active for at least 24 days prior to discovery. The directory contained 126 files spread across 18 sub-directories, amounting to approximately 140 megabytes. It contained legitimate utilities, well-known offensive security tools, batch scripts for defense evasion, credential dumping, remote access, and persistence, as well as cleartext ngrok authentication tokens.[1]
Mimikatz logs and harvested victim data, including NTLM hashes and usernames, confirmed that tools had already been deployed against live targets. All analyzed scripts were classified as malicious and fell into two categories: Exploit scripts, which alter security settings and escalate privileges, and Config scripts, which contain sensitive authentication tokens.
The Gentlemen operates as a Ransomware-as-a-Service (RaaS) model in which affiliates use shared tools and infrastructure to conduct attacks. The group has targeted organizations in the Americas, Europe, and the Middle East and maintains cross-platform capabilities covering Windows, Linux, and ESXi environments. Its attack sequences typically compress the period between initial access and full encryption to a matter of hours.
The file z1.bat, a 35-kilobyte batch script, represents the most operationally significant item. Designed for rapid execution immediately before ransomware deployment, it performs comprehensive preparation steps. These include stopping and disabling security vendor services from more than a dozen providers, including Sophos, Kaspersky, Trend Micro, McAfee, ESET, Webroot, AVG, Malwarebytes, Panda, and Quick Heal. It extends the same action to enterprise services, including over 30 Microsoft Exchange instances, Oracle databases, MySQL, multiple Tomcat versions, Veeam backups, and Hyper-V.
The script then deletes registry entries associated with security products from nearly 20 vendors and creates open SMB shares with full access on drives C through K. It installs Image File Execution Options debugger redirects on accessibility binaries (sethc.exe, utilman.exe, Magnify.exe, and HelpPane.exe) to launch cmd.exe, enables Remote Desktop Protocol while disabling Network Level Authentication and User Account Control, deletes all Volume Shadow Copies, clears Windows event logs, empties the Recycle Bin, and terminates processes with process identifiers of 1000 or higher.
Organizations should monitor endpoints for execution of tools such as PowerRun, mass changes to Windows Defender service states, batch-driven event log clearing with wevtutil, LSASS memory access patterns consistent with Mimikatz, modifications to Image File Execution Options on accessibility tools, WDigest registry alterations and bulk creation of network shares. Network monitoring should include blocking connections to 176.120.22.127 and watching for ngrok tunnel activity.
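As an added illustration of the monitoring advice above (this is example detection logic, not code from the Hunt.io or Red Sky Alliance analysis), the following script classifies process-creation command lines against the z1.bat preparation steps described earlier and flags hosts where several distinct steps appear together. The event format, host names, and sample events are constructed; the vendor and service tokens are assumptions for matching, not an exhaustive list.

```python
import re

# Detection rules for the pre-encryption preparation steps attributed to z1.bat above.
# Each rule is a (technique label, regex) pair applied to one process command line.
ACCESSIBILITY = r"(sethc|utilman|magnify|helppane)\.exe"
VENDORS = r"(sophos|kaspersky|trend|mcafee|eset|webroot|avg|malwarebytes|panda|quick ?heal|windefend)"
RULES = [
    ("ifeo_accessibility_debugger",
     re.compile(r"image file execution options\\" + ACCESSIBILITY + r".*\bdebugger\b", re.I)),
    ("event_log_clearing", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("open_smb_share", re.compile(r"\bnet(\.exe)?\s+share\s+\S+=[a-z]:\\.*grant:everyone,full", re.I)),
    ("rdp_nla_disabled", re.compile(r"rdp-tcp.*\buserauthentication\b.*\b0\b", re.I)),
    ("uac_disabled", re.compile(r"\benablelua\b.*\b0\b", re.I)),
    ("security_service_disabled",
     re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+\S*" + VENDORS, re.I)),
]

def classify(command_line):
    """Return the labels of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(records):
    """records: constructed 'timestamp|host|user|command_line' process-creation events."""
    hits = []
    for rec in records:
        ts, host, user, cmd = rec.split("|", 3)
        for name in classify(cmd):
            hits.append({"ts": ts, "host": host, "user": user, "technique": name})
    return hits

def staging_hosts(hits, min_techniques=3):
    """Hosts showing several distinct techniques: the batch-driven sequence, not one admin action."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["technique"])
    return sorted(host for host, techs in seen.items() if len(techs) >= min_techniques)

# Constructed sample events (not real telemetry); WS01 shows the staging pattern, WS02 is benign.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01|WS01|CORP\\svc|reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ /d cmd.exe /f",
    "2024-01-01T10:00:02|WS01|CORP\\svc|wevtutil.exe cl Security",
    "2024-01-01T10:00:03|WS01|CORP\\svc|vssadmin.exe delete shadows /all /quiet",
    "2024-01-01T10:00:04|WS01|CORP\\svc|net share c$=C:\\ /grant:everyone,full",
    "2024-01-01T10:00:05|WS01|CORP\\svc|reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f",
    "2024-01-01T10:00:06|WS02|CORP\\alice|wevtutil.exe qe Application /c:5",
    "2024-01-01T10:00:07|WS02|CORP\\alice|vssadmin.exe list shadows",
]
```

Individual hits are worth alerting on by themselves, but the per-host grouping is what separates the minutes-long z1.bat sequence from a lone administrative command.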
Recommended hardening steps include enabling security features such as Credential Guard, maintaining offline, immutable backups, activating endpoint tamper protection, auditing Group Policy Objects for unauthorized Defender modifications, and implementing application whitelisting in user-writable directories.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.cybersecurityintelligence.com/blog/russian-server-exposes-thegentlemen-ransomware-toolkit-9267.html