UNC2447

Description

(FireEye) Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT. Mandiant has linked the use of SOMBRAT to the deployment of ransomware, which has not been previously reported publicly.

UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums. UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics.

Names

Name      Name-Giver
UNC2447   FireEye

Country

Motivation

  • Financial gain

First Seen

2020

Observed Countries

Tools

Information

Other Information

Uuid

ccffbbd0-8a98-4c6d-a384-1fe9a7e822f3

Last Card Change

2021-05-15