UNC2447

UNC2447 is a financially motivated threat group / uncategorized cluster tracked by Mandiant and linked across intrusions by shared SOMBRAT and Cobalt Strike BEACON infrastructure observed in five intrusions between November 2020 and February 2021. Mandiant reported the group exploited the SonicWall SMA 100 series zero-day CVE-2021-20016 prior to patching and deployed the SOMBRAT backdoor in intrusions that culminated in FIVEHANDS ransomware extortion. Mandiant also observed evidence of UNC2447-affiliated actors previously using RAGNARLOCKER ransomware, and noted suspected overlap between HELLOKITTY and FIVEHANDS affiliate activity, while cautioning that not all SOMBRAT or FIVEHANDS incidents necessarily map to UNC2447 due to tool sharing and affiliate program dynamics. The group has been observed targeting organizations in Europe and North America. Observed tradecraft includes use of WARPRISM, a PowerShell dropper that loads payloads directly into memory; Cobalt Strike BEACON HTTPSSTAGER for persistence and HTTPS C2; and SOMBRAT, a 64-bit Windows backdoor with plugin-based architecture that communicates with configurable C2 over DNS, TLS-encrypted TCP, and potentially WebSockets. Mandiant described a hardened SOMBRAT variant with stripped compiler metadata, XOR-encoded inlined strings, and launcher/resource files typically installed under C:\ProgramData\Microsoft. UNC2447 has also been observed using ADFIND, BLOODHOUND, MIMIKATZ, PCHUNTER, RCLONE, ROUTERSCAN, S3BROWSER, ZAP, and 7ZIP during reconnaissance and exfiltration, and may tamper with Windows security settings, firewall rules, and antivirus protection. FOXGRABBER, a utility for harvesting Firefox credential files, was also associated with this activity. Mandiant reported UNC2447 monetized intrusions through FIVEHANDS ransomware and additional pressure tactics including threats of media exposure and offering stolen data for sale on hacker forums. Cisco later assessed with moderate-to-high confidence that its May 2022 intrusion was conducted by an initial access broker with ties to UNC2447, Lapsus$, and Yanluowang ransomware operators. In that incident, the actor used vishing and MFA fatigue to obtain VPN access, then deployed tools including LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, created persistence, dumped credentials, moved laterally, and exfiltrated limited data; Cisco stated no ransomware was deployed. Cisco also described UNC2447 as having a nexus to Russia and being known for ransomware and double extortion. Known aliases directly provided in the content are limited to UNC2447.