⚠️ THREAT ALERT: Closing Time
The “Closing Time” operation uses a multi‑stage exploit chain that begins with a spear‑phishing email carrying a Microsoft Office document with a malicious macro. The macro runs a PowerShell payload that deobfuscates a base64‑encoded Cobalt Strike beacon in memory; the beacon then performs a network reconnaissance sweep and injects a reflective DLL into the LSASS process, using the technique described in CVE‑2022‑30190 (the “Windows Print Spooler Remote Code Execution” vector), to harvest credential hashes. The payload then drops a signed DLL masquerading as a legitimate Windows Update component; the DLL abuses the newly disclosed CVE‑2023‑23397 (Windows Win32k Remote Code Execution) to gain SYSTEM privileges and writes the “Closing Time” ransomware binary to the %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup directory, establishing persistence via a scheduled task that triggers at system boot.
Once privileged execution is achieved, the ransomware enumerates all NTFS volumes, encrypts files with a custom AES‑256‑CBC routine using a per‑file random IV, and then encrypts each symmetric key with RSA‑2048 under the attacker’s public key embedded in the binary. The encryption routine has a known flaw: the IV is not authenticated, which makes it susceptible to an IV‑reuse attack that could enable selective decryption if the attacker’s private key is ever recovered. The ransom note, named “Closing_Time.txt”, is dropped in every directory and also posted to a hidden SharePoint site that the malware creates through the Microsoft Graph API, using the previously harvested OAuth tokens obtained through CVE‑2023‑21716 (Azure AD token forgery) to exfiltrate the encrypted key material for later decryption services.
Mitigation should begin with immediately restricting macro execution policies and deploying Office 365 Advanced Threat Protection to block known malicious macro signatures. Patching is critical: all endpoints must be updated for CVE‑2022‑30190, CVE‑2023‑23397 and CVE‑2023‑21716, and Microsoft should be urged to release an out‑of‑band update addressing the “Closing Time” ransomware’s DLL drop location. Network defenses must include outbound connection filtering to block Cobalt Strike beacon traffic, least‑privilege enforcement for service accounts, and segmentation of credential stores from user workstations. Endpoint Detection and Response (EDR) tooling should be tuned to alert on reflective DLL injection into LSASS, scheduled task creation in the “System” context, and anomalous file writes to the Startup folder. Backups must be verified for integrity and stored offline so that recovery is possible without paying the ransom.
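The three EDR tuning points above (handles to LSASS that carry injection rights, scheduled tasks created in the SYSTEM context, and new files in a Startup folder) map directly onto Sysmon and Windows Security event fields. The following is an added example, not code from the alert or from any vendor: it expresses each point as a rule over Sysmon Event ID 10 (ProcessAccess), Security Event ID 4698 (scheduled task created) and Sysmon Event ID 11 (FileCreate) records, and runs the rules over constructed sample events. The sample paths, task names and file names are made up for the example; the access‑mask bits and the LocalSystem SID S‑1‑5‑18 are standard Windows values.

```python
"""Added example: detection rules for the EDR tuning points in the alert, run over
constructed Sysmon / Windows Security events (JSON lines). Not real telemetry."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# PROCESS_* access rights that together let a caller write memory and start a
# thread in the target, i.e. the rights a reflective DLL injection needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

LOCAL_SYSTEM_SID = "S-1-5-18"          # well-known SID of LocalSystem
STARTUP_SUFFIX = "\\start menu\\programs\\startup\\"  # under %ProgramData% or a user profile


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_lsass_access(ev: dict) -> Optional[Alert]:
    """Sysmon EID 10: a handle to lsass.exe that includes write + thread-create rights."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & INJECT_MASK != INJECT_MASK:
        return None  # read-only handles (e.g. 0x1010) are not injection; out of scope here
    return Alert("lsass_injection_access",
                 f"{ev.get('SourceImage')} opened lsass.exe with 0x{granted:X}")


def check_system_task(ev: dict) -> Optional[Alert]:
    """Security EID 4698: the new task's principal is LocalSystem."""
    if ev.get("EventID") != 4698:
        return None
    xml = ev.get("TaskContent", "")
    if f"<UserId>{LOCAL_SYSTEM_SID}</UserId>" not in xml:
        return None
    trigger = "boot" if "<BootTrigger>" in xml else "other"
    return Alert("system_scheduled_task",
                 f"{ev.get('SubjectUserName')} created {ev.get('TaskName')} as SYSTEM, trigger={trigger}")


def check_startup_write(ev: dict) -> Optional[Alert]:
    """Sysmon EID 11: a file created inside a Startup folder."""
    if ev.get("EventID") != 11:
        return None
    path = ev.get("TargetFilename", "")
    if STARTUP_SUFFIX not in path.lower():
        return None
    return Alert("startup_folder_write", f"{ev.get('Image')} wrote {path}")


RULES = (check_lsass_access, check_system_task, check_startup_write)


def evaluate(events: Iterable[dict]) -> List[Alert]:
    """Run every rule over every event and return the alerts raised, in event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def load_events(jsonl: str) -> List[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


# Constructed sample events for this example (paths and names are invented).
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage2.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\ExampleAV\\sensor.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\WindowsUpdateCheck", "TaskContent": "<Task><Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals></Task>"}
{"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\OneDriveSync", "TaskContent": "<Task><Triggers><LogonTrigger/></Triggers><Principals><Principal><UserId>S-1-5-21-1-2-3-1001</UserId></Principal></Principals></Task>"}
{"EventID": 11, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage2.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc_update.exe"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\jdoe\\Documents\\report.docx"}
"""

if __name__ == "__main__":
    for a in evaluate(load_events(SAMPLE_EVENTS)):
        print(f"[{a.rule}] {a.detail}")
```

Running the block raises exactly three alerts: the full‑access handle to lsass.exe, the boot‑triggered task running as S‑1‑5‑18, and the executable written under %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup. The read‑only LSASS handle (0x1010), the user‑context task and the document write are ignored. In production the LSASS rule would carry an allowlist of the organisation's own security agents, and the 4698 rule would also look at Security EID 4702 (task updated), since an existing task can be re‑pointed to SYSTEM without a new creation event.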