Data exfiltration via Rclone


Attack technique

Technique name: Exfiltration Over Web Service: Rclone Tool

MITRE ATT&CK

  • Tactic: Exfiltration
  • Technique: Exfiltration Over Web Service

Technique description
Rclone is an open-source command-line program for synchronizing files between a local machine and cloud storage services such as Google Drive, Dropbox, Amazon S3 and MEGA. It supports a large number of storage backends and multi-threaded transfers, which makes it convenient for managing and migrating content between clouds. The same properties make it attractive to attackers: the tool has been associated with Ransomware-as-a-Service operations, whose affiliates use it to exfiltrate sensitive data from compromised networks.

Insights from threat intelligence
In recent years rclone has become one of the most widely used tools for stealing data during ransomware intrusions. It has been observed in use by a range of operations, including LockBit as well as older groups such as Conti and DarkSide. One notable instance occurred in May 2021, when DarkSide operators used rclone to transfer approximately 100 GB of data exfiltrated from Colonial Pipeline, a major fuel pipeline operator in the United States, to infrastructure under their control.

Seen in the wild since: 2020


Threat hunting theses breakdown

Thesis 1: High volume of outbound traffic using Rclone


Relevant data sources

  • Proxy Logs


Thesis explanation
Detects potentially unauthorized exfiltration of sensitive data from a compromised network by identifying a high volume of outbound HTTP/HTTPS traffic (more than 10 MB over a 1-hour interval) whose User-Agent header identifies the Rclone tool. Rclone sets its User-Agent to "rclone/<version>" by default, so proxy logs alone can attribute the traffic to the tool without endpoint telemetry.


Blind spots

  • rclone executions where the --user-agent flag is used to replace the default User-Agent header. Based on public reporting (blog posts, incident reports etc.) this flag is not commonly used by threat actors.
  • Use of rclone over protocols that do not traverse the web proxy, such as FTP or SFTP (uncommon in observed intrusions).


Recommended investigation flow

  • Review the outbound connections: the destination FQDN, the hosting provider and the total size of the transfer.
  • Review the destination hosting provider. Does the organization normally use this provider?
  • Review the user behind the activity. Is the activity consistent with their job role?
  • Review the initiating process. Correlate the source IP and time window with EDR or Windows event logs to determine which process generated the traffic. It will most likely be Rclone, but the command line can give additional leads for the investigation:
    • Is the binary a renamed copy of Rclone (i.e. the file name is not rclone or rclone.exe)?
    • Has the configuration used in the command line (the --config file or the named remote) been used by the organization before?
    • Does the command line include flags commonly associated with threat actor usage?
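The following is an added example of the Thesis 1 logic run over constructed proxy records; it is not code from the original page or from the Hunters content. The log format (timestamp, source IP, user, destination host, method, bytes out, User-Agent) and the sample lines are assumptions made for the example; the rclone/<version> User-Agent match and the 10 MB per 1-hour threshold follow the thesis text.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# rclone's default User-Agent header is "rclone/<version>", e.g. "rclone/v1.62.2".
# An operator who passes --user-agent replaces this string, which is the blind spot
# noted in the thesis: such traffic is silently skipped below.
RCLONE_UA = re.compile(r"^rclone/v?\d+\.\d+(\.\d+)?\b")
THRESHOLD_BYTES = 10 * 1024 * 1024  # 10 MB per source per 1-hour bucket, as in the thesis

# Constructed sample proxy records, not real traffic. Assumed field order:
# timestamp src_ip user dst_host method bytes_out user_agent (the UA may contain spaces)
SAMPLE_PROXY_LOGS = [
    "2024-03-04T09:12:01Z 10.0.5.23 jdoe api.mega.co.nz PUT 6291456 rclone/v1.62.2",
    "2024-03-04T09:30:44Z 10.0.9.4 mlee drive.google.com PUT 52428800 Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-03-04T09:40:17Z 10.0.5.23 jdoe api.mega.co.nz PUT 4194304 rclone/v1.62.2",
    "2024-03-04T09:58:59Z 10.0.5.23 jdoe api.mega.co.nz PUT 2097152 rclone/v1.62.2",
    "2024-03-04T10:05:10Z 10.0.7.9 asmith s3.amazonaws.com PUT 3145728 rclone/v1.65.0",
    "2024-03-04T10:20:33Z 10.0.5.23 jdoe api.mega.co.nz PUT 1048576 rclone/v1.62.2",
]


def is_rclone_user_agent(ua: str) -> bool:
    """True for rclone's default User-Agent; False once --user-agent has replaced it."""
    return RCLONE_UA.match(ua.strip()) is not None


def parse_proxy_line(line: str) -> dict:
    """Split one constructed proxy record; the User-Agent is everything after the byte count."""
    ts, src_ip, user, dst_host, method, bytes_out, ua = line.split(None, 6)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "when": when,
        "src_ip": src_ip,
        "user": user,
        "dst_host": dst_host,
        "method": method,
        "bytes_out": int(bytes_out),
        "user_agent": ua,
    }


def find_exfil_candidates(lines, threshold=THRESHOLD_BYTES):
    """Sum rclone-tagged outbound bytes per (src_ip, user) in fixed 1-hour buckets.

    Returns one record per bucket that crosses the threshold. Fixed buckets are
    simple, but a transfer straddling the hour boundary is split across two of
    them; a sliding window catches that case at the cost of more bookkeeping.
    """
    totals = defaultdict(int)
    hosts = defaultdict(set)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_proxy_line(line)
        if not is_rclone_user_agent(rec["user_agent"]):
            continue  # browser uploads and masqueraded User-Agents fall out here
        bucket = rec["when"].replace(minute=0, second=0, microsecond=0)
        key = (rec["src_ip"], rec["user"], bucket)
        totals[key] += rec["bytes_out"]
        hosts[key].add(rec["dst_host"])
        agents[key].add(rec["user_agent"])
    hits = []
    for key, total in sorted(totals.items()):
        if total > threshold:
            src_ip, user, bucket = key
            hits.append({
                "src_ip": src_ip,
                "user": user,
                "window_start": bucket.isoformat(),
                "bytes_out": total,
                "dst_hosts": sorted(hosts[key]),
                "user_agents": sorted(agents[key]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_PROXY_LOGS):
        print(hit)
```

Only jdoe's three uploads to api.mega.co.nz in the 09:00 bucket (12,582,912 bytes) cross the threshold. The 50 MB browser upload by mlee is ignored because its User-Agent is not rclone's, which is exactly how a --user-agent masquerade would evade this thesis; the hits carry the destination hosts and versions so the investigation flow above can start from them.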


Thesis 2: Rclone tool characteristic behaviour


Relevant data sources

  • EDR Process Creation


Thesis explanation

Detects executions of Rclone by its original file name (rclone.exe on Windows, rclone on Unix-like systems); use of the unmodified binary name has been seen in the wild and is common. Alternatively, detects renamed copies of Rclone by the combination of Rclone-specific, commonly abused flags and data transfer subcommands (such as copy, sync or move) in the command line.


Blind spots

  • Renamed copies of Rclone executed without the commonly abused flags in the command line (the command line then looks like any generic copy command)


Recommended investigation flow

  • Does the command line reference a remote destination?
    Note: Rclone can also sync between local paths. A remote is written as remote:path (a Windows drive letter such as C:\ is a local path, not a remote), so a command line with only local paths is more likely a local sync than exfiltration to a remote.
  • Is the binary a renamed copy of Rclone (i.e. the file name is not rclone or rclone.exe)?
  • Has the configuration used in the command line been used by the organization before?
  • Does the command line include flags commonly associated with threat actor usage?
  • Review the command line history from the same CLI session.
  • Review the user's role and responsibilities. Is the use of a tool like Rclone plausible for that role?
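The following is an added example of the Thesis 2 logic applied to constructed EDR process-creation events; it is not code from the original page or from the Hunters content. The subcommands and flags listed are real rclone options, but the choice of which ones count as "commonly abused", the two-flag threshold for a renamed binary, and the sample events are assumptions made for this example and should be tuned to what is normal in the environment. It also implements the local-sync caveat from the investigation flow above, including the Windows drive letter case.

```python
import re
import shlex

RCLONE_NAMES = {"rclone", "rclone.exe"}
# Real rclone subcommands that move data; counting only these is an assumption.
TRANSFER_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
# Real rclone flags. Treating this set as "commonly abused" is this example's
# assumption; tune it to what legitimate rclone usage in your environment looks like.
SUSPICIOUS_FLAGS = {
    "--config", "--transfers", "--multi-thread-streams", "--ignore-existing",
    "--auto-confirm", "--no-check-certificate", "--max-age", "--bwlimit",
    "--progress", "-P", "-q",
}
MIN_SUSPICIOUS_FLAGS = 2  # threshold for flagging a renamed binary; an assumption

# rclone addresses a configured remote as "name:path" and an on-the-fly backend as
# ":backend:path". A single letter followed by ":\" or ":/" is a Windows drive, i.e. local.
REMOTE_RE = re.compile(r"^(:[\w-]+:|[\w.\-]+:)")
WINDOWS_DRIVE_RE = re.compile(r"^[A-Za-z]:(?:[\\/]|$)")

# Constructed sample events (image path, command line), not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Users\Public\rclone.exe",
     r'rclone.exe copy "C:\Users\jdoe\Documents" mega:backup --transfers 32 --progress'),
    (r"C:\ProgramData\svchost.exe",
     r'svchost.exe copy --config C:\ProgramData\r.conf "D:\Finance" remote:dump '
     r"--transfers 16 --multi-thread-streams 4 --ignore-existing -q --auto-confirm"),
    ("/usr/bin/rclone", "rclone sync /srv/www /mnt/backup/www"),
    (r"C:\Windows\System32\robocopy.exe", r"robocopy.exe D:\data E:\backup /MIR"),
]


def is_remote_target(token: str) -> bool:
    """True for rclone remote syntax; Windows drive paths like C:\\dir are local."""
    if WINDOWS_DRIVE_RE.match(token):
        return False
    return REMOTE_RE.match(token) is not None


def tokenize(cmdline: str) -> list:
    """Split a command line. posix=False keeps Windows backslashes literal; quotes are stripped after."""
    return [t.strip("\"'") for t in shlex.split(cmdline, posix=False)]


def classify_process(image: str, cmdline: str) -> dict:
    """Apply both halves of the thesis: name-based match, then renamed-binary heuristic."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = tokenize(cmdline)[1:]  # drop argv[0]
    # "--transfers=32" and "--transfers 32" both normalize to "--transfers".
    flags = sorted({t.split("=", 1)[0] for t in args if t.startswith("-")} & SUSPICIOUS_FLAGS)
    subcommands = [t for t in args if t in TRANSFER_SUBCOMMANDS]
    remotes = [t for t in args if not t.startswith("-") and is_remote_target(t)]
    by_name = name in RCLONE_NAMES
    renamed = (not by_name) and bool(subcommands) and len(flags) >= MIN_SUSPICIOUS_FLAGS
    if by_name:
        # Known rclone with no remote target is more likely a local sync (see the note above).
        verdict = "rclone_by_name" if remotes else "rclone_by_name_local_only"
    elif renamed:
        verdict = "renamed_rclone_suspect"
    else:
        verdict = "no_match"
    return {
        "process_name": name,
        "subcommands": subcommands,
        "suspicious_flags": flags,
        "remote_targets": remotes,
        "verdict": verdict,
    }


def classify_all(events) -> list:
    return [classify_process(image, cmdline) for image, cmdline in events]


if __name__ == "__main__":
    for result in classify_all(SAMPLE_EVENTS):
        print(result["verdict"], result["process_name"], result["remote_targets"], result["suspicious_flags"])
```

The svchost.exe event is the interesting one: the process name says nothing, but a copy subcommand combined with --config, --transfers, --multi-thread-streams, --ignore-existing, -q and --auto-confirm, plus a remote:dump target, is the shape of the renamed-binary case. A renamed copy run as plain `x.exe copy D:\Finance remote:dump` would score zero flags and fall into the blind spot listed above; the analyst then has only the remote:path token to go on.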



Hunting queries

https://gist.github.com/axon-git/58e13cd27f9623425cb6a1875a6d86a9



Hunters content

  • Suspected Data Exfiltration Using Rclone
  • Execution of Rclone Tool Characteristics