NGC4020 Attacks: DameWare Mini Remote Control Vulnerability

Released on 2025-01-31 @ 09:54:59 AM

The Solar 4RAYS team investigated a cyberattack on an industrial company, uncovering that attackers exploited a vulnerability in DameWare Mini Remote Control to deliver malware and disable security protections. The NGC4020 group initially compromised systems in December 2022 using CVE-2019-3980. They deployed Java-based reverse shells, QuasarRAT, and custom malware to disable antivirus software. The attackers used a stolen expired code-signing certificate to load a malicious kernel driver. While they successfully disabled security controls, an error in task creation prevented further attack progression. The report provides technical details on the malware components and evasion techniques used.