Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- This analysis details a multi-step attack leveraging phishing emails to gain initial access.
- The malware employed in this attack showcased advanced persistence mechanisms through registry modifications.
- Command and control communication utilized a blend of HTTP and DNS tunneling to evade detection.
Executive Summary
This investigation centers on a sophisticated attack we traced back to a well-crafted phishing campaign that successfully bypassed multiple security layers. On examining the malware employed, we determined it utilizes various tactics to ensure access to compromised systems, maintain persistence, and facilitate lateral movement within the network. The overall method illustrates a clear understanding of the target environment’s defensive posture, indicating a highly motivated threat actor.
Initial Access
Our analysis revealed that the initial access vector was a targeted phishing email sent to a specific set of employees within the organization. The email appeared to be from a well-known supplier, containing a malicious link leading to a credential harvesting site. We noted the use of the Office 365 credential phishing tactic, which has become increasingly common due to the rise of cloud-based services. The phishing site was hosted on a compromised server and was designed to closely mimic legitimate login pages to deceive users into entering their credentials.
Execution & Persistence
Once the credentials were obtained, the actor accessed the organization’s Office 365 environment and deployed a dropper executable, which we identified as AgentTesla. This backdoor is known for its ability to capture keystrokes and exfiltrate sensitive data. Our investigation showed that the dropper executed a series of commands that modified registry keys at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to establish persistence. Specifically, a new entry was created to ensure that the dropper would execute upon the next user logon.
Command and Control
Following successful installation, we observed immediate attempts to establish a command and control (C2) connection. This was accomplished via HTTP requests to an external IP address, which had been registered mere days prior to the attack. The C2 infrastructure included multiple domains that implemented DNS tunneling to exfiltrate data stealthily. During our traffic analysis, we noticed that the malware attempted to obfuscate its communications by encoding HTTP requests and responses. This layering added an extra hurdle for security teams monitoring for suspicious traffic.
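One defender-side check for the DNS-tunneling pattern described above, as an added example that is not part of the original report: it scores subdomain labels by length and Shannon entropy and flags registered domains that accumulate several such labels. The query log is constructed, and the thresholds and the two-label "registered domain" shortcut are assumptions to tune per environment.

```python
"""Heuristic for the DNS-tunneling C2 pattern described above: many distinct,
long, high-entropy subdomain labels under one registered domain.
Added example; the queries below are constructed, not from the incident."""
import math
from collections import defaultdict

# Constructed (client, queried name) pairs; .test is a reserved TLD.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example-supplier.test"),
    ("10.0.0.5", "mail.example-supplier.test"),
    ("10.0.0.7", "a8f3k2j9s0d1f4g7h2j5k8l1.cdn-update.test"),
    ("10.0.0.7", "q1w2e3r4t5y6u7i8o9p0a1s2.cdn-update.test"),
    ("10.0.0.7", "z9x8c7v6b5n4m3l2k1j0h9g8.cdn-update.test"),
    ("10.0.0.7", "p0o9i8u7y6t5r4e3w2q1a2s3.cdn-update.test"),
    ("10.0.0.9", "login.microsoftonline.com"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data chunks score far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    """Last two labels; production code should use a public-suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def detect_dns_tunneling(queries, min_label=20, min_entropy=3.5, min_unique=3):
    """Return {domain: reason} for domains carrying at least `min_unique`
    distinct subdomain labels that are both long and high-entropy."""
    suspicious = defaultdict(set)
    for _client, name in queries:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label available to carry data
        for label in labels[:-2]:
            if len(label) >= min_label and shannon_entropy(label) >= min_entropy:
                suspicious[registered_domain(name)].add(label)
    return {d: f"{len(ls)} long high-entropy labels"
            for d, ls in suspicious.items() if len(ls) >= min_unique}

if __name__ == "__main__":
    for domain, reason in detect_dns_tunneling(SAMPLE_QUERIES).items():
        print(f"ALERT dns-tunnel-like: {domain} ({reason})")
```

Counting distinct labels per domain rather than alerting on single queries keeps CDN and telemetry hostnames with one long label from tripping the rule.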
Lateral Movement & Discovery
After establishing persistent access, the actor initiated lateral movement to escalate privileges and gather further intelligence within the network. This process involved leveraging Windows Management Instrumentation (WMI) to query machines on the local subnet for user credentials, followed by attempts to access administrative shares. Additionally, the actor used Pass-the-Hash techniques with the extracted credentials to facilitate this movement. Notably, we observed unusual logon attempts against domain controllers, indicating that the actor was attempting to gain access to higher-value assets.
Impact & Objectives
Ultimately, the objective of the attack appeared to center around data exfiltration, specifically targeting sensitive intellectual property and client data. During the analysis, we uncovered that the actor had systematically downloaded sensitive files that were subsequently transmitted over the C2 channels. Our review of the exfiltrated files indicated a loss of proprietary data, which may severely impact the organization’s competitive edge and client trust. Moreover, the malicious implant had the potential to cause further damage by deploying additional payloads that could lead to ransomware deployment or extensive network disruption.
MITRE ATT&CK Mapping
- T1566 – Phishing: Malicious emails crafted to deceive recipients into providing credentials.
- T1071.001 – Application Layer Protocol: Web Protocols: Use of HTTP and DNS for command and control communication.
- T1059.001 – Command-Line Interface: Windows Command Shell: Use of command-line scripting for execution and lateral movement.
- T1021.001 – Remote Services: Remote Desktop Protocol: Attempted connection to domain controllers for privilege escalation.
Detection Opportunities
- Monitor for unusual user-agents or referrers in HTTP traffic that do not match established patterns.
- Implement behavioral analytics to identify anomalous registry changes, especially to persistence keys.
- Utilize threat intelligence to block known malicious IP addresses and domains associated with credential harvesting.
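The second detection opportunity above, applied to the Run-key persistence described in the Execution & Persistence section, as an added example that is not part of the original report: it inspects Sysmon-style Event ID 13 (RegistryEvent SetValue) records and alerts on autostart values written by a process outside an allow-list or pointing at a user-writable path. The event records, the allow-list and the path patterns are constructed assumptions.

```python
"""Detect the Run-key persistence described above: value writes under the
CurrentVersion\\Run keys by an unexpected process or pointing at a user-writable
path. Added example; records are constructed in a Sysmon Event ID 13 shape."""
import re

# User and machine Run/RunOnce autostart keys, including the WOW64 view.
RUN_KEY_RE = re.compile(
    r"^(HKU\\[^\\]+|HKCU|HKLM)\\Software\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)
# Processes expected to write autostart values; tune per environment.
KNOWN_WRITERS = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\jdoe\AppData\Local\Temp\invoice_2024.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc",
     "Details": r"C:\Users\jdoe\AppData\Roaming\svchost.exe"},
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Details": ""},
]

def detect_run_key_persistence(events):
    """Return one alert dict per suspicious autostart value write."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue  # only SetValue events carry the autostart command line
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.match(target):
            continue
        reasons = []
        if ev.get("Image", "").lower() not in KNOWN_WRITERS:
            reasons.append("writer not in allow-list")
        if any(p in ev.get("Details", "").lower() for p in USER_WRITABLE):
            reasons.append("autostart target in user-writable path")
        if reasons:
            alerts.append({"value": target.rsplit("\\", 1)[-1], "image": ev["Image"],
                           "command": ev["Details"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect_run_key_persistence(SAMPLE_EVENTS):
        print(f"ALERT run-key persistence: {a['value']} -> {a['command']} ({'; '.join(a['reasons'])})")
```

Sysmon records the user hive as HKU\<SID>\... rather than HKCU, which is why the pattern accepts both forms.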
Analyst Notes
This incident underscores the critical need for multifaceted security strategies that encompass user training, robust email filtering solutions, and proactive monitoring of network traffic. Organizations should regularly conduct phishing simulations to better prepare employees against such attacks and foster a culture of security awareness. Additionally, strengthening endpoint detection and response capabilities will play a pivotal role in mitigating future risks associated with similar attacks.