Deep Dive into a Malicious Office Document: Uncovering the Intricacies of the XXMalware Campaign

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • Exploitation of Office macros as the initial delivery vector for the XXMalware campaign.
  • Use of remote PowerShell scripts for post-exploitation tasks.
  • Effective C2 server evasion through domain generation algorithms.

Executive Summary

In our recent investigation into the XXMalware campaign, we observed a sophisticated attack methodology centered on malicious Microsoft Office documents. The actor leveraged social engineering tactics to deliver these documents via phishing emails targeted at key personnel within an organization. Our analysis revealed a multi-stage infection process, incorporating initial access via Excel macros, followed by a series of command and control (C2) maneuvers designed to obscure their presence and maintain persistence within the environment.

Initial Access

The initial access stage commenced with the actor sending a well-crafted phishing email that contained a link to download a malicious Excel file. Upon opening the attachment, users were prompted to enable macros, a common tactic for gaining code execution. The macro code, which we identified as the first-stage payload, used VBA scripting to download additional components from the C2 server. Our investigation identified the file path `C:\Users\Public\Documents\malicious.xlsm` as the drop location for the malicious document.

Execution & Persistence

Execution was achieved through the abuse of Microsoft Excel’s macro functionality. The payload executed a PowerShell command in the background, invoking a remote script located at `http://malicious-server.com/installer.ps1`. The PowerShell script was responsible for downloading the next stage of the malware. For persistence, the actor employed a Registry Run key at `HKEY_CURRENT_USER\Software\Microsoft\Windows\Current\Run\XXMalware`, which ensured that the malware would execute upon user login. This mechanism is consistent with the **Registry Run Keys** technique in the MITRE ATT&CK framework.

Command and Control

Upon establishing a foothold, the implant initiated communication with the actor’s C2 infrastructure. We observed that the malware utilized a domain generation algorithm (DGA) to evade detection. Because the implant rotated through a steady stream of algorithmically generated domains, static blocklists and traditional detection tools struggled to identify and block the C2 traffic. We recorded several domains, such as `example1.com` and `example2.com`, illustrating the actor’s operational security measures. The C2 communication was further obfuscated via TLS, allowing the actor to exfiltrate data without raising immediate alarms.
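One way a defender can surface the DGA behaviour described above is to look for hosts whose NXDOMAIN answers are dominated by random-looking names. The following Python example is added here and is not from the report; the DNS log format, the sample domains and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report), one query per line:
# "<epoch> <src_ip> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 www.microsoft.com NOERROR
1700000002 10.0.0.5 qzkx7r2mvbtp.com NXDOMAIN
1700000003 10.0.0.5 lp9wd3xhjtq2.net NXDOMAIN
1700000004 10.0.0.5 xr4tbnq8zwkf.com NXDOMAIN
1700000005 10.0.0.5 v6jmk2tpqxrd.info NXDOMAIN
1700000006 10.0.0.5 8hf3tzqpwkmn.com NOERROR
1700000007 10.0.0.9 mail.google.com NOERROR
1700000008 10.0.0.9 updates.adobe.com NOERROR
1700000009 10.0.0.9 example1.com NOERROR
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\w+)$")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def lexical_score(qname: str) -> float:
    """Heuristic DGA-likeness of the registrable label (second-level label).
    Random-looking labels have high entropy, mixed-in digits and few vowels."""
    labels = qname.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    digits = sum(c.isdigit() for c in label) / len(label)
    vowels = sum(c in "aeiou" for c in label) / len(label)
    return shannon_entropy(label) + 2 * digits + (1 - vowels)

def flag_dga_hosts(log_text: str, min_nx: int = 3, min_score: float = 4.0) -> dict:
    """Return {src_ip: [suspicious qnames]} for hosts with at least min_nx
    NXDOMAIN answers for random-looking names, the footprint a DGA leaves."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines
        _, src, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and lexical_score(qname) >= min_score:
            hits[src].append(qname)
    return {src: names for src, names in hits.items() if len(names) >= min_nx}
```

Tune `min_nx` and `min_score` against a baseline of the environment's own resolver logs; the NXDOMAIN condition is what keeps legitimate high-entropy CDN names out of the result.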

Lateral Movement & Discovery

Following successful execution and the establishment of persistence, the malware initiated lateral movement within the network. Our analysis revealed that the actor leveraged **Windows Management Instrumentation (WMI)** to conduct reconnaissance and identify targets for lateral movement. This was particularly evident when we discovered the use of the command `WMIC /node:

Source: Original Report