In-Depth Analysis of the Sentry Malware Campaign: Unpacking the Attack Chain

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • The Sentry malware utilizes sophisticated social engineering tactics for initial access.
  • Command and Control (C2) infrastructure shows resilience with frequent IP rotation.
  • Persistence mechanisms employed include registry modifications and scheduled tasks.

Executive Summary

During our investigation of the Sentry malware campaign, we observed a well-coordinated attack chain characterized by multi-faceted tactics aimed at infiltrating organizations in the financial sector. This report documents the entire attack lifecycle from initial access to impact, providing insights into the malware’s capabilities and indicators of compromise (IOCs).

Initial Access

Our analysis revealed that the initial access vector for Sentry was phishing email crafted with social engineering techniques to impersonate a trusted source. The emails carried a malicious attachment, typically a .zip archive, which when extracted yielded an executable named Invoice_Payment.exe. The actor combined spoofed sender addresses with invoicing-themed subject lines to increase the success rate of the phishing attempt. Once executed, this dropper downloaded additional payloads from a remote server.

Execution & Persistence

After successful execution, the Sentry malware deployed itself on the system through Windows Management Instrumentation (WMI) and established persistence by creating registry entries. Specifically, we noted entries under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that executed the malware on startup. Additionally, Sentry registered a scheduled task named ‘SystemMaintenance’ in the Task Scheduler with a trigger to run at boot, ensuring it maintained a foothold across system reboots.
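The two persistence artifacts described above (a Run-key value and a boot-triggered scheduled task) are both cheap to hunt for in endpoint telemetry. The following is an added example, not code from the original report: the event records are constructed in a simplified Sysmon/Security-log shape, the paths and SID are invented, and the rules flag exactly the combination Sentry used, a Run value or task pointing at a user-writable directory.

```python
"""Hunt for Run-key persistence and boot-triggered scheduled tasks.
Event records are constructed for this example (simplified Sysmon / Security log
shape), not an export from a real host."""
import re
from typing import Dict, List, Optional

# Sysmon EventID 13 = registry value set. Sysmon records the user hive as HKU\<SID>,
# which is how HKEY_CURRENT_USER appears in logs. Security EventID 4698 = task created.
EVENTS: List[Dict[str, str]] = [
    {"event_id": "13",
     "image": r"C:\Users\alice\AppData\Local\Temp\Invoice_Payment.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Sentry",
     "details": r"C:\Users\alice\AppData\Roaming\svc\Invoice_Payment.exe"},
    {"event_id": "13",
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Vendor\Settings\Version",
     "details": "2.1"},
    {"event_id": "4698",
     "task_name": r"\SystemMaintenance",
     "trigger": "BootTrigger",
     "command": r"C:\Users\alice\AppData\Roaming\svc\Invoice_Payment.exe"},
    {"event_id": "4698",
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "trigger": "CalendarTrigger",
     "command": r"%windir%\system32\defrag.exe"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Directories a standard user can write to; autostart entries pointing here deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)


def flag_run_key(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for any value written under a ...\\CurrentVersion\\Run key."""
    if ev.get("event_id") != "13" or not RUN_KEY.search(ev.get("target", "")):
        return None
    severity = "high" if USER_WRITABLE.search(ev.get("details", "")) else "medium"
    return {"rule": "run_key_persistence", "severity": severity,
            "key": ev["target"], "value": ev.get("details", ""), "writer": ev.get("image", "")}


def flag_boot_task(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a new task that runs at boot or launches from a user-writable path."""
    if ev.get("event_id") != "4698":
        return None
    at_boot = ev.get("trigger") == "BootTrigger"
    odd_path = bool(USER_WRITABLE.search(ev.get("command", "")))
    if not (at_boot or odd_path):
        return None
    severity = "high" if (at_boot and odd_path) else "medium"
    return {"rule": "boot_scheduled_task", "severity": severity,
            "task_name": ev.get("task_name", ""), "command": ev.get("command", "")}


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every check over every event and collect findings in log order."""
    findings = []
    for ev in events:
        for check in (flag_run_key, flag_boot_task):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The vendor installer's registry write and the built-in defrag task fall through both rules, so the output is just the two Sentry artifacts. In production the same two checks run as a SIEM query over Sysmon 13 and Security 4698, and a baseline of legitimate Run values per host keeps the "medium" findings manageable.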

Command and Control

The Sentry malware employed a robust C2 framework that used a combination of HTTP and HTTPS for communication. Our investigation identified several callback URLs that resolved through a dynamic DNS service, allowing the actor to change infrastructure frequently. The payload beaconed every 30 minutes, reporting system environment details and polling for further commands. Analysis of network traffic confirmed that the malware encrypted these communications to evade detection.

Lateral Movement & Discovery

Once Sentry was established in the network, it sought to propagate laterally over Windows admin shares. Using credentials captured by its keystroke-logging component, the implant executed remote commands on other machines in the network, specifically targeting systems with administrative privileges. We discovered traces of net use commands with which the malware connected to shares on other hosts. Discovery tactics included querying the Active Directory structure to identify other high-value targets for follow-on attacks.
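The admin-share activity above leaves a distinctive footprint in the Windows Security log: one source address touching ADMIN$ or C$ on host after host in a short window, while a legitimate administrator or backup account usually works against one host at a time. The following is an added example, not code from the original report; the Event ID 5140 records are constructed, with trimmed fields, invented hostnames and addresses, and the threshold and window are assumptions to tune per environment.

```python
"""Flag a single source fanning out to administrative shares on many hosts.
Records are constructed for this example (trimmed Event ID 5140 shape), not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Event 5140: a network share object was accessed. Only the fields the check needs are kept.
SHARE_EVENTS: List[Dict[str, str]] = [
    {"time": "2024-03-04T10:02:11Z", "computer": "FIN-WS02", "user": r"CORP\alice",
     "src_ip": "10.1.4.23", "share": r"\\*\ADMIN$"},
    {"time": "2024-03-04T10:04:35Z", "computer": "FIN-WS05", "user": r"CORP\alice",
     "src_ip": "10.1.4.23", "share": r"\\*\C$"},
    {"time": "2024-03-04T10:09:02Z", "computer": "FIN-SRV01", "user": r"CORP\alice",
     "src_ip": "10.1.4.23", "share": r"\\*\ADMIN$"},
    {"time": "2024-03-04T10:15:48Z", "computer": "FIN-WS09", "user": r"CORP\alice",
     "src_ip": "10.1.4.23", "share": r"\\*\ADMIN$"},
    # A backup account touching one server's C$ is normal and must not fire.
    {"time": "2024-03-04T10:20:00Z", "computer": "FIN-SRV01", "user": r"CORP\svc_backup",
     "src_ip": "10.1.4.50", "share": r"\\*\C$"},
    # A user share is not an admin share and is ignored entirely.
    {"time": "2024-03-04T10:21:13Z", "computer": "FILESRV", "user": r"CORP\bob",
     "src_ip": "10.1.4.31", "share": r"\\*\Public"},
    {"time": "2024-03-04T11:30:00Z", "computer": "FIN-WS02", "user": r"CORP\svc_backup",
     "src_ip": "10.1.4.50", "share": r"\\*\C$"},
]

# IPC$ is deliberately left out: almost every SMB session touches it and it would drown the signal.
ADMIN_SHARES = {"ADMIN$", "C$"}


def share_name(raw: str) -> str:
    """'\\\\*\\ADMIN$' -> 'ADMIN$'."""
    return raw.rsplit("\\", 1)[-1].upper()


def admin_share_fanout(events: List[Dict[str, str]], threshold: int = 3,
                       window: timedelta = timedelta(hours=1)) -> List[Dict[str, object]]:
    """Report (source IP, user) pairs that reach admin shares on >= threshold distinct
    hosts inside any sliding window of the given length."""
    by_src: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if share_name(ev["share"]) in ADMIN_SHARES:
            key = (ev["src_ip"], ev["user"])
            by_src[key].append((datetime.strptime(ev["time"], FMT), ev["computer"]))

    findings: List[Dict[str, object]] = []
    for (src_ip, user), hits in by_src.items():
        hits.sort()
        for i, (start, _host) in enumerate(hits):
            hosts = {host for t, host in hits[i:] if t - start <= window}
            if len(hosts) >= threshold:
                findings.append({"src_ip": src_ip, "user": user,
                                 "hosts": sorted(hosts), "window_start": start.strftime(FMT)})
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in admin_share_fanout(SHARE_EVENTS):
        print(finding)
```

Only the workstation at 10.1.4.23 fires, having reached four hosts in under fifteen minutes. Known jump hosts, patch-management servers and backup accounts belong on an allow-list rather than in the threshold, and a hit is worth correlating with the matching 4624 type-3 logons and any 4688 process creations on the target hosts.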

Impact & Objectives

The actor’s primary objective appeared to be data exfiltration and credential harvesting, particularly targeting sensitive financial data. Our analysis of the network traffic indicated substantial data being transmitted back to the C2 infrastructure, including spreadsheets, user credentials, and emails. Furthermore, we identified attempts to deploy secondary payloads designed to escalate privileges within the environment, revealing a long-term interest in establishing a persistent presence.

MITRE ATT&CK Mapping

  • T1566 – Phishing: Initial access accomplished through crafted phishing emails.
  • T1003 – Credential Dumping: Utilized keystroke logging to harvest credentials.
  • T1071 – Application Layer Protocol: Encrypted C2 traffic using HTTP/HTTPS.
  • T1021 – Remote Services: Leveraged Windows Admin Shares for lateral movement.

Detection Opportunities

  • Monitor for unusual registry keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  • Employ network traffic analysis to detect patterns consistent with C2 communications.
  • Analyze email metadata for signs of spoofing and common phishing indicators.
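The "patterns consistent with C2 communications" called out in the detection list, and the fixed 30-minute beacon described in the Command and Control section, come down to one measurable property: a client talking to the same host at intervals with almost no jitter. The following is an added example, not code from the original report. The proxy log lines are constructed (hostnames use the reserved .test TLD), and the jitter threshold and minimum sample count are assumptions; the check is agnostic to whether the traffic is HTTP or HTTPS because it uses timing only, which is what makes it useful against encrypted C2.

```python
"""Surface periodic outbound connections in proxy logs.
Log lines are constructed for this example, not captured traffic."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev
from typing import Dict, List, Tuple

# Fields: timestamp, client IP, destination host, bytes sent.
LOG_LINES = """\
2024-03-04T08:00:12Z 10.1.4.23 update.example-dyndns.test 512
2024-03-04T08:05:40Z 10.1.4.23 cdn.vendor.test 20480
2024-03-04T08:30:09Z 10.1.4.23 update.example-dyndns.test 498
2024-03-04T08:47:21Z 10.1.4.23 cdn.vendor.test 1024
2024-03-04T09:00:14Z 10.1.4.23 update.example-dyndns.test 530
2024-03-04T09:30:11Z 10.1.4.23 update.example-dyndns.test 501
2024-03-04T09:31:02Z 10.1.4.23 cdn.vendor.test 8192
2024-03-04T10:00:13Z 10.1.4.23 update.example-dyndns.test 515
2024-03-04T10:30:10Z 10.1.4.23 update.example-dyndns.test 507
2024-03-04T11:15:44Z 10.1.4.23 cdn.vendor.test 4096
"""

MIN_INTERVALS = 3   # need at least this many gaps before judging regularity
MAX_JITTER = 0.10   # pstdev / median of the gaps; a fixed-sleep beacon sits far below this


def parse(lines: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (client, destination host)."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, client, host, _bytes = line.split()
        groups[(client, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return groups


def find_beacons(lines: str) -> List[Dict[str, object]]:
    """Return (client, host) pairs whose inter-request gaps cluster tightly around one period."""
    findings: List[Dict[str, object]] = []
    for (client, host), stamps in parse(lines).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < MIN_INTERVALS:
            continue
        period = median(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        if jitter <= MAX_JITTER:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "period_s": period, "jitter": round(jitter, 4)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(LOG_LINES):
        print(finding)
```

The dynamic-DNS host is reported with a period of roughly 1800 seconds and a jitter near zero, while the CDN traffic, whose gaps range from 40 minutes to almost two hours, is not. A beacon that randomises its sleep interval will push the jitter above the threshold, so this check is a complement to byte-count and destination-reputation analysis, not a replacement for it; exempting known update and telemetry endpoints keeps the output short.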

Analyst Notes

This investigation revealed critical insights into the operational methods of the Sentry malware campaign. Continuous monitoring and threat intelligence updates are essential given the sophistication of this malware. Organizations should enhance user awareness training around phishing to mitigate the risk of initial access, and implement advanced endpoint detection and response (EDR) solutions to detect both persistence and lateral-movement behaviors. Further, collaboration with intelligence-sharing initiatives could provide timely threat updates that might prevent future infections.
