Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- APT actors are leveraging custom toolsets for initial access and command and control, indicating advanced operational tradecraft.
- Multi-stage infection chain highlights the need for proactive threat hunting capabilities in organizations.
- Defensive measures must evolve to counteract persistent techniques used for maintaining access and lateral movement.
Executive Summary
During our investigation of the recent ‘PhantomNet’ campaign attributed to APT actors, we observed a sophisticated attack chain characterized by multiple stages, each leveraging proprietary tools and techniques. Initial access was achieved through spear-phishing emails carrying weaponized documents, which launched a multi-stage execution chain. Our analysis revealed a well-defined command and control (C2) infrastructure that enabled the actors to maintain persistence and move laterally throughout the compromised environments. This post details our findings on the TTPs (Tactics, Techniques, and Procedures) employed by the threat actor, the impact of the attack, and recommendations for detection and mitigation.
Initial Access
The attack commenced with spear-phishing emails that contained malicious attachments, typically Word documents exploiting the Microsoft Office ‘Exploitation of Remote Code Execution (CVE-XXXX-XXXX)’ vulnerability. Users who opened these documents were prompted to enable macros, which executed a hidden PowerShell script that downloaded the next-stage payload from a remote server. The delivered file was commonly found at %TEMP%\tempdata.exe. The phishing emails also impersonated trusted entities, which increased the likelihood that recipients would open the attachments.
Execution & Persistence
Upon successful execution, the implant associated with this campaign established a connection back to the actor’s C2 server, using base64 encoding to obfuscate its traffic. This allowed the actors to execute remote commands delivered over HTTP/S. The sample we examined established persistence by adding an entry named ‘Windows Update Service’ under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, ensuring the malware would execute at each user logon. This behavior is consistent with the persistence techniques catalogued in the MITRE ATT&CK framework.
Command and Control
The C2 infrastructure used by the actors was sophisticated, employing fast-flux DNS to rotate the IP addresses behind their servers. Our investigation revealed the use of domain generation algorithms (DGA) to create the subdomains used for communication, which made blocking the malicious domains more challenging. We also observed encrypted data exfiltration over HTTPS, making anomalous network behavior harder for security teams to detect. The C2 interactions showed the actors using a variety of techniques to maintain communications, including periodic beaconing at intervals of 5-10 minutes, which helped the traffic go unnoticed.
Lateral Movement & Discovery
Following initial compromise and the establishment of C2 communication, the actors moved laterally through the network using the Pass-the-Hash technique. Our investigation revealed the presence of tools commonly associated with lateral movement, such as Mimikatz, which was used to extract credentials from the memory of compromised machines. The actors also carried out discovery activity, including enumeration of network shares and user accounts with commands such as net user and net group, which allowed them to expand their foothold within the environment.
Impact & Objectives
The ultimate objective of the ‘PhantomNet’ campaign appeared to revolve around data exfiltration and potential reconnaissance for future attacks. During the analysis, we noted substantial amounts of sensitive data being siphoned off, which indicated that the threat actor was closely monitoring their victims’ operations. Targets were primarily in sectors such as finance and healthcare, suggesting that the actors were interested in harvesting sensitive information for financial gain or strategic advantage. The presence of backdoors and credential harvesting tools suggested preparation for long-term access.
MITRE ATT&CK Mapping
- T1041 – Exfiltration Over Command and Control Channel: Encrypted data exfiltration using C2 communication.
- T1071 – Application Layer Protocol: Utilization of HTTP/S for C2 traffic.
- T1086 – PowerShell: Use of PowerShell scripts for initial execution and command execution post-compromise.
Detection Opportunities
- Monitor for unusual outbound traffic to newly established or known malicious domains, especially those demonstrating DGA patterns.
- Implement endpoint detection and response solutions that can analyze registry modifications and PowerShell script executions.
- Employ network traffic analysis to identify anomalies, such as unusual command and control callouts or base64-encoded traffic.
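As an added illustration of the first and second opportunities (not code from the original report), the following Python hunting script runs three checks over constructed sample data: a DGA heuristic on destination domains, a regular-interval beacon check tuned to the 5-10 minute cadence described above, and a review of HKCU Run entries for the ‘Windows Update Service’ name and %TEMP% launch path. The log format, hostnames, domains and thresholds are all assumptions for the example.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the report): ISO timestamp, host, destination.
PROXY_LOG = """\
2024-03-01T09:00:00 WS-014 x7q3kz9pmw2v.example-cdn.net
2024-03-01T09:07:00 WS-014 b4nq8t2lrz6k.example-cdn.net
2024-03-01T09:14:00 WS-014 p9zk3rmw7q1x.example-cdn.net
2024-03-01T09:21:00 WS-014 q2mz8k1pt4nw.example-cdn.net
2024-03-01T09:03:12 WS-022 mail.example.org
2024-03-01T11:45:40 WS-022 docs.example.org
"""
# Constructed HKCU\...\CurrentVersion\Run values as an EDR might report them.
RUN_KEY_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Windows Update Service": r"C:\Users\alice\AppData\Local\Temp\tempdata.exe",
}

def parse_log(text):
    for line in text.splitlines():
        ts, host, domain = line.split()
        yield datetime.fromisoformat(ts), host, domain.lower()

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def detect_dga(text, min_len=10, min_entropy=3.2):
    """Flag domains whose leftmost label is long and high-entropy (hunting lead, not proof)."""
    return {d for _, _, d in parse_log(text)
            if len(d.split(".")[0]) >= min_len
            and shannon_entropy(d.split(".")[0]) >= min_entropy}

def detect_beaconing(text, low_s=300, high_s=600, min_hits=4):
    """Flag (host, parent domain) pairs contacted at steady 5-10 minute intervals; grouping by
    parent domain collapses rotating DGA subdomains into a single channel."""
    seen = defaultdict(list)
    for ts, host, domain in parse_log(text):
        seen[(host, ".".join(domain.split(".")[-2:]))].append(ts)
    flagged = []
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(low_s <= g <= high_s for g in gaps):
            flagged.append(key)
    return flagged

def suspicious_run_values(values):
    """Flag Run entries that borrow a Windows-sounding name or launch from a Temp path."""
    return sorted(name for name, cmd in values.items()
                  if "\\temp\\" in cmd.lower() or name.lower() == "windows update service")
```

The DGA check will also fire on legitimate CDN or tracking hostnames, so its hits are best correlated with the beacon check rather than alerted on alone.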
Analyst Notes
This investigation of the ‘PhantomNet’ campaign showcases advanced persistent threats leveraging sophisticated methods for both initial access and sustained presence within environments. The use of multi-faceted techniques poses challenges for traditional detection mechanisms. As such, it is crucial for organizations to enhance their defense strategies with proactive threat hunting, robust endpoint monitoring, and continuous education for users to recognize and mitigate social engineering attacks. Long-term remediation will involve thorough network segmentation and a rigorous review of user account permissions to limit the impact of similar future incidents.
Source: Original Report