Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- The attack vector utilized a phishing email with a malicious attachment that led to initial access.
- Our analysis uncovered that the malware employs multiple persistence mechanisms through Registry modifications.
- Command and Control (C2) communication is executed via an obfuscated HTTP request to an external server.
Executive Summary
During the investigation of a recent phishing campaign, we observed the deployment of a sophisticated malware strain tracked here as MALICIOUS_EXECUTION_SHELL. This malware targets enterprise environments, using social engineering to obtain initial access through well-crafted emails. The threat actor's objective appears to be data exfiltration alongside potential lateral movement within infected networks. Our analysis mapped the observed tactics and techniques to the **MITRE ATT&CK** framework; together they form a stealthy attack chain designed to evade organizational defenses.
Initial Access
The phishing campaign began with targeted emails sent to high-ranking personnel within the organization, an approach often referred to as Business Email Compromise (BEC). The emails carried an attachment disguised as a legitimate document. When the victim opened the file, embedded macros prompted them to enable content, which executed the initial malware payload. Our examination of the document revealed VBA scripts that downloaded the MALICIOUS_EXECUTION_SHELL executable from an external server, completing the initial access phase of the attack.
Execution & Persistence
Following successful infection, the malware established persistence by creating a scheduled task configured to run at user logon, observed as new entries in the C:\Windows\System32\Tasks directory. We also noted modifications to the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, where the actor added autorun values to relaunch the malware after system reboots. Together these mechanisms show a deliberate effort to maintain a foothold within the target environment.
Command and Control
The C2 infrastructure was notable for its evasion techniques. The sample communicated with an external IP address through a series of obfuscated HTTP requests, rotating random User-Agent strings to mimic legitimate traffic and evade both network-based and host-based intrusion detection systems. The C2 traffic was also heavily encrypted using a custom protocol, which further complicates timely detection and analysis.
Lateral Movement & Discovery
Post-exploitation activity showed the actor moving laterally across the network with legitimate administrative tools such as PsExec and WMIC. We identified commands executed under C:\Windows\System32\cmd.exe that indicate reconnaissance aimed at mapping the network topology and identifying valuable assets. The malware also harvested credentials from memory using techniques consistent with **Credential Dumping (T1003)**, enabling unauthorized access to other systems.
Impact & Objectives
The threat actor's overarching goal appears to be the theft of sensitive corporate data. During our investigation we found logging and monitoring agents deployed against file shares and database systems, which suggests a focused effort to exfiltrate proprietary information. We also found evidence of remote desktop services being manipulated, likely in order to pivot to other accounts or machines and spread the infection further.
MITRE ATT&CK Mapping
- T1566 – Phishing: Initial access was gained through a crafted email with a malicious attachment.
- T1203 – Exploitation for Client Execution: The malware relied on macro execution in a Word document.
- T1053.005 – Scheduled Task/Job: The sample created scheduled tasks for persistence.
- T1071 – Application Layer Protocol: C2 communication utilized HTTP to mask intent.
- T1021.002 – Remote Services: RDP: Used for lateral movement post-compromise.
Detection Opportunities
- Implement email filtering to block known malicious attachments targeting your high-value users.
- Monitor for unusual scheduled task creations and registry modifications associated with autorun behaviors.
- Utilize behavioral analysis tools to identify suspicious outbound HTTP requests that deviate from normal patterns.
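The following is an added detection example, not part of the original report: it applies the second and third opportunities above to constructed JSON-lines telemetry, flagging Run-key autorun values and logon tasks that point at user-writable paths, and User-Agent churn from one host to one destination. The event schema, hostnames, paths and addresses are all invented for illustration.

```python
import json
from collections import defaultdict

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
UA_CHURN = 3  # distinct User-Agent strings from one host to one destination

def _user_writable(path):
    """True when a binary lives somewhere a normal user can write (assumed heuristic)."""
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect(log_lines):
    """Return findings for autorun persistence and C2-like User-Agent rotation."""
    findings, agents = [], defaultdict(set)
    for line in log_lines:
        e = json.loads(line)
        if e["event"] == "registry_set" and e["key"].lower().startswith(RUN_KEY.lower()) \
                and _user_writable(e["data"]):
            findings.append({"rule": "run_key_autorun", "host": e["host"], "detail": e["data"]})
        elif e["event"] == "task_created" and _user_writable(e["command"]):
            findings.append({"rule": "logon_task", "host": e["host"], "detail": e["task"]})
        elif e["event"] == "http":
            agents[(e["host"], e["dst"])].add(e["user_agent"])
    for (host, dst), uas in agents.items():  # rotation only shows up across events
        if len(uas) >= UA_CHURN:
            findings.append({"rule": "ua_churn", "host": host, "detail": f"{dst} ({len(uas)} agents)"})
    return findings

# Constructed sample telemetry (JSON lines, hypothetical schema); nothing here is real.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"event": "registry_set", "host": "WS01", "process": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "key": RUN_KEY + r"\Updater", "data": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"event": "registry_set", "host": "WS01", "process": r"C:\Program Files\Vendor\setup.exe",
     "key": RUN_KEY + r"\VendorTray", "data": r"C:\Program Files\Vendor\tray.exe"},  # benign
    {"event": "task_created", "host": "WS01", "user": "jdoe", "task": r"\Updater",
     "trigger": "logon", "command": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"event": "task_created", "host": "WS01", "user": "SYSTEM", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "trigger": "weekly", "command": r"C:\Windows\System32\defrag.exe"},  # benign
    {"event": "http", "host": "WS01", "dst": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"event": "http", "host": "WS01", "dst": "203.0.113.10", "user_agent": "curl/8.4.0"},
    {"event": "http", "host": "WS01", "dst": "203.0.113.10", "user_agent": "Opera/9.80"},
    {"event": "http", "host": "WS02", "dst": "198.51.100.5", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
]]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

The path heuristic and churn threshold are starting points; tune them against a baseline of your own environment's autorun entries and proxy logs to keep false positives manageable.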
Analyst Notes
It is imperative for organizations to not only fortify their defenses against phishing attempts but also ensure robust monitoring and response strategies are in place to detect unusual network activities post-infection. Regular training sessions to educate staff about recognizing phishing attempts can mitigate risks significantly. Moreover, instituting strict access controls and identity management policies will assist in minimizing the potential impact of successful breaches.