Analyzing the Evolution of a Sophisticated Threat Actor: A DFIR Investigation

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • The actor utilized a multi-staged attack involving advanced social engineering techniques.
  • Persistence mechanisms included leveraging scheduled tasks and registry modifications.
  • Command and Control (C2) infrastructure was characterized by rapid IP rotation to evade detection.

Executive Summary

During our investigation of a recent intrusion, we observed a multi-faceted attack orchestrated by a threat actor likely affiliated with a well-known cybercriminal group. This campaign exemplified the use of advanced techniques for initial access, execution, and lateral movement, indicating a high level of sophistication. Our analysis revealed that the actor employed a combination of social engineering and malware deployment strategies to compromise the target environment, establish persistence, and execute their objectives.

Initial Access

Initial access was gained through a meticulously crafted phishing email that contained a malicious attachment. The document, named Invoice_2023_Q2.docx, exploited macros to execute a PowerShell command, which in turn downloaded a payload from a compromised web server. The payload identified was a variant of the Emotet malware, known for its capabilities to serve as a dropper for additional malicious software.

Execution & Persistence

Upon successful execution, the malware dropped a trojanized version of Qakbot, which established persistence via a series of scheduled tasks located at C:\Windows\Tasks\. We noted that the malware also created registry entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure execution on system startup. The persistent nature of this implant allowed the actor to maintain access over extended periods while minimizing the chance of detection.

Command and Control

The command and control (C2) communication was characterized by the use of encrypted HTTPS traffic. The sample beaconed out to multiple IP addresses across various geographic locations, making use of polyglot domains to further obfuscate its true intent. Our analysis revealed a C2 infrastructure that employed rapid IP rotation and dynamic DNS services, complicating efforts to block malicious traffic. Notably, we observed that the beacons included exfiltrated data embedded within the request, indicating a focus on data theft.

Lateral Movement & Discovery

Once the initial foothold was established, the actor employed several lateral movement techniques. Using the Windows Management Instrumentation command-line utility (WMIC), the implant queried other machines on the network. This allowed the threat actor to gather information on user accounts and operating systems. Additionally, we observed the use of PsExec to execute commands remotely on other hosts, accelerating the spread of the malware across the enterprise environment.

Impact & Objectives

The primary objective of the threat actor was data exfiltration, specifically targeting sensitive financial records and customer data. The malware's data exfiltration routines were designed to compress and encrypt files before staging them for transfer, significantly reducing the likelihood of detection by traditional security measures. Furthermore, the actor moved laterally to penetrate the network more deeply, likely in preparation for future ransom demands.

MITRE ATT&CK Mapping

  • T1566 – Phishing: The threat actor delivered malware via a phishing email with a malicious document.
  • T1059.001 – PowerShell: Malware executed PowerShell commands for downloading additional payloads.
  • T1203 – Exploitation for Client Execution: Macro-enabled document exploited to gain initial execution.
  • T1071.001 – Application Layer Protocol: Web Protocols: Used for command and control over HTTPS.
  • T1021.001 – Remote Services: Remote Management Software: Lateral movement through WMIC.

Detection Opportunities

  • Monitor for execution of PowerShell commands originating from Office document macro execution.
  • Implement logging for new scheduled tasks and registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  • Utilize threat intelligence feeds to identify and block known malicious C2 domains and IP addresses.
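As an added example (not code from the original report), the following Python triage script implements the first two detection opportunities above over constructed, Sysmon-style event records; the field names, the Office parent-process list and the sample events are assumptions chosen for illustration:

```python
import ntpath

# Constants are assumptions for this example, matching the artifacts named in
# the report (Run key, C:\Windows\Tasks, PowerShell spawned by Office macros).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
RUN_KEY_PREFIX = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"
TASKS_DIR_PREFIX = "c:\\windows\\tasks\\"

def is_office_spawned_powershell(event):
    """Rule 1: a PowerShell process whose parent is an Office application."""
    if event.get("type") != "process_create":
        return False
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    image = ntpath.basename(event.get("image", "")).lower()
    return parent in OFFICE_PARENTS and image in POWERSHELL_IMAGES

def is_run_key_or_task_persistence(event):
    """Rule 2: a Run-key value write or a file dropped into the Tasks folder."""
    target = event.get("target", "").lower()
    if event.get("type") == "registry_set":
        return target.startswith(RUN_KEY_PREFIX)
    if event.get("type") == "file_create":
        return target.startswith(TASKS_DIR_PREFIX)
    return False

def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_office_spawned_powershell(ev):
            hits.append(("office_spawned_powershell", ev))
        if is_run_key_or_task_persistence(ev):
            hits.append(("run_key_or_task_persistence", ev))
    return hits

# Constructed sample events (Sysmon-like field names, not from the case).
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "process_create", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "registry_set", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "file_create", "target": "C:\\Windows\\Tasks\\sync.job"},
    {"type": "file_create", "target": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("target") or ntpath.basename(ev["image"]))
```

Benign PowerShell launched from Explorer and ordinary user files are not flagged, so each hit corresponds to one of the two report artifacts.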

Analyst Notes

This case underscores the evolving tactics employed by sophisticated threat actors and highlights the necessity of a multi-layered defense strategy. Enhancing staff training on phishing and maintaining up-to-date threat intelligence will significantly improve defenses against such threats. Continuous monitoring and logging of anomalous activities could further bolster detection capabilities.
