Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- Phishing emails were utilized to achieve initial access, leveraging social engineering principles to deceive targets.
- The malware deployed included a dropper that installed a ransomware payload, indicating a multi-stage attack chain.
- Command and Control (C2) communications utilized encrypted channels for data exfiltration, revealing advanced evasion techniques.
Executive Summary
This analysis delves into a sophisticated phishing-based ransomware attack that we observed targeting several organizations over a recent period. The malefactors employed social engineering tactics to lure victims into executing malicious payloads, leading to significant operational impacts. Our investigation encompasses the entire attack chain, detailing the methods used for initial access, execution, persistence, and the resultant impact on compromised systems.
Initial Access
Initial access was achieved through a well-crafted phishing email that contained a malicious attachment masquerading as an important document. We noted the email used a realistic sender address, exploiting trust relationships within the organization. The attachment, when opened, executed a PowerShell script embedded in the document that triggered a series of commands aimed at downloading the ransomware dropper from a remote server. This aligns with the MITRE technique T1566 – Phishing, showing that social engineering remains a preferred entry vector.
Execution & Persistence
Upon execution, the dropper deployed the ransomware payload in the form of a compiled binary located at C:\ProgramData\SystemUpdater\updater.exe. Our analysis revealed that this dropper not only executed the ransomware but also initiated a persistence mechanism by creating a scheduled task at C:\Windows\System32\Tasks\SystemUpdater. This task was configured to run the ransomware binary every time the system booted, ensuring that even system reboots would not disrupt the actor’s established foothold.
Command and Control
In the C2 phase, the compromised hosts established communication with a remote server over an encrypted HTTPS channel to evade detection. The C2 traffic exhibited patterns associated with T1071.001 – Application Layer Protocol: Web Protocols, making use of common web ports. During the investigation, we captured traffic logs showing connections to a domain that resolved to an IP associated with known malware distribution. The actor utilized DNS over HTTPS (DoH) to mask their traffic further, complicating our ability to analyze their communications effectively.
Lateral Movement & Discovery
Lateral movement within the network was executed using Windows Management Instrumentation (WMI) calls, specifically leveraging T1047 – Windows Management Instrumentation. The actor used WMI to query systems for active sessions and deployed the ransomware to high-value targets without raising alarms. We noted the use of credentials harvested from memory to access administrative shares over SMB, illustrated by activity involving the \\192.168.1.5\temp share where further payloads were dispatched.
Impact & Objectives
The primary objective of the attack was to exfiltrate sensitive data while simultaneously encrypting critical files across the organization. During our investigation, we discovered that a substantial number of files were affected, including databases and personal employee information. The ransomware employed a robust encryption algorithm, demanding a ransom payable in cryptocurrency, thereby further obfuscating the actor’s identity. The operational impact owing to downtime and data loss was significant, with recovery efforts expected to exceed several weeks.
MITRE ATT&CK Mapping
- T1566 – Phishing: The method of initial access through deceptive communications.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Used for executing scripts during the exploitation phase.
- T1071.001 – Application Layer Protocol: Web Protocols: Employed for C2 communications.
- T1047 – Windows Management Instrumentation: Used for lateral movement between systems.
Detection Opportunities
- Implement an email filter to detect and quarantine phishing attempts based on keywords and sender reputation.
- Monitor for anomalous scheduled task creation, particularly those pointing to uncommon directories.
- Utilize network IDS to analyze traffic patterns for encrypted connections to suspicious external domains.
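As an added example (not code from the original report), the scheduled-task detection above applied to constructed Windows Security Event ID 4698 records (scheduled task created): it flags tasks whose action binary runs from a staging directory such as C:\ProgramData and notes whether a boot trigger is present, matching the SystemUpdater task described in the Execution & Persistence section. The event field names, the sample records and the list of uncommon directories are assumptions for this example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Directories from which admin-installed scheduled tasks rarely run; this list
# is an assumption for the example, not an authoritative baseline.
UNCOMMON_DIRS = (r"c:\programdata", r"c:\users\public", r"c:\windows\temp", r"\appdata\local\temp")

# The task body logged with 4698 is XML; the executable sits in <Command>.
COMMAND_RE = re.compile(r'<Command>\s*"?([^"<]+?)"?\s*</Command>', re.IGNORECASE)
BOOT_RE = re.compile(r"<BootTrigger\b", re.IGNORECASE)


def task_command(task_xml: str) -> Optional[str]:
    """Return the executable path from the task XML, or None if absent."""
    m = COMMAND_RE.search(task_xml)
    return m.group(1).strip() if m else None


def is_uncommon_path(path: str) -> bool:
    """True if the executable lives under a user-writable or staging directory."""
    p = path.lower()
    return any(d in p for d in UNCOMMON_DIRS)


def suspicious_task_creations(events: Iterable[Dict]) -> List[Dict]:
    """Return 4698 events whose action runs from an uncommon directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue  # only task-creation events are of interest here
        cmd = task_command(ev.get("TaskContent", ""))
        if cmd and is_uncommon_path(cmd):
            hits.append({
                "Host": ev["Computer"],
                "TaskName": ev["TaskName"],
                "Command": cmd,
                # A boot trigger matches the persistence pattern in the report.
                "BootTrigger": bool(BOOT_RE.search(ev["TaskContent"])),
            })
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "WS-07", "TaskName": r"\SystemUpdater",
     "TaskContent": r"<Task><Triggers><BootTrigger/></Triggers><Actions><Exec>"
                    r"<Command>C:\ProgramData\SystemUpdater\updater.exe</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "Computer": "WS-07", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": r"<Task><Actions><Exec><Command>%windir%\system32\defrag.exe</Command></Exec></Actions></Task>"},
    {"EventID": 4699, "Computer": "WS-07", "TaskName": r"\OldTask", "TaskContent": ""},  # deletion, ignored
]

if __name__ == "__main__":
    for hit in suspicious_task_creations(SAMPLE_EVENTS):
        print(hit)
```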
Analyst Notes
This attack highlights the pressing need for robust security awareness training among employees, as well as the importance of monitoring malicious behavior post-initial access. Detection mechanisms should prioritize phishing detection and provide visibility into scheduled task modifications. Additionally, organizations should adopt strict controls around WMI and SMB to mitigate lateral movement opportunities for adversaries.