Nina Kovacs — Exploit Research Analyst
Key Takeaways
- A sophisticated exploit chain leveraging phishing emails facilitated initial access to the corporate network.
- The malware deployed by the actor utilized advanced techniques for persistence and lateral movement, evading standard detection methods.
- Command and control communication patterns indicate a well-structured infrastructure, potentially hinting at a state-sponsored threat group.
Executive Summary
During our investigation we reconstructed a multi-stage infection chain and the tactics, techniques, and procedures (TTPs) behind it. The chain began with a suspicious email reported by a user; its malicious attachment executed a dropper, which in turn retrieved further payloads, established persistence, and opened command and control (C2) communications. The intrusion underlines the need for layered detection and sustained vigilance in corporate environments.
Initial Access
The initial access vector was a phishing email carrying a malicious Office document. The document exploited CVE-2021-40444, a remote code execution flaw in the MSHTML engine that is reachable from Office files, and it also carried a VBA macro; once the victim opened the document and enabled macros, the script downloaded a malicious executable. CVE-2021-40444 itself does not depend on macros, so the exploit and the macro gave the actor two routes to code execution. The dropper we examined was written to %TEMP%\malicious_dropper.exe and used PowerShell commands to download and execute additional payloads.
Execution & Persistence
The malicious executable unpacked a secondary payload that we identified as a backdoor variant we dubbed SilverShell. The implant established persistence by writing a new value named SilverShell under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, so that it launched at each logon of the compromised user and kept its foothold without needing elevated privileges. It further complicated detection through process injection and DLL sideloading.
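The Run-key write described above is visible in endpoint telemetry as a Sysmon Event ID 13 (RegistryEvent: value set). The following detection logic is an added example written for this page, not tooling from the investigation: it scans JSON-formatted Sysmon events, flags every value written under a Run or RunOnce key, and rates the alert higher when either the writing process or the autostart target lives in a user-writable directory. The sample events, the SID, the file names and the `wuhelper.exe` target are constructed for illustration.

```python
import json
import re

# Run / RunOnce autostart keys under HKLM or any user hive. Sysmon writes user
# hives as HKU\<SID>\..., so match on the tail of the key path, not the root.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE,
)

# Directories a legitimate installer does not normally use for an autostart binary.
USER_WRITABLE_DIR_RE = re.compile(r"\\(Temp|Downloads|Public)\\", re.IGNORECASE)

# Constructed Sysmon Event ID 13 records, one JSON object per line. These are
# illustrative and are not telemetry from the incident.
SAMPLE_SYSMON = r"""
{"EventID": 13, "UtcTime": "2024-03-04 09:12:41.102", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater", "Details": "\"C:\\Program Files\\Vendor\\updater.exe\" /background"}
{"EventID": 13, "UtcTime": "2024-03-04 09:15:03.557", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\malicious_dropper.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SilverShell", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuhelper.exe"}
{"EventID": 13, "UtcTime": "2024-03-04 09:16:20.004", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 1, "UtcTime": "2024-03-04 09:16:25.000", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""


def parse_sysmon(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_run_key_persistence(events):
    """Return an alert for every Run/RunOnce value write. Severity is 'high' when
    the writer or the autostart target sits in a user-writable directory."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        match = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not match:
            continue
        key, value_name = match.groups()
        details = ev.get("Details", "")
        image = ev.get("Image", "")
        suspicious = bool(
            USER_WRITABLE_DIR_RE.search(details) or USER_WRITABLE_DIR_RE.search(image)
        )
        alerts.append({
            "time": ev.get("UtcTime"),
            "key": key,
            "value_name": value_name,
            "writer": image,
            "target": details,
            "severity": "high" if suspicious else "medium",
        })
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_run_key_persistence(parse_sysmon(SAMPLE_SYSMON))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['severity']}] {alert['key']}\\{alert['value_name']} "
              f"<- {alert['target']} (written by {alert['writer']})")
```

On the sample, the vendor installer's Run entry is reported at medium severity, the SilverShell entry written by the dropper from the user's Temp directory at high severity, and the unrelated Explorer setting is ignored. Real deployments should also cover the other autostart locations ATT&CK T1547 lists (RunServices, Winlogon, services, scheduled tasks), which this example deliberately leaves out.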
Command and Control
The C2 infrastructure showed careful operational security. The implant first beaconed to a domain we traced to a bulletproof hosting provider, using custom HTTPS requests to evade network detection. Traffic was encrypted with keys hardcoded in the implant, so conventional network monitoring saw only opaque payloads; the flip side of hardcoded keys is that they can be recovered from the binary and used to decrypt captured sessions during analysis. Beacons were sent at a fixed 30-minute interval. The low volume stayed below threshold-based anomaly alerts, but a fixed period without jitter is exactly the regularity that beacon-interval analysis is designed to expose.
Lateral Movement & Discovery
After establishing a presence on the initial host, the attacker used T1078 – Valid Accounts for lateral movement. Credentials were harvested with Mimikatz and reused over WinRM to execute commands on other systems; several hosts were compromised within hours. Discovery followed, enumerating domain users and system information (T1087 – Account Discovery and T1046 – Network Service Discovery) so that the attacker had a complete map of the network before escalating privileges.
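Credential reuse over WinRM leaves a characteristic trail in the Windows Security log: the same account, from the same source address, producing network logons (event ID 4624, logon type 3) on many different hosts in a short window. The detector below is an added example for this page, not a tool from the investigation; it reads JSON-formatted 4624 events and alerts on that fan-out. Host names, account names and addresses in the sample are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4624 (successful logon) records, one JSON object per
# line. LogonType 3 is a network logon, which SMB, WinRM and WMI access all produce.
SAMPLE_LOGONS = """\
{"EventID": 4624, "TimeCreated": "2024-03-04T12:01:10Z", "Computer": "FS01", "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"}
{"EventID": 4624, "TimeCreated": "2024-03-04T12:02:44Z", "Computer": "FS01", "LogonType": 3, "TargetUserName": "alice", "IpAddress": "10.0.0.22"}
{"EventID": 4624, "TimeCreated": "2024-03-04T12:04:31Z", "Computer": "DB01", "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"}
{"EventID": 4624, "TimeCreated": "2024-03-04T12:05:02Z", "Computer": "FS01", "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.99"}
{"EventID": 4624, "TimeCreated": "2024-03-04T12:09:58Z", "Computer": "WEB02", "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"}
{"EventID": 4624, "TimeCreated": "2024-03-04T12:11:15Z", "Computer": "DB01", "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.99"}
{"EventID": 4624, "TimeCreated": "2024-03-04T12:17:40Z", "Computer": "DC01", "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"}
{"EventID": 4624, "TimeCreated": "2024-03-04T13:30:00Z", "Computer": "FS01", "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"}
"""


def parse_logons(text):
    """Parse one JSON event per line and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["TimeCreated"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def detect_logon_fanout(events, min_hosts=3, window=timedelta(hours=1)):
    """Alert when one account, from one source address, performs network logons to
    at least `min_hosts` distinct computers within any sliding `window`."""
    by_actor = defaultdict(list)  # (account, source ip) -> [(time, target host)]
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 3:
            by_actor[(ev["TargetUserName"], ev["IpAddress"])].append(
                (ev["TimeCreated"], ev["Computer"])
            )
    alerts = []
    for (user, src), visits in by_actor.items():
        best = set()
        # Slide the window end over each logon and keep the widest host set seen.
        for i, (t_end, _) in enumerate(visits):
            hosts = {host for t, host in visits[: i + 1] if t_end - t <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({"account": user, "source": src, "hosts": sorted(best)})
    return alerts


def run_sample():
    return detect_logon_fanout(parse_logons(SAMPLE_LOGONS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['account']} from {a['source']} reached {len(a['hosts'])} hosts: {a['hosts']}")
```

In the sample, svc_backup from 10.0.0.15 reaches four hosts in sixteen minutes and is reported, while the same account from the legitimate backup server (two hosts) and the interactive alice logon (type 2) are not. The threshold and window are tuning knobs; service accounts with a known, fixed set of targets should be baselined rather than exempted. Because WinRM listens on TCP 5985/5986, the same fan-out can be corroborated from network telemetry by looking for new clients of those ports.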
Impact & Objectives
The primary objective appeared to be data exfiltration and intelligence gathering. In preparation, the attacker collected sensitive data from databases and file servers and staged it for exfiltration. We used NetFlow data and internal logs to analyze outbound traffic patterns over the intrusion timeline, and identified approximately 15 GB of sensitive data exfiltrated to a remote C2 server before our incident response team severed the connection.
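Both the fixed-interval beaconing described under Command and Control and the bulk transfer described here fall out of the same flow data. The script below is an added example for this page, not the analysis tooling used in the incident: it parses constructed flow records, flags (source, destination) pairs whose connection intervals are nearly constant, and separately flags pairs whose summed outbound bytes exceed a threshold. The addresses use documentation ranges (203.0.113.0/24, 198.51.100.0/24) and the timestamps, byte counts and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flow records, one per line: "timestamp src dst dport bytes_out".
# 10.0.0.15 beacons to 203.0.113.10 every ~30 minutes, then pushes bulk data to
# 203.0.113.44; 10.0.0.22 is ordinary, irregular browsing to 198.51.100.7.
SAMPLE_FLOWS = """\
2024-03-04T08:00:02Z 10.0.0.15 203.0.113.10 443 1420
2024-03-04T08:01:00Z 10.0.0.22 198.51.100.7 443 18230
2024-03-04T08:03:40Z 10.0.0.22 198.51.100.7 443 9120
2024-03-04T08:20:10Z 10.0.0.22 198.51.100.7 443 44010
2024-03-04T08:30:05Z 10.0.0.15 203.0.113.10 443 1388
2024-03-04T09:00:01Z 10.0.0.15 203.0.113.10 443 1402
2024-03-04T09:29:58Z 10.0.0.15 203.0.113.10 443 1419
2024-03-04T09:50:00Z 10.0.0.22 198.51.100.7 443 2210
2024-03-04T09:51:30Z 10.0.0.22 198.51.100.7 443 130400
2024-03-04T10:00:03Z 10.0.0.15 203.0.113.10 443 1390
2024-03-04T10:30:00Z 10.0.0.15 203.0.113.10 443 1411
2024-03-04T10:40:00Z 10.0.0.22 198.51.100.7 443 7700
2024-03-04T11:00:04Z 10.0.0.15 203.0.113.10 443 1406
2024-03-04T11:29:59Z 10.0.0.15 203.0.113.10 443 1399
2024-03-04T11:35:10Z 10.0.0.15 203.0.113.44 443 5100000000
2024-03-04T11:52:41Z 10.0.0.15 203.0.113.44 443 5100000000
2024-03-04T12:00:00Z 10.0.0.22 198.51.100.7 443 5100
2024-03-04T12:09:17Z 10.0.0.15 203.0.113.44 443 5100000000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "bytes_out": int(nbytes),
        })
    return flows


def find_beacons(flows, min_connections=6, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection times are nearly constant.
    A low coefficient of variation (stdev / mean) is the signature of a
    timer-driven implant with little or no jitter, regardless of byte volume."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "connections": len(stamps),
                            "mean_interval_s": round(avg), "cv": round(cv, 4)})
    return beacons


def find_bulk_outbound(flows, threshold_bytes=1_000_000_000):
    """Flag (src, dst) pairs whose summed outbound bytes exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes_out"]
    return [{"src": s, "dst": d, "bytes_out": n}
            for (s, d), n in sorted(totals.items()) if n > threshold_bytes]


def analyze(text=SAMPLE_FLOWS):
    """Return (beacon alerts, bulk-transfer alerts) for the given flow text."""
    flows = parse_flows(text)
    return find_beacons(flows), find_bulk_outbound(flows)


if __name__ == "__main__":
    beacons, bulk = analyze()
    for b in beacons:
        print(f"beacon: {b['src']} -> {b['dst']} every ~{b['mean_interval_s']}s "
              f"({b['connections']} connections, cv={b['cv']})")
    for x in bulk:
        print(f"bulk outbound: {x['src']} -> {x['dst']} {x['bytes_out'] / 1e9:.1f} GB")
```

On the sample, the 30-minute beacon is reported with a coefficient of variation near zero while the browsing pair, with intervals from 90 s to 90 min, is not; the three large flows to 203.0.113.44 sum to 15.3 GB and trip the volume check. Per-destination volume thresholds need a baseline (backup and cloud-sync destinations routinely exceed 1 GB), and the interval test is only as good as the flow timestamps; proxy logs give cleaner per-request times than aggregated NetFlow.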
MITRE ATT&CK Mapping
- T1566.001 – Phishing: Spearphishing Attachment: initial access via a malicious Office document attached to an email.
- T1203 – Exploitation for Client Execution: CVE-2021-40444 triggered when the document was opened.
- T1059.001 – Command and Scripting Interpreter: PowerShell: download and execution of additional payloads and automation of lateral movement.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys: SilverShell persistence under the HKCU Run key.
- T1055 – Process Injection and T1574.002 – Hijack Execution Flow: DLL Side-Loading: defense evasion by the implant.
- T1071.001 – Application Layer Protocol: Web Protocols: HTTPS C2 communications.
- T1003.001 – OS Credential Dumping: LSASS Memory: credential theft with Mimikatz.
- T1078 – Valid Accounts and T1021.006 – Remote Services: Windows Remote Management: lateral movement with stolen credentials over WinRM.
- T1087 – Account Discovery and T1046 – Network Service Discovery: enumeration of domain users and services.
- T1041 – Exfiltration Over C2 Channel: approximately 15 GB of data sent to the C2 server.
Detection Opportunities
- Enforce email filtering that blocks or sandboxes Office attachments containing macros or external MHTML/ActiveX references, and strip known malicious attachment types at the gateway.
- Deploy endpoint detection and response with PowerShell script block logging (event ID 4104) enabled, and alert on anomalous PowerShell downloads, process injection and DLL sideloading.
- Alert on value writes under Run/RunOnce registry keys (Sysmon event ID 13), especially when the writing process or the autostart target lives in a user-writable directory.
- Monitor outbound traffic for fixed-interval connections and for large transfers to uncommon or newly seen domains, and correlate network logons (event ID 4624, logon type 3) from a single source to many hosts.
Analyst Notes
Our investigation serves as a crucial reminder of the evolving tactics used by threat actors. The combination of initial filtering mechanisms and advanced detection capabilities is essential for mitigating risks associated with such complex attack vectors. Continuous training for employees regarding phishing and social engineering threats remains imperative. In parallel, organizations should strengthen their incident response protocols to ensure rapid containment and recovery from potential breaches.
Source: Original Report