Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- We observed a highly coordinated phishing campaign targeting employees of various sectors.
- The malware utilized a multi-stage infection chain leveraging both PowerShell and a custom backdoor.
- Indicators of compromise (IOCs) included specific file hashes, URLs, and registry modifications that are crucial for detection.
Executive Summary
During our investigation of a recent sophisticated phishing campaign, we discovered that the actor employed a custom backdoor alongside several evasion techniques to maintain persistence within compromised environments. The initial entry vector was a spear-phishing email, containing a malicious attachment that was pivotal in executing the attack chain. This multi-stage process allowed the actor to obtain sensitive data and establish a strong foothold within the targeted networks.
Initial Access
The initial access vector was identified as a targeted spear-phishing email sent to key personnel within organizations. The email masqueraded as a legitimate request for information, prompting recipients to download an attached macro-enabled document. Upon enabling macros, the document executed a series of PowerShell commands that downloaded additional payloads from a remote server. These PowerShell commands were passed in encoded form, which evaded standard detection mechanisms.
Execution & Persistence
Once the backdoor was deployed, the actor utilized techniques to ensure persistence within the compromised system. The malware created a scheduled task, located at C:\Windows\System32\Tasks\MyTask, which was designed to run at every logon. This was achieved through the Task Scheduler, ensuring that the implant would survive reboots and provide the actor continual access to the system.
Command and Control
Our analysis revealed that the backdoor implemented various command and control (C2) mechanisms. The malware communicated over HTTP with a domain that was dynamically generated, complicating detection efforts. During the investigation, we identified several domain names used for C2 activities, including malicious-domain[.]com, which followed a predictable pattern that allowed rapid identification of additional domains in use. The communication followed a fixed structure that matched the behavior of known C2 frameworks.
Lateral Movement & Discovery
During lateral movement, the actor employed the Windows Admin Shares to access other machines within the network, leveraging stolen credentials that were captured by the backdoor. This tactic, corresponding to the MITRE ATT&CK technique **T1077 – Windows Admin Shares**, allowed for lateral access across the infrastructure without raising alarms. The actor utilized tools such as PSEXEC and WMIC for executing commands on remote machines, which further facilitated the discovery of additional network resources.
Impact & Objectives
The primary objective of the campaign appeared to be data exfiltration, as the actor’s access to sensitive information was possibly aimed at intellectual property theft. We noted attempts to interact with databases and file servers hosting critical business data, aligning with their goals of maximizing impact. The presence of keyloggers and screen-capturing functions within the implant also indicated a strong interest in ongoing surveillance and data capture.
MITRE ATT&CK Mapping
- T1566 – Phishing: Initial access via phishing emails.
- T1059.001 – PowerShell: Execution of commands through PowerShell scripts.
- T1071 – Application Layer Protocol: Usage of HTTP for command and control communication.
- T1077 – Windows Admin Shares: Lateral movement using administrative shares.
Detection Opportunities
- Monitor for unusual outbound HTTP traffic to newly registered domains.
- Implement monitoring of PowerShell command execution, especially encoded commands.
- Detect the creation of scheduled tasks that resemble known malicious patterns.
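The three detection opportunities above can be expressed as simple rules over endpoint and proxy telemetry. The following script is an added example, not code from the original report: it parses a handful of constructed key=value log lines (process creation, scheduled-task creation, outbound HTTP), decodes any `-EncodedCommand` argument so the analyst can see what the encoded PowerShell actually was, flags scheduled tasks outside a baseline that launch a script host, and flags outbound HTTP to domains that are newly registered or have a high-entropy label. The log format, the `DOMAIN_REGISTERED` table (a stand-in for a WHOIS/RDAP age feed) and the `TASK_BASELINE` set are assumptions made for the example.

```python
import base64
import binascii
import math
import re
from datetime import date

# Constructed stand-in for a domain-age feed (in practice: WHOIS/RDAP lookups).
DOMAIN_REGISTERED = {
    "updates.example-corp.internal": date(2015, 3, 1),
    "x7q2kd9fzp.com": date(2024, 5, 20),
}
TODAY = date(2024, 6, 1)          # fixed so the example is deterministic
NEW_DOMAIN_DAYS = 30              # "newly registered" threshold
ENTROPY_THRESHOLD = 3.0           # bits per character; DGA-like labels score higher
TASK_BASELINE = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}   # assumed known-good tasks
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")

# PowerShell expects -EncodedCommand as base64 of a UTF-16LE string; build a
# harmless constructed payload the same way so the decoder can be exercised.
ENCODED_PAYLOAD = base64.b64encode("Get-Date".encode("utf-16-le")).decode()

# Constructed sample telemetry (not from the report).
SAMPLE_LOGS = [
    f'type=process_create user=jdoe cmdline="powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_PAYLOAD}"',
    'type=process_create user=jdoe cmdline="powershell.exe -File C:\\Scripts\\backup.ps1"',
    'type=task_create name="\\MyTask" action="powershell.exe -w hidden -enc QQBCAA=="',
    'type=task_create name="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" action="defrag.exe -c"',
    'type=http_out user=jdoe dst=x7q2kd9fzp.com method=POST uri=/api/beacon',
    'type=http_out user=jdoe dst=updates.example-corp.internal method=GET uri=/patch',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Accepts the common spellings -e, -ec, -enc and -encodedcommand followed by a base64 token.
ENC_RE = re.compile(r'(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)')


def parse_kv(line):
    """Turn 'k=v k2="quoted v"' into a dict."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if none is present or it is not valid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def check_process(ev):
    decoded = decode_encoded_command(ev.get("cmdline", ""))
    return None if decoded is None else f"encoded PowerShell (decodes to: {decoded!r})"


def check_task(ev):
    name, action = ev.get("name", ""), ev.get("action", "").lower()
    if name in TASK_BASELINE:
        return None
    if any(host in action for host in SCRIPT_HOSTS):
        return f"non-baseline task {name} runs a script host"
    return None


def check_http(ev):
    dst = ev.get("dst", "")
    reasons = []
    registered = DOMAIN_REGISTERED.get(dst)
    if registered is None:
        reasons.append("no registration record")
    elif (TODAY - registered).days < NEW_DOMAIN_DAYS:
        reasons.append(f"registered {(TODAY - registered).days} days ago")
    label = dst.split(".")[0]
    if len(label) >= 8 and shannon_entropy(label) > ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy label {label!r}")
    return "; ".join(reasons) or None


CHECKS = {"process_create": check_process, "task_create": check_task, "http_out": check_http}


def run_detections(lines):
    """Return a list of (event type, reason) for every line that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        check = CHECKS.get(ev.get("type"))
        reason = check(ev) if check else None
        if reason:
            alerts.append((ev["type"], reason))
    return alerts


if __name__ == "__main__":
    for event_type, reason in run_detections(SAMPLE_LOGS):
        print(f"[{event_type}] {reason}")
```

Running the script prints three alerts: the encoded PowerShell line with its decoded content, the non-baseline `\MyTask` task that launches PowerShell, and the POST to the twelve-day-old, high-entropy domain; the `-File` invocation, the baseline defrag task and the request to the long-registered internal host are left alone. Decoding the encoded argument rather than merely flagging its presence is what lets an analyst triage quickly, since legitimate tooling also uses `-EncodedCommand`.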
Analyst Notes
This case illustrates the evolving tactics of threat actors and underscores the importance of behavioral detection mechanisms over static signatures. The reliance on custom malware and sophisticated evasion techniques emphasizes the need for continuous monitoring and real-time analysis in identifying compromised systems. Businesses should bolster their email filtering solutions and invest in user training to recognize phishing attempts. Continuous threat hunting will be critical in mitigating these threats moving forward.
Source: Original Report