Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- Identified phishing emails leveraging social engineering techniques to gain initial access.
- Malware implant employed multiple persistence mechanisms, including scheduled tasks and registry modifications.
- Robust command and control network, with beaconing patterns indicating exfiltration of sensitive data.
Executive Summary
During our recent investigation into a sophisticated phishing campaign, we observed a structured and calculated approach by the threat actor to breach targeted organizations. The analysis revealed a multi-stage attack that began with carefully crafted phishing emails designed to deceive employees into executing malicious attachments. The payload, a variant of a Remote Access Trojan (RAT), exhibited advanced capabilities, including persistence and lateral movement within the victim’s infrastructure. This report provides an in-depth breakdown of the tactics, techniques, and procedures (TTPs) employed throughout the attack lifecycle.
Initial Access
Our investigation highlighted that initial access was facilitated through phishing emails that contained enticing subject lines and seemingly legitimate attachments. The emails' pretext involved urgency, prompting users to open attachments labeled as invoices. The attached files, when executed, dropped an executable file in the user's profile directory, specifically at C:\Users\%USERNAME%\AppData\Local\Temp\. This executable was designed to perform post-exploitation measures immediately upon execution.
Execution & Persistence
Upon execution, the implant initiated several processes to establish persistence within the compromised environment. Our analysis revealed that it utilized the Registry Run keys, specifically HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, to ensure it started with every user logon. Additionally, a scheduled task was created under C:\Windows\System32\Tasks\, allowing periodic execution of the malware every few hours. This redundancy made detection challenging, as it utilized built-in Windows functionality.
Command and Control
The implant exhibited robust command and control (C2) communication patterns, establishing connections to a set of compromised domains. The primary communication was established over HTTPS, making it difficult to detect through traditional network monitoring tools. Our analysis identified beaconing traffic occurring at regular intervals, typically every 30 minutes. The C2 server responded to the implant with commands to retrieve additional payloads or exfiltrate data, indicating a dual-purpose approach from the actor.
Lateral Movement & Discovery
Next, the threat actor leveraged the compromised credentials to perform lateral movement throughout the network. We observed the use of T1075 – Pass the Hash techniques, allowing the actor to access other systems without needing to know the plaintext password. Tools configured for this purpose included Windows Management Instrumentation (WMI) and PsExec, facilitating the rapid spread of the infection across the network. Discovery methods included enumeration of network shares and user accounts, providing the actor with a clear map of available resources.
Impact & Objectives
The primary objectives of the threat actor appeared to be data exfiltration and potential lateral access to high-value assets. The malware collected sensitive information, such as user credentials and financial records, and packaged it for exfiltration. Our investigation revealed attempts to access Active Directory (AD) databases, indicating the actor’s intent to escalate privileges further and target system administrators. This breach not only threatened the organization’s operations but also exposed sensitive customer data, raising the stakes significantly.
MITRE ATT&CK Mapping
- T1566 – Phishing: Initial access vector utilizing deceptive emails
- T1059 – Command-Line Interface: Execution method through command shell
- T1071.001 – Application Layer Protocol: Web Protocols: C2 communication over HTTPS
- T1075 – Pass the Hash: Lateral movement technique
- T1018 – Remote Service Session Hijacking: Leveraged for lateral movement
Detection Opportunities
- Monitor for unusual clustering of outbound traffic to newly accessed domains on the network, particularly over HTTPS.
- Implement detection for changes made to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and flag suspicious entries.
- Utilize endpoint detection and response (EDR) solutions to capture and analyze process creation events for known malicious behaviors during lateral movement.
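Added example, not from the original report: a Python check implementing the first detection opportunity, flagging source/destination pairs whose HTTPS connections recur at a near-constant interval (the roughly 30-minute beacon described above) in proxy logs. The log lines, host names, IP address and timestamps are constructed for the demonstration.

```python
"""Flag periodic outbound HTTPS connections (beaconing) in proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample proxy log lines (not from the report): "timestamp src dst:port action".
# cdn-update.example is contacted every ~30 min; mail.example is ordinary irregular traffic.
SAMPLE_LOG = """\
2024-03-04T09:00:02 10.0.5.21 cdn-update.example:443 CONNECT
2024-03-04T09:07:15 10.0.5.21 mail.example:443 CONNECT
2024-03-04T09:30:04 10.0.5.21 cdn-update.example:443 CONNECT
2024-03-04T09:41:58 10.0.5.21 mail.example:443 CONNECT
2024-03-04T10:00:01 10.0.5.21 cdn-update.example:443 CONNECT
2024-03-04T10:30:03 10.0.5.21 cdn-update.example:443 CONNECT
2024-03-04T10:55:30 10.0.5.21 mail.example:443 CONNECT
2024-03-04T11:00:05 10.0.5.21 cdn-update.example:443 CONNECT
2024-03-04T11:02:10 10.0.5.21 mail.example:443 CONNECT
"""

def parse(log_text):
    """Yield (src, dst, port, timestamp) for each log line."""
    for line in log_text.splitlines():
        ts, src, dst_port, _action = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield src, dst, int(port), datetime.fromisoformat(ts)

def find_beacons(log_text, min_hits=4, max_jitter=0.1, port=443):
    """Return {(src, dst): median_interval_seconds} for periodic connection pairs.

    A pair is flagged when it has at least min_hits connections on `port` and its
    inter-arrival times are tightly clustered (std-dev / mean <= max_jitter)."""
    seen = defaultdict(list)
    for src, dst, p, ts in parse(log_text):
        if p == port:
            seen[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = median(gaps)
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: beacon every ~{interval / 60:.1f} min")
```

In production the jitter threshold and minimum hit count need tuning against baseline traffic, since legitimate update checks are also periodic; pairing a hit with the domain's first-seen date narrows the results to newly accessed domains.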
Analyst Notes
Throughout this investigation, we emphasized the need for improved user awareness around phishing attacks, as human factors are often the weakest link in cybersecurity. Additionally, employing a layered security approach can mitigate the risks from such sophisticated attacks, including implementing rigorous endpoint monitoring and comprehensive user training programs. Regular audits of network traffic and user behavior analytics can provide early warning signs of such attacks. The quick identification of abnormal activities could substantially minimize potential damage from similar future incidents.