Priya Nair — Digital Forensics Analyst
Key Takeaways
- Recent APT attacks utilize custom malware designed to evade detection and maintain persistence.
- Initial access often employs phishing campaigns with weaponized documents to drop malware.
- The attack chain demonstrates sophisticated use of T1071.001 – Application Layer Protocol: Web Protocols for command and control communication.
Executive Summary
Throughout our investigation of a recent advanced persistent threat (APT) campaign, we observed a series of techniques the threat actor used to exfiltrate sensitive data while maintaining a low profile. Our analysis revealed that the attackers used custom malware known as DropperX, delivered via a spear-phishing email containing a malicious attachment. We focused our examination on the behavior of this malware, its persistence mechanisms, and its communication patterns with command and control (C2) servers. This post details the findings from our deep dive into the attack’s lifecycle, covering the technical capabilities and goals of the threat actor.
Initial Access
We identified that the initial compromise was achieved through a phishing campaign targeting high-level executives within the organization. Victims received an email whose subject line purported to concern a business proposal. The attachment, named Proposal_2023.pptx, contained a malicious macro that, once enabled by the user, ran a series of PowerShell commands to download DropperX from a remote server at http://malicious-domain.com/payload.exe. Our analysis indicated that, before executing the dropper, the macro disabled antivirus software (T1089 – Disabling Security Tools).
Execution & Persistence
Upon execution, DropperX created a process named dllhost.exe, which extracted a secondary payload and executed it using the Windows T1505.003 – Subversion of Controls: Application Layer Protocol technique. The malware placed its files in the AppData directory, specifically at C:\Users\UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hidden.exe, so that it ran again after every reboot. It also created a registry entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hidden so the implant is loaded at system start. This redundancy indicated the actor’s intention to survive attempts to remove the implant.
Command and Control
For command and control, DropperX communicated with its server over encrypted HTTP requests. During our inspection, we noted that the malware beaconed to http://malicious-domain.com/api/update every 5 minutes, consistent with T1071.001 – Application Layer Protocol: Web Protocols. The encoded payloads exchanged in these requests were structured to pass unnoticed by common security appliances. We found that the C2 traffic was masked with legitimate-looking HTTP headers, simulating benign web traffic and complicating detection.
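A fixed five-minute cadence is a signal that legitimate-looking headers cannot hide. The following Python is an added example, not code from the report: it parses constructed proxy log lines (a simplified timestamp/host/method/URL/status layout assumed here), measures the regularity of the gaps between requests to the same destination, and flags the /api/update series while leaving ordinary browsing alone.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (timestamp, source host, method, URL, status) written for
# this example; it is not evidence from the report. The implant's cadence gives it away.
SAMPLE_LOG = """\
2023-06-01T09:00:02Z 10.0.5.23 GET http://malicious-domain.com/api/update 200
2023-06-01T09:01:10Z 10.0.5.23 GET http://cdn.example.org/app.js 200
2023-06-01T09:05:01Z 10.0.5.23 GET http://malicious-domain.com/api/update 200
2023-06-01T09:10:03Z 10.0.5.23 GET http://malicious-domain.com/api/update 200
2023-06-01T09:12:44Z 10.0.5.23 GET http://cdn.example.org/app.js 304
2023-06-01T09:15:00Z 10.0.5.23 GET http://malicious-domain.com/api/update 200
2023-06-01T09:20:02Z 10.0.5.23 GET http://malicious-domain.com/api/update 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Yield (timestamp, source_host, destination) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        dest = m.group(4).split("://", 1)[-1]  # drop the scheme, keep host + path
        yield ts, m.group(2), dest

def find_beacons(log_text, min_hits=4, max_jitter_ratio=0.05):
    """Return {(source, destination): mean_interval_seconds} for request series
    whose inter-request gaps are nearly constant; human browsing does not do that."""
    series = defaultdict(list)
    for ts, src, dest in parse(log_text):
        series[(src, dest)].append(ts)
    flagged = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A coefficient of variation near zero means timer-driven, scheduled traffic.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            flagged[key] = round(avg)
    return flagged

if __name__ == "__main__":
    for (src, dest), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dest}: beacon every ~{interval}s")
```

Tune min_hits and max_jitter_ratio to the observation window; implants that add random sleep need a looser ratio and a longer window.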
Lateral Movement & Discovery
After initial access and persistence were established, the actors began lateral movement within the environment. Our logs indicated the use of T1075 – Pass the Hash, which allowed them to move between systems with stolen NT LAN Manager (NTLM) hashes harvested during their reconnaissance phase. They reached additional systems by exploiting an open remote desktop protocol (RDP) connection. The malware also ran net use commands to access shared resources, showing lateral movement that relied on existing user privileges to reach sensitive data across the network.
Impact & Objectives
The ultimate objective of the threat actor appeared to be data exfiltration. We uncovered evidence of sensitive documents being uploaded to a drop account controlled by the adversaries. Using T1041 – Exfiltration Over Command and Control Channel, the malware compressed the data before sending it over the established C2 channel. C2 server responses included instructions for further enumeration of connected devices and potential targets for persistent access. This aspect of the attack emphasized the actor’s methodical approach to compiling sensitive information over time.
MITRE ATT&CK Mapping
- T1193 – Spear Phishing Link: The initial access was facilitated through spear-phishing emails containing malicious attachments.
- T1059.001 – Command and Scripting Interpreter: Windows Command Shell: PowerShell commands used to download and execute the malware were observed.
- T1071.001 – Application Layer Protocol: Web Protocols: C2 communications utilized encrypted HTTP requests to evade detection.
Detection Opportunities
- Monitor for unusual macro executions or suspicious PowerShell activity and enable logging for any PowerShell scripts.
- Establish honeypots within the environment to detect anomalous outbound HTTP traffic indicative of C2 communications.
- Implement a robust alerting system for any newly created persistence mechanisms, focusing particularly on startup directories and registry keys.
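The Startup folder and Run key described under Execution & Persistence are exactly what the last recommendation asks you to alert on. The following Python is an added example, not code from the report: it scans constructed Sysmon-style FileCreate (EventID 11) and RegistryEvent value-set (EventID 13) records, rendered as JSON lines with a placeholder SID, and raises a finding for any write into those two locations together with the process responsible.

```python
import json
import re

# Constructed Sysmon-style events as JSON lines (EventID 11 = FileCreate,
# 13 = RegistryEvent value set); written for this example, not report evidence.
# The SID is a placeholder: Sysmon records HKCU paths as HKU\<SID>.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Windows\\System32\\dllhost.exe", "TargetFilename": "C:\\Users\\UserName\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hidden.exe"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\UserName\\Documents\\notes.txt"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\dllhost.exe", "TargetObject": "HKU\\S-1-5-21-PLACEHOLDER-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\hidden", "Details": "C:\\Users\\UserName\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hidden.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\BITS\\Start", "Details": "DWORD (0x00000003)"}
"""

# Persistence locations named in the report: the per-user Startup folder and the Run key.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

def find_persistence(events_text):
    """Return one finding per event that writes to a startup location, carrying the
    writing process so the alert has context for triage."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):
            findings.append({"kind": "startup_folder", "image": ev["Image"],
                             "target": ev["TargetFilename"]})
        elif ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append({"kind": "run_key", "image": ev["Image"],
                             "target": ev["TargetObject"], "command": ev.get("Details", "")})
    return findings

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"{f['kind']}: {f['image']} wrote {f['target']}")
```

Both findings point at the same dllhost.exe process, which is the correlation that separates a real implant from an installer legitimately registering itself.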
Analyst Notes
This investigation highlighted the importance of continuous monitoring and of proactive user training to recognize phishing lures, particularly for high-value targets. We further recommend tuning endpoint detection and response (EDR) solutions to identify behaviors typical of this actor’s methods, while ensuring that network segmentation is in place to limit lateral movement. As the threat landscape evolves, intelligence-driven defenses and continuous adaptation to emerging attack vectors remain essential.