A Deep Dive into Advanced Malware: Analyzing the Latest Cyber Attack Chain

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • The actor utilized phishing emails to deliver a malicious Excel document, exploiting the victim’s trust.
  • Persistence was achieved through the creation of scheduled tasks and modification of registry keys.
  • C2 communication was obscured via a series of DNS tunnels, making detection more challenging.

Executive Summary

This report details our analysis of a multi-stage malware attack conducted by a sophisticated actor. The attack leverages social engineering tactics to gain initial access, followed by the deployment of an implant that features multiple persistence mechanisms. Our investigation revealed the use of command and control (C2) communications embedded within DNS queries, effectively hiding the attacker’s presence while exfiltrating sensitive information and conducting lateral movement.

Initial Access

During the investigation, we observed that the initial access vector was a phishing campaign targeting employees of a financial services firm. The actor crafted a convincing email that appeared to come from a trusted partner and contained a link to a malicious Excel document hosted on a compromised legitimate website. The Excel file carried macros that executed the malware automatically once the victim enabled macro content.

Execution & Persistence

The sample we examined deployed a remote access Trojan referred to as DarkComet, launched by the embedded macro. Once running, it dropped several files into the C:\Users\Public\Documents\ folder. We noted the creation of a scheduled task named ‘UpdateService’ that relaunched the Trojan after a system reboot.

Additionally, the actor modified registry entries to conceal the malware’s presence further. Key modifications were located in HKCU\Software\Microsoft\Windows\CurrentVersion\Run\, which allowed the implant to execute upon user login, maintaining a foothold within the environment.
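The two persistence mechanisms described above, a scheduled task and a Run-key value that both point into a user-writable directory, can be hunted for in endpoint telemetry. The following Python script is an added example written for this article, not code from the original investigation. It assumes events shaped like Sysmon Event ID 13 (registry value set) and Event ID 1 (process creation), supplied here as constructed sample records, and flags Run-key values and `schtasks /create` invocations whose target executable lives under C:\Users\Public, ProgramData or a Temp directory. The file name svc.exe and the vendor paths are constructed.

```python
import re

# Constructed sample telemetry, shaped after Sysmon Event ID 13 (registry value set)
# and Event ID 1 (process creation). Illustrative only; not from the report's data.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\Documents\svc.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" /quiet'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "UpdateService" /tr C:\Users\Public\Documents\svc.exe /sc onstart'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /tn UpdateService"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Matches the per-user and machine-wide Run / RunOnce autostart keys.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories any user can write to; an autostart entry pointing here is suspicious.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")
# Captures the /tr (task run) argument of schtasks, quoted or bare.
TR_ARG_RE = re.compile(r'/tr\s+("[^"]+"|\S+)', re.I)


def first_path(value: str) -> str:
    """Return the executable path from a command string, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" ")[0]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_registry_run(event: dict):
    """Flag a Run-key value whose target executable lives in a user-writable directory."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    target = first_path(event.get("Details", ""))
    if in_user_writable(target):
        return {"rule": "run_key_user_writable", "value": event["TargetObject"], "target": target}
    return None


def check_schtasks_create(event: dict):
    """Flag a 'schtasks /create' whose /tr target lives in a user-writable directory."""
    if event.get("EventID") != 1 or not event.get("Image", "").lower().endswith(r"\schtasks.exe"):
        return None
    cmd = event.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    m = TR_ARG_RE.search(cmd)
    if m and in_user_writable(first_path(m.group(1))):
        return {"rule": "schtask_user_writable", "target": first_path(m.group(1)), "cmd": cmd}
    return None


def find_persistence(events) -> list:
    """Run every persistence check over the event stream and collect the hits."""
    findings = []
    for ev in events:
        for check in (check_registry_run, check_schtasks_create):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(finding)
```

The vendor installer writing an HKLM Run value into Program Files is deliberately left unflagged: the discriminator is not "a Run value was written" but "the autostart target is somewhere an unprivileged user could have dropped it", which is what the implant in this report did.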

Command and Control

Our analysis found that the actor’s C2 mechanism relied heavily on DNS tunneling. The implant communicated with the attacker’s infrastructure via DNS requests, embedding commands in the subdomains requested by the infected host. This method concealed the traffic by carrying it over a legitimate, normally permitted protocol, allowing it to bypass traditional network defenses.

The domains associated with the C2 were previously identified as benign, making filtering and detection considerably more difficult. This tactic aligns with the T1071.001 – Application Layer Protocol: Web Protocols technique outlined in MITRE’s ATT&CK framework.
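Because the C2 zones looked benign by reputation, detection of the tunnel has to come from the shape of the queries rather than from the domain names. The Python script below is an added example written for this article and is not tooling from the original investigation. It assumes a resolver log in a constructed "timestamp client qtype qname" format, groups queries by zone (simplified here to the last two labels; production code should use the public suffix list), and scores each zone on four tunneling signals: the share of never-repeated subdomains, mean subdomain length, mean Shannon entropy of the subdomain characters, and the share of bulky record types such as TXT. The sample log lines and the zone cdn-sync.example.net are constructed.

```python
import math
from collections import defaultdict

# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>".
# Illustrative only; not from the original investigation's telemetry.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 ws-17 A www.example.com
2024-05-01T10:00:02 ws-17 A mail.example.com
2024-05-01T10:00:03 ws-17 A www.example.com
2024-05-01T10:00:04 ws-17 TXT 6a1f0c9d3e7b5a2c4f8e1d0b9a7c6e5f.cdn-sync.example.net
2024-05-01T10:00:05 ws-17 TXT 0b8d2e4f6a1c3e5d7f9b1a3c5e7d9f2a.cdn-sync.example.net
2024-05-01T10:00:06 ws-17 A mail.example.com
2024-05-01T10:00:07 ws-17 TXT c3e5a7d9f1b2c4e6a8d0f2b4c6e8a1d3.cdn-sync.example.net
2024-05-01T10:00:08 ws-17 TXT 9f1e3d5c7b9a1f3e5d7c9b1a3f5e7d9c.cdn-sync.example.net
2024-05-01T10:00:09 ws-17 A www.example.com
2024-05-01T10:00:10 ws-17 TXT 4d6f8a0c2e4d6f8a0c2e4d6f8a0c2e4d.cdn-sync.example.net
2024-05-01T10:00:11 ws-17 A login.example.org
"""

BULKY_TYPES = {"TXT", "NULL"}  # record types that carry the most attacker-controlled bytes


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hostnames score low, encoded data scores high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (zone, subdomain). Last-two-labels zone is a simplification."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield {"ts": parts[0], "client": parts[1], "qtype": parts[2], "qname": parts[3]}


def profile_zones(records):
    """Accumulate per-zone counters needed for the tunneling score."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "label_len": 0, "entropy": 0.0, "bulky": 0})
    for r in records:
        zone, sub = split_name(r["qname"])
        s = stats[zone]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["label_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["bulky"] += r["qtype"].upper() in BULKY_TYPES
    return stats


def score_zone(zone: str, s: dict, min_queries: int = 5):
    """Return an alert dict when at least three of four tunneling signals fire."""
    n = s["queries"]
    if n < min_queries:
        return None
    unique_ratio = len(s["subdomains"]) / n
    mean_len = s["label_len"] / n
    mean_entropy = s["entropy"] / n
    bulky_ratio = s["bulky"] / n
    reasons = []
    if unique_ratio >= 0.8:
        reasons.append(f"unique_subdomain_ratio={unique_ratio:.2f}")
    if mean_len >= 20:
        reasons.append(f"mean_subdomain_len={mean_len:.1f}")
    if mean_entropy >= 3.0:
        reasons.append(f"mean_entropy={mean_entropy:.2f}")
    if bulky_ratio >= 0.5:
        reasons.append(f"bulky_record_ratio={bulky_ratio:.2f}")
    if len(reasons) >= 3:
        return {"zone": zone, "queries": n, "reasons": reasons}
    return None


def detect_tunneling(log_text: str, min_queries: int = 5) -> list:
    alerts = []
    for zone, s in profile_zones(parse_log(log_text)).items():
        hit = score_zone(zone, s, min_queries)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(SAMPLE_DNS_LOG):
        print(alert)
```

The example.com traffic has the same query count as the tunnel but repeats a handful of short, low-entropy names over A records, so none of the signals fire; the thresholds are starting points to tune against your own resolver baseline, and `min_queries` keeps single odd lookups from paging anyone.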

Lateral Movement & Discovery

After establishing a foothold, the actor initiated lateral movement within the network by leveraging Windows Management Instrumentation (WMI). This allowed them to probe other systems for sensitive data and gain higher privileges without attracting much attention. The presence of tools such as Mimikatz was noted, which indicates the actor’s intent to harvest credentials from memory.

Furthermore, reconnaissance actions were executed to gather user information and share configurations using commands like net group and query user, revealing a broader view of the internal network landscape. This aligns with T1087.001 – Account Discovery: Local Account within MITRE ATT&CK.
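Individually, commands like net group and query user are routine; what distinguishes the activity described above is several distinct discovery commands from one host inside a short window, sometimes followed by remote WMI. The Python script below is an added example written for this article, not tooling from the original investigation. It assumes process-creation events (timestamp, host, user, command line) of the kind Windows Security Event 4688 or Sysmon Event ID 1 produce, supplied here as constructed samples, classifies each command line into a discovery category, and raises one alert per host when at least three distinct categories occur within five minutes. The hosts ws-17, srv-helpdesk and fs-02 and the user names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, user, command line).
# Illustrative only; not from the original investigation's telemetry.
SAMPLE_PROCESS_EVENTS = [
    ("2024-05-01T09:15:00", "srv-helpdesk", "svc_help", "query user"),
    ("2024-05-01T11:00:05", "ws-17", "jdoe", 'net group "Domain Admins" /domain'),
    ("2024-05-01T11:00:09", "ws-17", "jdoe", "query user"),
    ("2024-05-01T11:00:14", "ws-17", "jdoe", "net user /domain"),
    ("2024-05-01T11:00:20", "ws-17", "jdoe", "notepad.exe readme.txt"),
    ("2024-05-01T11:00:40", "ws-17", "jdoe", "whoami /all"),
    ("2024-05-01T11:01:02", "ws-17", "jdoe", "nltest /dclist:corp"),
    ("2024-05-01T11:03:30", "ws-17", "jdoe", "wmic /node:fs-02 os get name"),
    ("2024-05-01T13:00:00", "srv-helpdesk", "svc_help", "whoami"),
    ("2024-05-01T15:30:00", "ws-17", "jdoe", "net user jdoe"),
]

# Discovery categories keyed by the command that starts the line (net1 and .exe variants included).
DISCOVERY_PATTERNS = {
    "net_group": re.compile(r"^net(1)?(\.exe)?\s+group\b", re.I),
    "net_user": re.compile(r"^net(1)?(\.exe)?\s+(user|localgroup)\b", re.I),
    "query_user": re.compile(r"^(query(\.exe)?\s+user|quser(\.exe)?)\b", re.I),
    "whoami": re.compile(r"^whoami(\.exe)?\b", re.I),
    "nltest": re.compile(r"^nltest(\.exe)?\b", re.I),
    "remote_wmi": re.compile(r"^wmic(\.exe)?\b.*\s/node:", re.I),
}


def classify(cmdline: str):
    """Return the discovery category for a command line, or None if it is not one."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline.strip()):
            return name
    return None


def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3) -> list:
    """Alert once per host when >= min_distinct discovery categories occur within `window`."""
    by_host = defaultdict(list)
    for ts, host, user, cmd in events:
        tag = classify(cmd)
        if tag:
            by_host[host].append((datetime.fromisoformat(ts), user, tag, cmd))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start = evs[i][0]
            j, tags, users = i, set(), set()
            # Extend the window forward from the current event.
            while j < len(evs) and evs[j][0] - start <= window:
                tags.add(evs[j][2])
                users.add(evs[j][1])
                j += 1
            if len(tags) >= min_distinct:
                alerts.append({"host": host, "users": sorted(users),
                               "start": start.isoformat(), "end": evs[j - 1][0].isoformat(),
                               "tags": sorted(tags), "count": j - i})
                i = j  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_PROCESS_EVENTS):
        print(alert)
```

The help-desk host running a lone query user and a lone whoami hours apart never reaches three categories, and the isolated net user on ws-17 in the afternoon does not reopen the earlier alert; tuning the window and category list against your own baseline (service accounts that legitimately enumerate groups, for example) is what keeps this signal useful.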

Impact & Objectives

The ultimate objective of the actor appeared to be data exfiltration, specifically targeting sensitive financial data. The collected information from various users was compressed and encrypted before being sent back through the C2 channel. We also noted footprints indicating attempts to install additional payloads that could facilitate ransomware deployment as a further monetization strategy.

MITRE ATT&CK Mapping

  • T1566 – Phishing: Initial phishing email using malicious Excel attachments.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: Execution of macros for automated payload deployment.
  • T1203 – Exploitation for Client Execution: Exploit of Excel’s macro capabilities.
  • T1071.001 – Application Layer Protocol: Web Protocols: Use of DNS for command and control communication.
  • T1087.001 – Account Discovery: Local Account: Gathering account information for lateral movement.

Detection Opportunities

  • Monitor for suspicious email activities, especially those containing unexpected attachments or links.
  • Implement network traffic analysis to identify abnormal DNS queries potentially indicative of tunneling activities.
  • Establish endpoint detection rules that can recognize persistence mechanisms such as suspicious scheduled tasks and registry modifications.

Analyst Notes

Our investigation highlights the evolving tactics employed by actors, particularly in their ability to blend in with legitimate operations. The reliance on DNS tunneling for C2 communication is especially concerning, as many organizations do not scrutinize DNS traffic closely. It is crucial for security teams to customize their detection strategies to account for these sophisticated techniques to effectively defend against such advanced threats.
