A Deep Dive into the Analysis of the Recent Phishing Campaign Exploiting Office Macros

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • Analysis of malicious Office macros reveals a sophisticated phishing campaign targeting enterprises.
  • Malware deployment leveraged T1193 – Spear Phishing Link and T1203 – Exploitation for Client Execution techniques.
  • Indicators of compromise (IOCs) highlight unique C2 patterns and persistence mechanisms.

Executive Summary

During our investigation of recent phishing incidents reported by multiple organizations, we discovered a specific strain of malware being deployed via malicious Office documents. The sample we examined employed embedded macros to facilitate initial access, leading to a robust set of tactics aimed at infiltrating enterprise networks. Our analysis focuses on how the actor used social engineering tactics to bypass user scrutiny and ultimately gain a foothold within the organization’s infrastructure.

Initial Access

The initial access vector was primarily through email, where users received spoofed messages mimicking legitimate business communications. We observed that the emails contained links prompting users to download seemingly benign files, including Word documents. Once opened, these documents executed embedded macros that triggered the download of the actual payload from the actor’s command and control (C2) infrastructure. The specific indicator of this behavior was the presence of macros under AutoOpen() and Document_Open() functions, common hooks for malicious scripts within Office files.

Execution & Persistence

Upon successful execution, the malware employed the T1203 – Exploitation for Client Execution technique, exploiting vulnerabilities in Office that allowed the actor to execute arbitrary code directly. The implant would drop itself into the user’s profile directory, specifically under C:\Users\[User]\AppData\Local\Temp, using a randomized filename to avoid detection. To maintain persistence, it created a registry value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing to the dropper, ensuring it would execute each time the user logged in.

Command and Control

As we analyzed traffic patterns, it became evident that the malware was communicating with a well-defined C2 infrastructure. The traffic exhibited unusual DNS queries and SSL/TLS-encrypted communications, routed through several hop points before reaching the final destination, likely to obfuscate the true C2 server. We identified multiple domain names that were used for beaconing, which were cycled out periodically to evade blacklisting efforts. The C2 server responded to commands at regular intervals, implying a structured protocol for payload updates and data exfiltration.

Lateral Movement & Discovery

Once the malware established a foothold, it employed various methods for lateral movement within the network. Utilizing T1075 – Pass the Hash and T1021.001 – Remote Services: RDP, the actor sought to escalate privileges. The behavior included executing PowerShell scripts to query domain user accounts, obtaining user credentials, and leveraging them for unauthorized access to additional machines. We documented instances of the malware attempting to access shared drives and sensitive files, indicating the actor’s focus on data harvesting.

Impact & Objectives

The objectives of this operation appeared to align with data exfiltration and potential ransomware deployment. Our analysis revealed that once critical systems were compromised, the actor attempted to collect sensitive data such as financial documents and employee credentials. Furthermore, we observed the implant’s code included features to install additional payloads that could potentially lead to more aggressive ransomware tactics. This highlighted the evolving nature of its objectives from initial infiltration to expanding the attack surface within an organization.

MITRE ATT&CK Mapping

  • T1193 – Spear Phishing Link: targeted users via emails containing malicious downloads.
  • T1203 – Exploitation for Client Execution: used to exploit vulnerabilities in the Office environment for first and subsequent payload execution.
  • T1075 – Pass the Hash: utilized to move laterally within the network by leveraging stolen hashed credentials.
  • T1021.001 – Remote Services: RDP: leveraged Remote Desktop Protocol to access and control various hosts in the environment.

Detection Opportunities

  • Monitor for unusual Word document macro execution via AutoOpen() and Document_Open() triggers.
  • Implement rules to detect abnormal registry modifications under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  • Leverage DNS monitoring to identify known C2 domains associated with the observed malware.
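The following script is an added example, not code from the original report, that turns the three detection opportunities above (plus the Run-key persistence described under Execution & Persistence) into triage logic run over constructed endpoint telemetry. It assumes Sysmon-shaped newline-delimited JSON records (Event ID 1 process creation, 13 registry value set, 22 DNS query) with Sysmon's field names; the records, the user SID and the C2 watchlist domains are all constructed placeholders, since the report does not publish its indicators. Process telemetry does not see the AutoOpen()/Document_Open() trigger itself, so the macro check uses the usual proxy: an Office host spawning a script interpreter.

```python
"""Triage of constructed Sysmon-style events against the report's detection
opportunities. Example code, not part of the original report."""
import json
import re

# Sysmon writes HKEY_CURRENT_USER as HKU\<SID>; accept the report's HKCU form too.
HIVE_PREFIX = re.compile(r"^(hkey_current_user|hkcu|hku\\s-1-5-[\d-]+)\\", re.IGNORECASE)
RUN_KEY_SUFFIX = "software\\microsoft\\windows\\currentversion\\run\\"

# Drop directory named in the report; a Run value launching from here is suspect.
SUSPECT_DROP_DIRS = ("\\appdata\\local\\temp\\",)

OFFICE_HOSTS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")

# Placeholder C2 watchlist (constructed; the report does not list its domains).
C2_WATCHLIST = ("c2-placeholder.example", "beacon-placeholder.example")


def _basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_run_key(target):
    """True when a registry TargetObject is a value under the current user's Run key."""
    stripped = HIVE_PREFIX.sub("", target)
    return stripped.lower().startswith(RUN_KEY_SUFFIX)


def check_event(ev):
    """Return a finding string for one event, or None when nothing matches."""
    eid = ev.get("EventID")
    if eid == 1:  # process creation: Office host spawning a script interpreter
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
            return f"office-macro-proxy: {parent} spawned {child}"
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if is_run_key(target):
            if any(d in details.lower() for d in SUSPECT_DROP_DIRS):
                return f"run-key-persistence: {target} -> {details}"
            return f"run-key-modified: {target}"  # lower severity: review, not alert
    elif eid == 22:  # DNS query against the watchlist (exact or subdomain match)
        q = ev.get("QueryName", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in C2_WATCHLIST):
            return f"c2-dns: {q} from {_basename(ev.get('Image', ''))}"
    return None


def triage(lines):
    """Run check_event over newline-delimited JSON records; return the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the whole run
        hit = check_event(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: two benign records, four that should fire.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\x7f3k2.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"EventID": 22, "QueryName": "cdn.c2-placeholder.example", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\x7f3k2.exe"}
{"EventID": 22, "QueryName": "www.microsoft.com", "Image": "C:\\Windows\\explorer.exe"}
'''.strip().splitlines()


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The Run-key check deliberately separates a value that points into the Temp drop directory (alert) from any other Run-key write (review), because legitimate installers write that key constantly and an undifferentiated rule drowns the signal the report describes. The DNS check matches subdomains as well as exact names so that the periodic domain cycling noted under Command and Control does not defeat a suffix-based watchlist.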

Analyst Notes

This investigation underscores the persistence and adaptability of threat actors utilizing phishing as an attack vector. Continued vigilance is essential, including user awareness training and monitoring for signs of phishing attacks. Additionally, enhancing detection capabilities around macro execution and lateral movement can significantly mitigate the risk of similar attacks in the future.
