Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- The attack leveraged credential stuffing as the initial access vector.
- Our analysis identified the use of a custom C2 architecture to exfiltrate sensitive data.
- The threat actor employed multiple persistence mechanisms, including registry modifications and scheduled tasks.
Executive Summary
During our investigation into a recent series of incidents, we uncovered an attack campaign that utilized credential stuffing to gain access to corporate accounts. Once inside, the threat actor employed a custom-built malware implant designed specifically to facilitate lateral movement and data exfiltration. Our analysis of the samples revealed a complex command and control (C2) setup, primarily run through proxy servers, which effectively obscured the actor’s identity. This report chronicles the attack phases from initial access through to impact, providing insights into the TTPs (Tactics, Techniques, and Procedures) observed during the investigation.
Initial Access
The initial access vector utilized in this attack was a classic credential stuffing technique. The threat actor harnessed breached username and password pairs from a variety of public and dark web repositories. Our analysis revealed that they targeted several cloud services, capturing valid user credentials en masse. The compromised accounts allowed the actor to gain a foothold within environments, where they could escalate privileges unnoticed.
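The pattern that distinguishes credential stuffing from a brute force is many accounts tried from one source with few attempts each, and the accounts that succeed inside such a spray are the ones to reset first. The following detector is an added example, not code from the original report; it assumes a constructed authentication log format (ISO timestamp, source IP, username, FAIL or SUCCESS) and sample values that are all placeholders.

```python
"""Credential-stuffing detection over authentication log lines.

Added example (not code from the original report). Assumes a constructed
format: ISO timestamp, source IP, username, result (FAIL|SUCCESS).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one source sprays many accounts, one legitimate
# user mistypes a password once, one normal login. IPs are documentation ranges.
SAMPLE_AUTH_LOG = """\
2024-01-01T10:00:01,203.0.113.5,alice,FAIL
2024-01-01T10:00:02,203.0.113.5,bob,FAIL
2024-01-01T10:00:03,203.0.113.5,carol,FAIL
2024-01-01T10:00:04,203.0.113.5,dave,FAIL
2024-01-01T10:00:05,203.0.113.5,erin,FAIL
2024-01-01T10:00:06,203.0.113.5,frank,SUCCESS
2024-01-01T10:00:07,203.0.113.5,grace,FAIL
2024-01-01T10:01:00,198.51.100.7,alice,FAIL
2024-01-01T10:01:30,198.51.100.7,alice,SUCCESS
2024-01-01T11:00:00,192.0.2.9,heidi,SUCCESS
"""


def parse_auth_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, inside any sliding time window, tried at least
    `min_users` distinct usernames with mostly failures.
    Returns {ip: summary}; the summary records the widest window seen."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e[2] for e in in_window}
            failures = sum(1 for e in in_window if e[3] == "FAIL")
            fail_ratio = failures / len(in_window)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "failures": failures,
                    # Accounts that succeeded inside a spray: reset and review first.
                    "successful_accounts": sorted(
                        e[2] for e in in_window if e[3] == "SUCCESS"),
                }
                prev = findings.get(ip)
                if prev is None or summary["distinct_users"] > prev["distinct_users"]:
                    findings[ip] = summary
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(
            parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, summary)
```

The thresholds (five distinct accounts within ten minutes, at least 60% failures) are starting points to tune against the baseline of the identity provider in question; a shared NAT egress or a password-reset campaign will need higher values or an allow-list.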
Execution & Persistence
Once valid credentials were acquired, the actor deployed a dropper, embedded within a phishing email attachment. The dropper executed a PowerShell script that downloaded the primary payload from a remote server. This payload was a sophisticated custom malware variant engineered for stealth, capable of executing various functions such as keylogging, screen capturing, and additional payload delivery. To ensure persistence, the actor created a new scheduled task under the Windows Task Scheduler, which executed the malware on system startup. We observed modifications made to the registry, specifically at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, where keys pointing to the malware executable were present.
Command and Control
The command and control infrastructure showcased the actor’s emphasis on stealth and redundancy. The C2 communication relied heavily on HTTP/S traffic routed through several proxy servers across various geolocations. During our analysis, we detected beaconing behavior at intervals of 10 to 15 minutes, suggesting a well-planned data retrieval cycle. The C2 server response included instructions for downloading additional modules, confirming a multi-stage infection process. The sample we examined demonstrated the ability to respond dynamically to commands while maintaining a low profile on the infected systems.
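The regular 10 to 15 minute beaconing described above is detectable from proxy logs alone: group requests by client and destination host, compute the gaps between them, and flag series whose timing is too regular to be a human. This is an added example, not code from the original report; the log format (timestamp, client IP, method, URL, status) and every host and address in it are constructed.

```python
"""Beaconing detection over proxy log lines.

Added example (not from the original report). Assumes a constructed
space-separated format: timestamp, client IP, method, URL, status.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: one host polls an external domain roughly every 12
# minutes with small jitter; the same host browses an intranet site irregularly.
SAMPLE_PROXY_LOG = """\
2024-01-01T09:00:00 10.0.0.12 GET https://cdn-updates.example/status 200
2024-01-01T09:01:00 10.0.0.12 GET https://intranet.example/home 200
2024-01-01T09:03:00 10.0.0.12 GET https://intranet.example/home 200
2024-01-01T09:12:10 10.0.0.12 GET https://cdn-updates.example/status 200
2024-01-01T09:24:05 10.0.0.12 GET https://cdn-updates.example/status 200
2024-01-01T09:36:30 10.0.0.12 GET https://cdn-updates.example/status 200
2024-01-01T09:40:00 10.0.0.12 GET https://intranet.example/home 200
2024-01-01T09:48:00 10.0.0.12 GET https://cdn-updates.example/status 200
2024-01-01T10:00:20 10.0.0.12 GET https://cdn-updates.example/status 200
2024-01-01T11:15:00 10.0.0.12 GET https://intranet.example/home 200
"""


def parse_proxy_log(text):
    """Return (timestamp, client_ip, host) for each request line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        events.append((datetime.fromisoformat(ts), client, urlsplit(url).hostname))
    return events


def find_beacons(events, min_intervals=4, max_cv=0.2):
    """Group requests by (client, host) and compute inter-request intervals.
    A low coefficient of variation (stdev / mean) over enough intervals means
    the timing is machine-regular, the signature of a beacon.
    Returns {(client, host): {"intervals", "mean_interval_s", "cv"}}."""
    times = defaultdict(list)
    for ts, client, host in events:
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(intervals) < min_intervals:
            continue
        mean = statistics.fmean(intervals)
        if mean == 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons[key] = {"intervals": len(intervals),
                            "mean_interval_s": round(mean, 1),
                            "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} -> {host}: every ~{info['mean_interval_s'] / 60:.1f} min, cv={info['cv']}")
```

Implants that add randomized jitter raise the coefficient of variation, so in practice the threshold is set per environment and the check is paired with destination rarity (how many hosts talk to that domain) rather than used alone; software updaters and telemetry agents beacon too, and an allow-list of known pollers keeps them out of the queue.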
Lateral Movement & Discovery
After executing the initial payload, our investigation showed that lateral movement was achieved through credential harvesting techniques and exploiting trusts between organizational accounts. The implant utilized Windows Management Instrumentation (WMI) to execute commands on other connected machines. This lateral movement technique was particularly effective, allowing the actor to pivot from one compromised account to another. Additionally, the malware performed reconnaissance using PowerShell commands to enumerate users, groups, and shares, giving the attacker crucial insights into the network structure.
Impact & Objectives
The actor’s objectives appeared to be twofold: data exfiltration and maintaining long-term access. Sensitive data was exfiltrated in stages, with initial targets being file shares containing financial and personal information. Our analysis revealed that over 500 MB of data was successfully sent to the C2 infrastructure before the organization initiated incident response protocols. Furthermore, the implant’s design and operational methodology suggested a capability for future operations, indicating that the actor intended to maintain persistent access to the compromised environment.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: The actor utilized HTTP/S for C2 communication.
- T1078 – Valid Accounts: The initial access was gained through credential stuffing techniques exploiting compromised accounts.
- T1059.001 – Command and Scripting Interpreter: PowerShell: The malware utilized PowerShell for script execution and lateral movement.
- T1021.001 – Remote Services: Remote Desktop Protocol: The actor used RDP for lateral movements across the network.
Detection Opportunities
- Monitor for unusual login behavior, especially from locations inconsistent with user history.
- Implement detections for modifications to registry keys that are associated with malicious persistence mechanisms.
- Use endpoint detection and response (EDR) tools to flag suspicious PowerShell activities and unauthorized usage of WMI for lateral movements.
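The registry, PowerShell and WMI opportunities listed above map onto a handful of endpoint telemetry rules. The block below is an added example, not code from the original report or from any EDR product; it runs four rules over constructed Sysmon-style events (EventID 13 registry value set, EventID 1 process create) whose paths, SIDs and task names are placeholders, and tags each finding with the ATT&CK technique it evidences.

```python
"""Endpoint persistence and lateral-movement detections over Sysmon-style events.

Added example (not from the original report). Events are constructed dicts
mirroring a few Sysmon fields (EventID, Image, ParentImage, CommandLine,
TargetObject, Details); the paths, SIDs and names are placeholders.
"""
import re

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
POWERSHELL_SUSPECT = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|-encodedcommand|-enc\b|-e\b)", re.I)

# Constructed events: a Run-key write to a user-writable path, a scheduled task
# pointing at the same binary, a hidden encoded PowerShell invocation, a process
# spawned by the WMI provider host, and a benign service start.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "CommandLine": r'schtasks /create /tn Updater /sc onstart /tr "C:\Users\alice\AppData\Roaming\svc.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64 placeholder>"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def _untrusted_path(path):
    """True when a binary path lies outside the OS and Program Files trees."""
    p = path.lower().strip('"')
    return not p.startswith(TRUSTED_DIRS)


def rule_run_key_persistence(ev):
    """Sysmon 13: value written under a Run key that points at an untrusted path."""
    return (ev.get("EventID") == 13
            and RUN_KEY.search(ev.get("TargetObject", "")) is not None
            and _untrusted_path(ev.get("Details", "")))


def rule_scheduled_task_persistence(ev):
    """schtasks /create whose action (/tr) lives outside trusted directories."""
    cmd = ev.get("CommandLine", "")
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("schtasks.exe"):
        return False
    m = re.search(r'/tr\s+("[^"]+"|\S+)', cmd, re.I)
    return "/create" in cmd.lower() and m is not None and _untrusted_path(m.group(1))


def rule_suspicious_powershell(ev):
    """Hidden-window, encoded or downloading PowerShell invocation."""
    cmd = ev.get("CommandLine", "")
    return (ev.get("EventID") == 1
            and ev.get("Image", "").lower().endswith("powershell.exe")
            and ("hidden" in cmd.lower() or POWERSHELL_SUSPECT.search(cmd) is not None))


def rule_wmi_spawned_process(ev):
    """Process whose parent is the WMI provider host: what remote WMI execution leaves behind."""
    return (ev.get("EventID") == 1
            and ev.get("ParentImage", "").lower().endswith("\\wbem\\wmiprvse.exe"))


RULES = {
    "run_key_persistence": (rule_run_key_persistence, "T1547.001"),
    "scheduled_task_persistence": (rule_scheduled_task_persistence, "T1053.005"),
    "suspicious_powershell": (rule_suspicious_powershell, "T1059.001"),
    "wmi_spawned_process": (rule_wmi_spawned_process, "T1047"),
}


def evaluate(events):
    """Run every rule over every event and return the findings in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for name, (rule, technique) in RULES.items():
            if rule(ev):
                findings.append({"event": idx, "rule": name, "technique": technique})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

The Run-key and scheduled-task rules key on where the referenced binary lives rather than on the key or task name, since legitimate software writes Run values and creates tasks constantly but rarely from a user profile directory; the WMI rule is deliberately broad and is best correlated with a preceding inbound DCOM/WMI network connection to the same host before it is paged on.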
Analyst Notes
The analysis highlights the critical need for organizations to implement robust password policies and multi-factor authentication (MFA) to mitigate the risks associated with credential stuffing attacks. Furthermore, ongoing user training regarding phishing attacks can significantly decrease the likelihood of successful initial access. Continuous monitoring and threat hunting are essential strategies to detect lateral movements and unusual data exfiltration behaviors early in their lifecycle.