Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- Multi-stage infection process leveraging phishing and malicious macro execution.
- Extensive use of Lateral Movement techniques to propagate within the network.
- Identified Command and Control infrastructure with multiple fallback mechanisms.
Executive Summary
During our investigation of a recent malware incident, we observed a sophisticated attack chain that demonstrated the actor’s tactical versatility. The malware leveraged various techniques to achieve initial access, maintain persistence, and ultimately execute its payload. Our analysis revealed that the threat actor utilized social engineering to trick users into enabling malicious macros, a common tactic that serves as the springboard for subsequent stages of compromise. Through meticulous analysis, we traced the malware’s command and control communication, revealing the comprehensive nature of the actor’s operations.
Initial Access
The initial access vector we analyzed centered around a phishing campaign, wherein the actor distributed a document containing malicious macros. Upon opening the document, users were prompted with a message urging them to enable macros. Once macros were enabled, script execution commenced, downloading the initial payload from a remote server. The initial dropper, a .exe file named malicious_dropper.exe, was saved to %TEMP%\tempfile.exe, initiating the compromise.
Execution & Persistence
The dropper, once executed, used PowerShell scripts (T1059.001 – PowerShell) to maintain persistence on the compromised system. Our analysis revealed the dropper altered the Windows Task Scheduler, creating a new task under C:\Windows\System32\Tasks\MaliciousTask to ensure the malware executed on system startup. This tactic reflected the actor’s intention to secure persistence irrespective of user activity.
Command and Control
Subsequent to establishing persistence, the malware initiated communication with its command and control (C2) infrastructure. The sample we examined connected to a dynamic DNS service, communicating over an encrypted channel via HTTP requests to a domain such as maliciousdomain.com. This domain dynamically resolved to multiple IP addresses, circumventing traditional blocking methods. Our investigation noted that the actor deployed fallback C2 mechanisms, showcasing a robust infrastructure capable of evasion and redundancy.
Lateral Movement & Discovery
Once inside the network, the malware exhibited lateral movement capabilities via the T1075 – Pass the Hash technique. By leveraging stolen credentials, the threat actor gained elevated access to other systems within the domain. We observed attempts to enumerate domain users and groups, utilizing commands such as net user and net group. This phase was critical for the actor, allowing them to expand their foothold across the network.
Impact & Objectives
The ultimate objective of this operation appeared to be exfiltration of sensitive data. We noted attempts to access directories typically housing confidential information, such as user databases and financial records. The actor’s preliminary actions suggested intent to deploy additional payloads for data exfiltration. During our investigation, we intercepted communications confirming that the actor had succeeded in collecting and packaging sensitive data for transfer back to their C2 server.
MITRE ATT&CK Mapping
- T1566 – Phishing: Utilizing deceptive emails to trick users into opening a malicious document.
- T1059.001 – PowerShell: Execution of PowerShell scripts to manipulate the Windows environment for malicious purposes.
- T1075 – Pass the Hash: Acquiring credentials to maneuver laterally within the network.
Detection Opportunities
- Monitor for execution of PowerShell commands with unusual parameters, especially those invoking scripts.
- Implement logs and alerts for creation or modification of scheduled tasks under C:\Windows\System32\Tasks\.
- Utilize endpoint detection and response solutions to identify anomalous network traffic patterns indicative of C2 communications.
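As an added illustration of these detection opportunities (not part of the original report), the following Python sketch applies the PowerShell, scheduled-task and account-enumeration checks to constructed sample event records. The simplified "key=value|key=value" record format, the field names and the task allowlist are assumptions; real 4688/4698 events carry richer XML and different field names.

```python
import re

# Constructed sample events (not from the original report): a simplified
# "key=value|key=value" rendering of Windows Security event records.
SAMPLE_EVENTS = [
    "EventID=4688|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand SQBFAFgA",
    "EventID=4698|TaskName=\\MaliciousTask"
    "|TaskContent=<Exec><Command>%TEMP%\\tempfile.exe</Command></Exec>",
    "EventID=4698|TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"
    "|TaskContent=<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>",
    "EventID=4688|Image=C:\\Windows\\System32\\net.exe"
    "|CommandLine=net group \"Domain Admins\" /domain",
    "EventID=4688|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt",
]

# Every task lives under C:\Windows\System32\Tasks\, so alerting on the path alone is
# noisy: known-good task names are allowlisted and anything else is reviewed.
TASK_ALLOWLIST = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}

# PowerShell switches that rarely appear in interactive or admin use: no profile,
# hidden window, execution-policy bypass and Base64-encoded command bodies.
PS_FLAGS = re.compile(
    r"-(?:enc|encodedcommand|e|ep|exec|executionpolicy|w|windowstyle|nop|noprofile)\b",
    re.I,
)
# Domain/local account and group enumeration as seen during the discovery phase.
NET_ENUM = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+(?:user|group|localgroup)\b", re.I)


def parse_event(line):
    """Turn one 'k=v|k=v' record into a dict; values may contain '=' so split once."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return (technique, reason) for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    if eid == "4688" and "powershell" in event.get("Image", "").lower():
        flags = PS_FLAGS.findall(cmd)
        if flags:
            return ("T1059.001", "PowerShell with " + ", ".join(flags))
    if eid == "4688" and NET_ENUM.search(cmd):
        return ("Discovery", "account/group enumeration: " + cmd)
    if eid in ("4698", "4702") and event.get("TaskName") not in TASK_ALLOWLIST:
        return ("Scheduled task", f"new/changed task {event.get('TaskName')} runs {event.get('TaskContent')}")
    return None


def scan(lines):
    """Run every record through classify() and keep only the findings."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]
```

Event ID 4698 (task created) and 4702 (task updated) only appear when "Audit Other Object Access Events" is enabled, and 4688 needs command-line logging turned on, so both audit settings are prerequisites for this logic.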
Analyst Notes
This case underscores the need for continuous user education on the dangers of enabling macros from unverified documents. Furthermore, enhancing monitoring capabilities around scheduled tasks and lateral movement activities can bolster defenses against similar tactics. Ongoing threat intelligence sharing will also play a crucial role in understanding and mitigating the evolving landscape of such multi-stage attacks.
Source: Original Report