Analysis of a Recent Credential Theft Campaign Leveraging Phishing and Custom Payloads

Daniel Osei — SOC Lead & Malware Analyst

Key Takeaways

  • Actors employed multi-faceted phishing techniques to gain initial access.
  • The custom payload used for execution showed advanced evasion techniques to bypass security mechanisms.
  • Effective lateral movement was observed using legitimate credentials, indicative of careful planning and reconnaissance.

Executive Summary

During our investigation of a recent campaign targeting financial institutions, we uncovered a sophisticated attack methodology focusing on credential theft. The attackers utilized tailored phishing emails containing malicious attachments to lure victims, followed by the deployment of a custom malware payload that facilitated extensive reconnaissance and lateral movement within the victims’ networks. This analysis will dissect the attack chain from initial access through to impact, highlighting the TTPs leveraged by the adversary.

Initial Access

Our analysis revealed that the initial access vector was a well-crafted phishing email whose subject line posed as an overdue invoice. The email carried a malicious document that, when opened, triggered a macro to execute embedded PowerShell commands; this maps to T1059.001 – PowerShell. The file path of the downloaded payload observed during our investigation was %TEMP%\invoice.docm. The lure was convincing enough to achieve a high rate of victim interaction.

Execution & Persistence

Once running, the payload launched a series of obfuscated PowerShell commands designed to retrieve additional scripts from a remote server. These scripts established persistence by creating a scheduled task named SystemUpdate, allowing the implant to survive system reboots; this maps to T1053.005 – Scheduled Task. Our team recovered the task definition from C:\Windows\System32\Tasks\SystemUpdate; it was configured to run every hour, consistent with a persistence mechanism aimed at long-term access.

Command and Control

The implant communicated with its command and control (C2) server over HTTPS and used a domain generation algorithm (DGA) to conceal the actual C2 infrastructure. During our investigation we recorded several domains that were rotated periodically to evade detection; the observed domains frequently used suffixes that gave no indication of their purpose. The C2 traffic consisted of sporadic POST requests carrying encrypted data, typical of T1071.001 – Application Layer Protocol. This additional layer of obfuscation kept the malicious traffic below the threshold of standard detection systems.

Lateral Movement & Discovery

After establishing an initial foothold, the actor used credentials harvested from compromised user accounts to move laterally across the network. Utilizing T1021.001 – Remote Services: RPC, they accessed other machines within the domain, executing commands through legitimate administrative tools such as PsExec and WMIC. A notable command observed was psexec \\TARGET-MACHINE -u admin -p password cmd.exe, which gave them a remote shell on target machines without requiring further exploitation. This in turn opened pathways for data exfiltration and additional reconnaissance.

Impact & Objectives

The primary objective observed in this campaign was the exfiltration of sensitive user information, including credentials and financial data. We also noted clear efforts to deploy additional malware strains as a secondary objective, establishing a wider footprint within the network. Their lateral movement ultimately yielded access to privileged admin accounts, significantly increasing the threat to the organization. The actors aimed not only to steal data but also to stage future operations by leaving backdoors for sustained access.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spear Phishing Attachment: Phishing campaign leveraging tailored documents to gain initial access.
  • T1059.001 – PowerShell: Execution of malicious commands via obfuscated PowerShell to drop payloads.
  • T1053.005 – Scheduled Task: Utilized scheduled tasks for persistence across reboots.
  • T1071.001 – Application Layer Protocol: Encrypted C2 communication over HTTPS to camouflage malicious traffic.
  • T1021.001 – Remote Services: RPC: Leveraged for lateral movement and access to other systems within the network.

Detection Opportunities

  • Monitor for unusual PowerShell execution patterns, including the execution of scripts from %TEMP% and scheduled tasks associated with unusual names.
  • Implement DNS monitoring for domains with DGA patterns to identify potential C2 communications early.
  • Review logs for failed login attempts and lateral movement activity, especially with administrative privileges.
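The following is an added example of how the first detection opportunity can be expressed as simple rules over endpoint telemetry; it is not code from the original report. The events are constructed stand-ins for Sysmon Event ID 1 (process creation) and Windows Security Event ID 4698 (scheduled task created), with field names borrowed from those logs, and the encoded command is a placeholder rather than a real blob.

```python
"""Constructed detection rules for the TTPs in this report (T1059.001, T1053.005)."""
import re

# Constructed sample events; field names mirror Sysmon / Security log fields.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc <constructed-base64-placeholder>"},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Users\jdoe\AppData\Local\Temp\stage2.ps1"},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\ProgramData\Scripts\inventory.ps1"},  # benign
    {"id": 4698, "TaskName": r"\SystemUpdate", "SubjectUserName": "jdoe",
     "TaskContent": "<Command>powershell.exe</Command><Interval>PT1H</Interval>"},
    {"id": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "SubjectUserName": "SYSTEM", "TaskContent": "<Command>defrag.exe</Command>"},  # benign
]

OFFICE_PARENTS = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)
TEMP_PATHS = re.compile(r"(%TEMP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)", re.I)
ENCODED_FLAG = re.compile(r"\s-(enc|ec|encodedcommand)\s", re.I)
BASELINE_TASKS = re.compile(r"^\\Microsoft\\Windows\\", re.I)  # assumed allowlist root


def classify(ev):
    """Return detection tags for one event; an empty list means nothing suspicious."""
    tags = []
    if ev["id"] == 1 and ev["Image"].lower().endswith("powershell.exe"):
        if OFFICE_PARENTS.search(ev["ParentImage"]):
            tags.append("T1059.001:office-spawned-powershell")
        if TEMP_PATHS.search(ev["CommandLine"]):
            tags.append("T1059.001:script-from-temp")
        if ENCODED_FLAG.search(ev["CommandLine"]):
            tags.append("T1059.001:encoded-command")
    elif ev["id"] == 4698 and not BASELINE_TASKS.match(ev["TaskName"]):
        tags.append("T1053.005:non-baseline-task")
        if "powershell" in ev["TaskContent"].lower():
            tags.append("T1053.005:task-runs-powershell")
    return tags


def scan(events):
    """Map the index of each flagged event to its tags, dropping clean events."""
    results = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            results[i] = tags
    return results


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, tags)
```

The allowlist root for scheduled tasks and the Office parent list are assumptions to be tuned against each environment's baseline; the benign events show that ordinary administrative PowerShell and Microsoft-shipped tasks pass untouched.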

Analyst Notes

This investigation underscores the necessity of user education regarding phishing tactics, highlighting the importance of deploying effective email filtering and endpoint detection solutions. The use of multi-factor authentication (MFA) across all accounts, especially for admin accounts, remains a critical defense against lateral movement and credential theft. Monitoring network traffic for common C2 patterns can enhance detection capabilities significantly.
