Deep Dive into the XX Malware Campaign: Analyzing the Tactics, Techniques, and Procedures

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • Initial access came through spearphishing attachments (T1193 – Spearphishing Attachment, folded into T1566.001 in current ATT&CK).
  • Persistence relied on an hourly scheduled task and an auto-start Windows service, both named to look like update components.
  • Command and control ran over HTTPS to hosts behind dynamic DNS, which lets the operator re-point infrastructure quickly and blunts IP-based blocking.

Executive Summary

During our investigation of the XX malware campaign, we observed an actor targeting multiple sectors through spear phishing emails. The malware, which we identified as XX, employs several techniques to achieve persistence and lateral movement, ultimately leading to data theft and disruption. Our analysis revealed an attack chain that begins with initial access via malicious attachments, followed by execution, persistence, credential access, discovery, and data exfiltration over the command and control channel.

Initial Access

The initial infection vector for this campaign was T1193 – Spearphishing Attachment (now T1566.001). The actors sent carefully crafted emails that masqueraded as legitimate communications and enticed users to open an attachment containing the malicious payload. On execution the payload dropped additional components to maintain access. We recorded several instances of the file path C:\Users\Public\Documents\malicious.docx, a consistent drop location for this actor; C:\Users\Public is writable by every interactive user, so no elevated privileges are needed to stage files there, which makes the directory worth including in file-creation monitoring.

Execution & Persistence

Once opened, the malicious document exploited a vulnerability in Microsoft Office (tracked as CVE-XXXX-XXXXX) to run an embedded PowerShell script. Our analysis of the dropped files revealed the registration of a scheduled task named WindowsUpdater (definition stored at C:\Windows\System32\Tasks\WindowsUpdater) with an hourly repetition trigger, establishing persistence. The actor also installed a Windows service named UpdataService, whose name resembles a legitimate update component, configured to start automatically at boot so the implant runs again after a reboot without user interaction.
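The two persistence artefacts above leave well-defined records: a Security Event ID 4698 (a scheduled task was created) carries the task XML, and a System Event ID 7045 (a service was installed) carries the service name, image path and start type. The following is an added example, not code from the original report, that triages such records for the pattern described (script-host actions, PowerShell evasion switches, binaries in user-writable paths, OS-themed names outside the \Microsoft\ task folder, short repetition intervals). The event dicts, task XML, names and paths are constructed for the example; the UTF-16 declaration on the task XML mirrors how 4698 embeds it.

```python
"""Triage task- and service-creation events for persistence indicators.

Added example, not code from the original report. Records are constructed dicts
shaped like the fields of Security 4698 and System 7045; the task XML follows
the Task Scheduler schema. Names and paths are illustrative.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a legitimate service binary or task action rarely lives in.
USER_WRITABLE = re.compile(
    r"(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\|%temp%|%appdata%|%public%)", re.I)
SCRIPT_HOSTS = re.compile(
    r"\b(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(?:\.exe)?\b", re.I)
PS_EVASION = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
OS_THEMED = re.compile(r"windows|microsoft|updat", re.I)


def iso_duration_seconds(value):
    """Convert an ISO 8601 duration such as PT1H or P1DT2H30M to seconds (None if absent)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s or None


def parse_task_xml(xml_text):
    """Return (command, arguments, repetition interval) from Task Scheduler XML."""
    # 4698 embeds the XML with a UTF-16 declaration; drop it before parsing a str.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).lstrip()
    root = ET.fromstring(xml_text)
    cmd = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext(".//t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    interval = root.findtext(".//t:Triggers//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    return cmd.strip(), args.strip(), interval.strip()


def triage_task(event):
    """Return the list of indicators raised by a 4698-shaped record."""
    reasons = []
    cmd, args, interval = parse_task_xml(event["TaskContent"])
    name = event["TaskName"]
    if OS_THEMED.search(name) and not name.lower().startswith("\\microsoft\\"):
        reasons.append("OS-themed task name outside the \\Microsoft\\ folder")
    if SCRIPT_HOSTS.search(cmd):
        reasons.append("action runs a script host: " + cmd)
    if PS_EVASION.search(args):
        reasons.append("PowerShell evasion switches in arguments")
    if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
        reasons.append("binary or script in a user-writable directory")
    secs = iso_duration_seconds(interval)
    if secs is not None and secs <= 3600 and reasons:   # interval alone is not suspicious
        reasons.append("repeats every %ds (beacon-like)" % secs)
    return reasons


def triage_service(event):
    """Return the list of indicators raised by a 7045-shaped record."""
    reasons = []
    path = event["ImagePath"]
    if USER_WRITABLE.search(path):
        reasons.append("service binary in a user-writable directory")
    if SCRIPT_HOSTS.search(path):
        reasons.append("service launches a script host")
    if OS_THEMED.search(event["ServiceName"]) and "\\system32\\" not in path.lower():
        reasons.append("OS-themed service name with binary outside System32")
    if reasons and event.get("StartType", "").lower().startswith("auto"):
        reasons.append("configured to auto-start at boot")
    return reasons


def triage(events):
    """Map task/service name to indicators for every record that raised at least one."""
    findings = {}
    for ev in events:
        if ev["EventID"] == 4698:
            key, reasons = ev["TaskName"], triage_task(ev)
        elif ev["EventID"] == 7045:
            key, reasons = ev["ServiceName"], triage_service(ev)
        else:
            continue
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample records (the base64 fragment is a placeholder, not a real payload).
MALICIOUS_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition>
    <Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -k -g</Arguments></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\WindowsUpdater", "TaskContent": MALICIOUS_TASK_XML},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "TaskContent": BENIGN_TASK_XML},
    {"EventID": 7045, "ServiceName": "UpdataService", "ImagePath": "C:\\Users\\Public\\Documents\\updata.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "wuauserv", "ImagePath": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p", "StartType": "demand start"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against real telemetry by replacing SAMPLE_EVENTS with records pulled from the Security and System logs; the OS-themed name check deliberately ignores tasks under \Microsoft\, so a task registered there by an attacker would need the path and argument checks to catch it.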

Command and Control

The malware establishes a layered command and control (C2) channel. Beaconing was first observed toward hostnames registered with a dynamic DNS service; because the operator can re-point such a hostname to a new IP address in minutes, IP-based blocking and infrastructure tracking are short-lived. The C2 traffic itself was HTTPS, so request and response bodies were not inspectable on the wire, and the update-themed domain updates.example.com was used to blend in with ordinary software-update traffic. This maps to T1071 – Application Layer Protocol (T1071.001 – Web Protocols): ordinary HTTP/S on port 443 so that the connections look like normal browsing to perimeter devices.

Lateral Movement & Discovery

After establishing a foothold, the actor moved laterally using T1021.002 – SMB/Windows Admin Shares, attempting to reach the administrative shares of other hosts. The credentials for this were harvested by credential dumping, notably reading LSASS process memory with tools like Mimikatz (T1003.001 – OS Credential Dumping: LSASS Memory). Access to the C$ and ADMIN$ shares (UNC paths of the form \\<host>\C$ and \\<host>\ADMIN$) was observed repeatedly during our analysis, which is consistent with remote file staging and execution over SMB; on its own a share access does not prove the host was compromised, so each should be checked against what the account subsequently ran there.
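The two behaviours in this section are visible in host telemetry: a Sysmon Event ID 10 (ProcessAccess) records which image opened lsass.exe and with what GrantedAccess mask, and a Security Event ID 5140 (a network share object was accessed) on the target server records the account, source IP and share name. The following is an added example, not code from the original report, that flags LSASS handles requesting PROCESS_VM_READ from non-allowlisted images, flags one account reaching ADMIN$ or C$ on several servers within a short window, and chains the two when the dumping host is the source of the fan-out. All records, host names, accounts, IPs, the allowlist and the host-to-IP table are constructed assumptions for the example.

```python
"""Correlate LSASS memory access with admin-share fan-out.

Added example, not code from the original report. Records are constructed dicts
shaped like Sysmon Event ID 10 (ProcessAccess) and Security Event ID 5140
(network share accessed); hosts, accounts, IPs and the asset table are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LSASS = r"c:\windows\system32\lsass.exe"
PROCESS_VM_READ = 0x0010          # the right a credential dumper needs to read LSASS memory
ADMIN_SHARES = {"c$", "admin$"}   # IPC$ is omitted here because it is too noisy on its own

# Assumed allowlist of images that routinely open lsass.exe (tune per environment and
# pair with signer data in production: a renamed binary defeats a path-only check).
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def lsass_access_findings(sysmon10):
    """Sysmon 10 records where a non-allowlisted image opened LSASS with VM_READ."""
    hits = []
    for ev in sysmon10:
        if ev["TargetImage"].lower() != LSASS:
            continue
        granted = int(ev["GrantedAccess"], 16)
        if not granted & PROCESS_VM_READ:
            continue  # query-only handles (e.g. 0x1400) cannot read credential material
        if ev["SourceImage"].lower() in LSASS_READERS_ALLOWED:
            continue
        hits.append({"host": ev["Computer"], "time": ev["UtcTime"],
                     "source": ev["SourceImage"], "granted": hex(granted)})
    return hits


def admin_share_fanout(sec5140, window=timedelta(minutes=30), min_hosts=3):
    """(account, source IP) pairs reaching ADMIN$/C$ on >= min_hosts servers within window."""
    touches = defaultdict(list)
    for ev in sec5140:
        share = ev["ShareName"].rsplit("\\", 1)[-1].lower()  # '\\*\ADMIN$' -> 'admin$'
        if share in ADMIN_SHARES:
            touches[(ev["SubjectUserName"], ev["IpAddress"])].append((ev["TimeCreated"], ev["Computer"]))
    findings = []
    for (user, ip), hits in touches.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # sliding window over time-sorted hits
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "source_ip": ip, "start": t0, "hosts": sorted(hosts)})
                break
    return findings


def correlate(sysmon10, sec5140, host_ips):
    """Chain a host where LSASS was read to admin-share fan-out sourced from its IP."""
    dumps = lsass_access_findings(sysmon10)
    fanout = admin_share_fanout(sec5140)
    dump_ips = {host_ips.get(d["host"]) for d in dumps}
    chains = [f for f in fanout if f["source_ip"] in dump_ips]
    return dumps, fanout, chains


def ts(h, m, s=0):
    """Constructed timestamps for the sample records."""
    return datetime(2024, 3, 1, h, m, s)


HOST_IPS = {"WS-FIN-07": "10.0.0.5", "WS-HR-02": "10.0.0.9"}   # constructed asset table
SYSMON_10 = [
    {"Computer": "WS-FIN-07", "UtcTime": ts(10, 2, 11), "SourceImage": r"C:\Users\Public\Documents\mm.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "WS-FIN-07", "UtcTime": ts(10, 2, 30), "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "WS-HR-02", "UtcTime": ts(10, 4), "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400"},
]
SECURITY_5140 = [
    {"Computer": "SRV-FILE-01", "TimeCreated": ts(10, 5), "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5", "ShareName": r"\\*\ADMIN$"},
    {"Computer": "SRV-APP-02", "TimeCreated": ts(10, 7), "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$"},
    {"Computer": "SRV-DB-03", "TimeCreated": ts(10, 9), "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5", "ShareName": r"\\*\ADMIN$"},
    {"Computer": "SRV-FILE-01", "TimeCreated": ts(10, 20), "SubjectUserName": "jdoe", "IpAddress": "10.0.0.9", "ShareName": r"\\*\Finance"},
    {"Computer": "SRV-FILE-01", "TimeCreated": ts(11, 30), "SubjectUserName": "jdoe", "IpAddress": "10.0.0.9", "ShareName": r"\\*\ADMIN$"},
]

if __name__ == "__main__":
    dumps, fanout, chains = correlate(SYSMON_10, SECURITY_5140, HOST_IPS)
    print("lsass reads:", dumps)
    print("admin-share fan-out:", fanout)
    print("chained:", chains)
```

The 0x1400 handle from the vendor agent is deliberately left alone: without PROCESS_VM_READ it cannot read credential material, and alerting on every LSASS handle produces noise that buries the real dump. The window and host threshold for the fan-out rule are starting values; backup and patching accounts legitimately touch many ADMIN$ shares, so tune them against a baseline before paging on them.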

Impact & Objectives

The primary objective of the XX malware campaign appeared to be data exfiltration, leading to financial and reputational damage for the targeted organizations. The actors used T1041 – Exfiltration Over Command and Control Channel, sending data over the same HTTPS connection used for tasking. During the investigation we found compressed archives of sensitive files being posted to the C2 server. The command curl -X POST appeared frequently in the logs, confirming that HTTP POST requests carried the archives; because the channel was TLS, the archive contents were not visible to network inspection, leaving the command line, destination host and outbound byte counts as the observable evidence. Note that curl.exe ships with Windows 10 (version 1803 and later) and Windows Server 2019, so its presence is not anomalous by itself; the combination of arguments and destination is.
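Because the C2 channel described in the Command and Control section and the exfiltration described here share one HTTPS connection, the same network metadata catches both: the destination hostname (dynamic DNS provider or not), the timing of connections (a fixed hourly timer stands out against human browsing), and the outbound byte count (an archive upload dwarfs routine beacons). The following is an added example, not code from the original report, that runs those three checks over a constructed connection log. The log format, timestamps, the wsus-relay.duckdns.org hostname, IPs and byte counts are made up for the example; the dynamic DNS suffix list is illustrative and incomplete.

```python
"""Flag dynamic-DNS destinations, fixed-interval beacons and outbound volume spikes.

Added example, not code from the original report. Input lines are constructed and
follow a minimal "<iso-timestamp> <src_ip> <dst_host> <dst_port> <bytes_out>" shape.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Illustrative (incomplete) list of dynamic DNS provider domains.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net",
                        "dyndns.org", "hopto.org", "zapto.org")
MIN_BEACON_EVENTS = 6        # fewer connections give a meaningless interval statistic
MAX_JITTER_RATIO = 0.20      # pstdev(interval) / mean(interval); near zero means a timer
MIN_VOLUME_BASELINE = 4      # connections needed before a median is trusted
VOLUME_SPIKE_FACTOR = 10     # bytes_out > factor * median is a spike


def is_dynamic_dns(host):
    """True when host is, or is a subdomain of, a known dynamic DNS provider domain."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_line(line):
    """Parse one constructed log line into a record."""
    ts, src, host, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "host": host, "port": int(port), "bytes": int(nbytes)}


def beacon_score(timestamps):
    """Return (count, mean interval s, jitter ratio), or None with too few events."""
    if len(timestamps) < MIN_BEACON_EVENTS:
        return None
    t = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return len(t), m, pstdev(gaps) / m


def analyze(log_text):
    """Group connections by (src, host, port) and return the pairs that raised indicators."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_pair = defaultdict(list)
    for r in recs:
        by_pair[(r["src"], r["host"], r["port"])].append(r)
    findings = []
    for (src, host, port), rs in sorted(by_pair.items()):
        reasons = []
        if is_dynamic_dns(host):
            reasons.append("dynamic DNS destination")
        score = beacon_score([r["ts"] for r in rs])
        if score and score[2] <= MAX_JITTER_RATIO:
            reasons.append("beacon-like: %d connections every ~%.0fs (jitter ratio %.3f)" % score)
        if len(rs) >= MIN_VOLUME_BASELINE:
            med = median(r["bytes"] for r in rs)
            for r in rs:
                if r["bytes"] > VOLUME_SPIKE_FACTOR * med:
                    reasons.append("outbound volume spike at %s: %d bytes vs median %d"
                                   % (r["ts"].isoformat(), r["bytes"], med))
        if reasons:
            findings.append({"src": src, "host": host, "port": port, "reasons": reasons})
    return findings


# Constructed sample: an hourly beacon with a final large upload, two hits on a
# dynamic DNS host, and irregular browsing to an ordinary site.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 10.0.0.5 updates.example.com 443 1432
2024-03-01T10:00:07Z 10.0.0.5 updates.example.com 443 1398
2024-03-01T10:59:55Z 10.0.0.5 updates.example.com 443 1410
2024-03-01T12:00:03Z 10.0.0.5 updates.example.com 443 1402
2024-03-01T13:00:00Z 10.0.0.5 updates.example.com 443 1440
2024-03-01T14:00:09Z 10.0.0.5 updates.example.com 443 1395
2024-03-01T14:59:56Z 10.0.0.5 updates.example.com 443 1405
2024-03-01T16:00:02Z 10.0.0.5 updates.example.com 443 2611049
2024-03-01T09:12:44Z 10.0.0.5 wsus-relay.duckdns.org 443 912
2024-03-01T09:12:51Z 10.0.0.7 wsus-relay.duckdns.org 443 903
2024-03-01T09:03:12Z 10.0.0.5 www.example.org 443 5120
2024-03-01T09:41:50Z 10.0.0.5 www.example.org 443 7730
2024-03-01T11:17:09Z 10.0.0.5 www.example.org 443 4401
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("%s -> %s:%d" % (f["src"], f["host"], f["port"]))
        for r in f["reasons"]:
            print("  -", r)
```

The beacon check keys on timing rather than content because the channel is TLS; an implant that randomises its sleep widely will push the jitter ratio above the threshold, so treat the ratio as one signal to combine with the destination and volume checks rather than a standalone rule. Feeding it proxy or Zeek conn logs only requires adapting parse_line.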

MITRE ATT&CK Mapping

  • T1193 – Spearphishing Attachment (now T1566.001): Initial access via phishing emails carrying malicious attachments.
  • T1203 – Exploitation for Client Execution: Office vulnerability (CVE-XXXX-XXXXX) used to run the embedded script.
  • T1059.001 – PowerShell: Execution of malicious scripts through PowerShell.
  • T1053.005 – Scheduled Task: Hourly WindowsUpdater task for persistence.
  • T1543.003 – Windows Service: Auto-start UpdataService for persistence.
  • T1003.001 – OS Credential Dumping: LSASS Memory: Credential harvesting with tools like Mimikatz.
  • T1021.002 – SMB/Windows Admin Shares: Lateral movement via C$ and ADMIN$.
  • T1071.001 – Application Layer Protocol: Web Protocols: Command and control over HTTPS behind dynamic DNS.
  • T1041 – Exfiltration Over Command and Control Channel: Compressed archives posted to the C2 server.

Detection Opportunities

  • Monitor inbound email for spearphishing attachments (T1193, now T1566.001): Office documents with active content or exploit payloads arriving from new senders to many recipients within a short window, and any process spawned by an Office application that is not another Office component.
  • Alert on Security Event ID 4698 (scheduled task created) where the task action is powershell.exe with encoded or hidden-window switches or a path under C:\Users or C:\ProgramData, and on System Event ID 7045 or Security Event ID 4697 (service installed) where the image path is outside System32 or Program Files.
  • Alert on Sysmon Event ID 10 (ProcessAccess) against lsass.exe where GrantedAccess includes PROCESS_VM_READ (0x0010) from an image not on a maintained allowlist, and review Security Event ID 5140/5145 for one account reaching ADMIN$ or C$ on several hosts from a single workstation.
  • Resolve outbound HTTPS destinations against DNS logs and flag dynamic DNS provider domains; since TLS hides content, look for fixed-interval (here hourly) connection timing and outbound byte counts far above the pair's baseline, which is where an archive upload shows.

Analyst Notes

This campaign underscores the value of robust email filtering and proactive endpoint detection. Timely patching of the exploited Office vulnerability removes the execution step entirely, and user awareness of phishing reduces the chance the attachment is opened at all. Continuous monitoring for unusual account activity, tiered administrative accounts, and least-privilege access (including restricting which accounts may reach ADMIN$ and C$ on servers) diminish the actor's ability to move laterally undetected once a single host is compromised.

Source: Original Report