Unpacking the Intricacies of the Recent Keylogger Malware Analysis: From Initial Breach to Consequential Data Exfiltration

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • The malware identified utilizes advanced keylogging techniques and C2 exfiltration methods.
  • Initial access was executed through a phishing email that bypassed traditional defenses.
  • Late-stage lateral movement tactics included the exploitation of remote desktop services.

Executive Summary

During our analysis of a recent keylogger malware identified in the wild, we observed an elaborate attack chain that revealed sophisticated techniques used by the threat actor to secure initial access, persist within affected systems, and ultimately exfiltrate sensitive data. The implant we examined provided the actor with continuous remote access and allowed for the collection of keystrokes, facilitating data theft and network reconnaissance. Our investigation uncovered a wealth of details regarding the attacker’s tactics, techniques, and procedures (TTPs), providing insights into their operational methods.

Initial Access

The attack commenced with an expertly crafted phishing email targeting the finance department of a medium-sized enterprise. Our analysis showed that the email contained a malicious attachment masquerading as an invoice in PDF format. Once executed, the attachment dropped a Windows-based keylogger known as LoggerGo onto the system. The file path associated with the dropper was C:\Users\Public\Documents\NewInvoice.pdf, a location chosen to avoid detection by security solutions focused on commonly monitored directories.

Execution & Persistence

Once executed, LoggerGo established a persistent presence by setting itself to run at startup. Analysis revealed that the malware modified the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key, inserting the value InvoiceProcessor with the path to the dropper. This behavior was indicative of the Registry Run Keys / Startup Folder technique, allowing the malware to maintain persistence even after system reboots. Moreover, the implant employed techniques to disable security mechanisms, specifically targeting endpoint protection solutions, thus ensuring minimal hindrance from security controls.

Command and Control

Our analysis of network traffic during the infection lifecycle revealed a complex C2 infrastructure. The malware initiated outbound connections to a set of IP addresses known to be associated with the actor’s previous activities. Using a combination of HTTP and HTTPS requests, the beaconing occurred every 10 minutes – a low-frequency cadence designed to minimize detection by EDR solutions. The encoded data included stolen keystrokes and screenshots, enabling ongoing surveillance of the victim’s activities. We also noted that the C2 server employed asymmetric encryption for command transmission, further complicating decryption efforts by network defenders.

Lateral Movement & Discovery

With its foothold firmly established, LoggerGo enabled the actor to proceed with lateral movement across the internal network. The techniques employed included the use of legitimate administrative tools such as PsExec, which allowed the actor to execute commands on remote systems using stolen credentials harvested from the compromised machine. This method maps to the T1077 – Windows Admin Shares technique, showcasing the actor’s preference for leveraging existing trust relationships within the target environment. During our investigation, we identified multiple instances of the compromised credentials being used to access file shares across the domain.

Impact & Objectives

The overarching objective of the operation seemed to be the exfiltration of sensitive employee and financial data. We observed that the malware collected not only keystrokes but also sensitive documents, including spreadsheets containing financial records. The actor’s ultimate goal appeared to be gathering intelligence for potential future financial fraud or ransom demands. Traffic logs demonstrated that significant data packets were sent to a C2 server located in a country with limited cybersecurity cooperation, complicating any potential attribution efforts.

MITRE ATT&CK Mapping

  • T1566 – Phishing: Initial access achieved through targeted phishing emails containing malicious attachments.
  • T1060 – Registry Run Keys / Startup Folder: Persistence was ensured through registry modification to execute malware on startup.
  • T1077 – Windows Admin Shares: Lateral movement facilitated via stolen credentials and execution of remote administrative tools.

Detection Opportunities

  • Monitor for suspicious registry key modifications in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  • Implement behavioral detection for known malicious traffic patterns associated with the actor’s C2 infrastructure.
  • Leverage user and entity behavior analytics (UEBA) to identify anomalies in credential usage across the network.
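The first two detection opportunities, worked through as an added example that is not part of the original report: a check over Sysmon Event ID 13-style registry events for Run-key values launching from user-writable directories, and a periodicity test over per-destination connection timestamps that flags the fixed 10-minute beacon cadence described above. All events, timestamps and addresses are constructed; the writable-directory list and the thresholds are assumptions, not values from the report.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Directories any user can write to; a Run value launching from one of these is worth a look (assumption).
WRITABLE_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")

# Constructed registry value-set events in Sysmon Event ID 13 style; not real telemetry.
REG_EVENTS = [
    {"TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"TargetObject": RUN_KEY + r"\InvoiceProcessor",
     "Details": r"C:\Users\Public\Documents\NewInvoice.pdf"},
]

def suspicious_run_values(events):
    """Return Run-key value names whose launch path lives in a user-writable directory."""
    hits = []
    for ev in events:
        key, path = ev["TargetObject"], ev["Details"].lower()
        if key.lower().startswith(RUN_KEY.lower()) and any(d in path for d in WRITABLE_DIRS):
            hits.append(key.rsplit("\\", 1)[1])
    return hits

# Constructed outbound-connection timestamps, one list per destination.
# 203.0.113.10 / 198.51.100.7 are documentation addresses, not indicators.
BASE = datetime(2024, 1, 15, 9, 0, 0)
CONNECTIONS = {
    # every 10 minutes with +/-1 s jitter: beacon-like
    "203.0.113.10": [BASE + timedelta(minutes=10 * i, seconds=(i % 3) - 1) for i in range(8)],
    # bursty, human-like browsing: same mean gap, irregular spacing
    "198.51.100.7": [BASE + timedelta(minutes=m) for m in (0, 3, 4, 31, 32, 33, 58, 70)],
}

def is_periodic(timestamps, min_hits=6, max_cv=0.05):
    """Beacon-like when there are enough connections and the gaps between them are
    nearly constant (coefficient of variation at or below max_cv)."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def beaconing_destinations(conns):
    """Destinations whose connection timing looks like a fixed-interval beacon."""
    return sorted(dst for dst, ts in conns.items() if is_periodic(ts))
```

Both checks are deliberately simple: the periodicity test compares only gap regularity, so legitimate scheduled tasks hitting a fixed interval will also surface and need allow-listing.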

Analyst Notes

This incident underscores the necessity for heightened vigilance regarding phishing attempts and the importance of security awareness training for all employees. Furthermore, organizations must ensure robust endpoint protection solutions are in place and regularly updated to recognize emerging threats. The chain of events demonstrated in this investigation illustrates a clear need for integrated defense strategies, blending user education, proactive detection methods, and rapid incident response protocols.
