Deep Dive into Recent APT Malware Campaign Targeting Financial Services

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • APT actors exploit Office document vulnerabilities for initial access.
  • Execution through regsvr32.exe, with hidden persistence via a scheduled task and a Run registry key.
  • Use of custom Command and Control (C2) infrastructure for data exfiltration.

Executive Summary

In a recent cybersecurity investigation, we observed a sophisticated malware campaign targeting financial services entities. Our analysis revealed a multi-stage attack that began with a series of phishing emails containing malicious Office documents. Upon execution, the payload leveraged known vulnerabilities to deploy a backdoor. This backdoor facilitated persistent access and enabled data exfiltration through a custom C2 server.

Initial Access

The attack chain commenced with a phishing campaign in which the actors sent legitimate-looking emails to employees of financial organizations. These emails carried weaponized attachments disguised as Microsoft Word documents that exploited the CVE-2020-0601 vulnerability. Once the document was opened and macros were enabled, the malicious payload executed. We identified the initial payload as a dropper that downloaded additional modules from a remote server.

Execution & Persistence

During the investigation, we analyzed the execution methods employed by the malware. The dropper utilized regsvr32.exe to execute a script that extracted the main payload from the dropper executable. Our in-depth analysis revealed that the actor implemented hidden persistence mechanisms by creating a scheduled task under C:\Windows\System32\Tasks\ which ensured the malware would execute every time the system rebooted. Additionally, we noted modifications to the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to facilitate automatic startup without user intervention.

Command and Control

The C2 infrastructure was particularly noteworthy. Our findings indicated that the malware communicated with a set of IP addresses, controlled by the actors, using HTTP and HTTPS protocols. This allowed the malware to receive commands and transmit stolen data back to the actors. Traffic analysis of the C2 communications revealed the use of base64 encoding to obscure the data being sent, which further complicated detection efforts. The beaconing interval was set at 5 minutes, indicating an intent to maintain a stealthy operation.

Lateral Movement & Discovery

Following the initial compromise, our analysis showed that the malware incorporated techniques for lateral movement within the network. Using Mimikatz, the actor harvested credentials from memory, which were later used to access other machines on the internal network. We identified that the actor reused those credentials in pass-the-hash attacks (T1075) over SMB to reach administrative shares. These tactics enabled the attackers to map the network extensively, making it easier to target high-value assets for sensitive data extraction.

Impact & Objectives

The primary objective of this APT campaign appeared to be data theft. Our findings suggested that the actors aimed to extract sensitive financial information, including bank credentials, customer data, and proprietary information. The impact assessment revealed that several financial organizations faced potential breaches that could lead to financial loss and reputational damage. The operation demonstrated a high degree of sophistication and meticulous planning, emphasizing the actors’ intent to navigate complex security postures.

MITRE ATT&CK Mapping

  • T1566 – Phishing: Utilized email-based phishing to deliver malware.
  • T1027 – Obfuscated File or Information: Used base64 encoding to disguise C2 traffic.
  • T1071 – Application Layer Protocol: C2 communication conducted over HTTP/HTTPS.
  • T1075 – Pass the Hash: Harvested credential material reused over SMB for lateral movement.

Detection Opportunities

  • Implement monitoring to detect unusual regsvr32.exe execution patterns.
  • Utilize threat intelligence feeds to correlate IP addresses associated with known malicious C2 servers.
  • Deploy advanced analytics to flag scheduled task creation that does not align with organizational norms.
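The three detection opportunities above, together with the beaconing and base64 characteristics described in the Command and Control section, can be turned into concrete checks. The following is an added example written for this report, not code from the original investigation: it runs three detectors over constructed sample telemetry (process creation events, scheduled-task creation events shaped like Windows Security event 4698, and outbound proxy records). The field names, the trusted task folder baseline, the Office parent list and all sample values are assumptions for illustration; the detectors themselves generalize beyond this campaign (any near-constant interval with mostly base64 bodies is flagged, not only a 5-minute one).

```python
import base64
import binascii
import re
import statistics
from collections import defaultdict
from datetime import datetime

# --- Constructed sample telemetry (illustrative; not data from the report) ---
PROCESS_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /i:C:\Users\jdoe\AppData\Local\Temp\inv.sct scrobj.dll"},
    {"parent": "msiexec.exe", "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]
TASK_EVENTS = [  # shaped like the fields of Windows Security event 4698 (assumed)
    {"task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "author": r"NT AUTHORITY\SYSTEM"},
    {"task": r"\OneDriveUpd", "author": r"CORP\jdoe"},
]
PROXY_LOG = """\
2024-03-01T10:00:02Z 10.0.0.5 -> 203.0.113.10 POST /api/ping body=YmVhY29uLTE=
2024-03-01T10:00:30Z 10.0.0.5 -> 198.51.100.7 GET /search body=q=hello
2024-03-01T10:01:10Z 10.0.0.5 -> 198.51.100.7 GET /item body=id=7
2024-03-01T10:05:01Z 10.0.0.5 -> 203.0.113.10 POST /api/ping body=YmVhY29uLTI=
2024-03-01T10:07:45Z 10.0.0.5 -> 198.51.100.7 GET /search body=q=report
2024-03-01T10:10:03Z 10.0.0.5 -> 203.0.113.10 POST /api/ping body=YmVhY29uLTM=
2024-03-01T10:15:02Z 10.0.0.5 -> 203.0.113.10 POST /api/ping body=YmVhY29uLTQ=
2024-03-01T10:20:01Z 10.0.0.5 -> 203.0.113.10 POST /api/ping body=YmVhY29uLTU=
""".splitlines()

# Assumed organisational baselines used by the detectors below.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOST_MARKERS = ("/i:", "scrobj.dll", "http")      # scriptlet / remote-argument use
TRUSTED_TASK_PREFIXES = ("\\Microsoft\\Windows\\",)      # built-in task folder


def suspicious_regsvr32(events):
    """regsvr32.exe launched by an Office application, or given a scriptlet/remote argument."""
    hits = []
    for ev in events:
        if ev["image"].lower() != "regsvr32.exe":
            continue
        cmd = ev["cmdline"].lower()
        if ev["parent"].upper() in OFFICE_PARENTS or any(m in cmd for m in SCRIPT_HOST_MARKERS):
            hits.append(ev["cmdline"])
    return hits


def unexpected_tasks(events, trusted_prefixes=TRUSTED_TASK_PREFIXES):
    """Task creations outside the trusted folders that were not registered by SYSTEM."""
    return [ev["task"] for ev in events
            if not ev["task"].startswith(trusted_prefixes)
            and not ev["author"].upper().endswith("\\SYSTEM")]


_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(body):
    """True when the body is well-formed, strictly decodable base64."""
    if len(body) % 4 or not _B64.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


_LINE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+) body=(\S*)$")


def beaconing_hosts(lines, min_beacons=4, max_jitter=0.05, min_b64_ratio=0.5):
    """Destinations contacted at a near-constant interval with mostly base64 bodies.

    Jitter is measured as population stdev / median of the inter-request gaps.
    Returns {destination: median_interval_seconds}.
    """
    by_dst = defaultdict(list)
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        ts, _src, dst, _method, _path, body = m.groups()
        by_dst[dst].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), body))
    flagged = {}
    for dst, reqs in by_dst.items():
        if len(reqs) < min_beacons:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        median = statistics.median(gaps)
        if median <= 0 or statistics.pstdev(gaps) / median > max_jitter:
            continue
        b64_ratio = sum(looks_base64(body) for _, body in reqs) / len(reqs)
        if b64_ratio >= min_b64_ratio:
            flagged[dst] = median
    return flagged


if __name__ == "__main__":
    print("regsvr32:", suspicious_regsvr32(PROCESS_EVENTS))
    print("tasks:   ", unexpected_tasks(TASK_EVENTS))
    print("beacons: ", beaconing_hosts(PROXY_LOG))
```

On the sample data the Office-spawned regsvr32 invocation and the user-authored task outside the built-in folder are flagged, while the vendor DLL registration and the SYSTEM-authored defrag task are not. The proxy detector flags 203.0.113.10 with a median gap of 299 seconds even though the individual gaps vary by a few seconds, which is why the jitter ratio rather than an exact 300-second match is the criterion; a threat intelligence feed of known C2 addresses would then be the natural second correlation step for the flagged destinations.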

Analyst Notes

The complexity of this APT operation underscores the ongoing threat landscape facing financial institutions. Continuous monitoring, user training, and timely patch management remain pivotal in defending against such targeted attacks. Analysts should prioritize anomaly detection in network traffic and execution behaviors to preempt malicious activities.

Source: Original Report