Detailed Technical Analysis of a Multi-Stage Malware Attack Leveraging Cobalt Strike and Remote Access Trojans

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • Investigation revealed a multi-stage attack leveraging Cobalt Strike for lateral movement.
  • Initial access was obtained through phishing emails targeting company employees.
  • Command and Control communications were observed using encrypted traffic to avoid detection.

Executive Summary

In this detailed analysis, we explore a sophisticated malware attack that unfolded using a combination of common attack vectors, including phishing and remote access tools. Our investigation focused on a sample of malware associated with a recent wave of intrusions noted across various sectors, particularly finance and healthcare. The adversary employed multiple tools and techniques to maintain persistence, evade detection, and ultimately achieve their objectives.

Initial Access

During the investigation, we observed that initial access was achieved through phishing emails containing malicious links that led to a convincing phishing page. A JavaScript-based payload masquerading as a legitimate document executed when users clicked the link, allowing the adversary to drop a variant of Agent Tesla onto the compromised machine. This second-stage payload was capable of keylogging and credential harvesting, which established a foothold within the victim's network.

Execution & Persistence

The sample we examined established persistence by creating a scheduled task that executed it at system startup. Specifically, the following scheduled task was created during execution: C:\Windows\System32\Tasks\Microsoft\Windows\Update\Windows Update. We further found that the malware injected itself into explorer.exe, which aided evasion by blending in with common system processes. This allowed the actor to operate unnoticed while extracting sensitive information.

Command and Control

Our analysis revealed that the C2 infrastructure was well-crafted and relied on frequent domain flux. The malware connected to multiple dynamic domains that resolved to the same IP address, using DNS over HTTPS (DoH) for additional obfuscation of the lookups. Data exfiltration was achieved over HTTPS, which made detection by firewalls and intrusion detection systems significantly more challenging. The command-and-control endpoints mirrored established patterns used by sophisticated threat actors.

Lateral Movement & Discovery

Once a foothold was established, the actor employed tools such as Cobalt Strike to facilitate lateral movement within the network. After exploiting known vulnerabilities in SMB, they used PowerShell (T1059.001 – Command and Scripting Interpreter: PowerShell) for further reconnaissance, which yielded detailed information about internal systems. Discovery activity revealed the presence of local administrator accounts, and network shares were enumerated to map out the environment.

Impact & Objectives

Throughout our analysis, it became apparent that the primary objectives of the actor included data theft and potential ransomware deployment. The victim organization was targeted for sensitive financial information, including banking credentials and personally identifiable information (PII) of employees. The structured extraction of these data artifacts culminated in a significant operational disruption, highlighting the severe implications of such attacks on critical infrastructure.

MITRE ATT&CK Mapping

  • T1566 – Phishing: The actor initiated the attack via phishing emails containing malicious links.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: Used PowerShell scripts for lateral movement and post-exploitation activities.
  • T1071.001 – Application Layer Protocol: Web Protocols: Communications with C2 utilized encrypted HTTPS traffic for exfiltration.

Detection Opportunities

  • Monitor network traffic for anomalous DNS queries, especially those using dynamic DNS providers.
  • Implement endpoint detection solutions that can recognize unusual scheduled tasks and service behaviors.
  • Correlate alerts involving PowerShell execution with user behavior to identify potential misuse.
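As an added illustration of the second and first detection opportunities above (not tooling from the original report), the following script runs two checks over constructed Windows Security 4698 (scheduled task created) and Sysmon 22 (DNS query) records: it flags a task registered under the vendor tree \Microsoft\Windows\ whose action is a script host or runs from a user-writable path, mirroring the task observed in the Execution & Persistence section, and it surfaces the domain-flux pattern of many query names resolving to one IP. Field names and sample values are assumptions.

```python
"""Detection helpers for vendor-tree scheduled-task persistence and domain-flux C2.
Added example; event field names and sample records are constructed, not from the incident."""
import re
from collections import defaultdict

TASK_CREATED = 4698   # Windows Security: a scheduled task was created
DNS_QUERY = 22        # Sysmon: DNS query with its results

# Interpreters that Microsoft's own tasks under \Microsoft\Windows\ do not normally launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def suspicious_task(event):
    """True when a task under \\Microsoft\\Windows\\ launches a script host or a binary
    in a user-writable directory. 4698 reports the task name, not the file path under
    C:\\Windows\\System32\\Tasks, so the check is on the task name."""
    if event["id"] != TASK_CREATED:
        return False
    name, cmd = event["task_name"].lower(), event["command"].lower()
    exe = cmd.split()[0].replace("\\", "/").rsplit("/", 1)[-1]   # basename of the action
    in_vendor_tree = name.startswith("\\microsoft\\windows\\")
    return in_vendor_tree and (exe in SCRIPT_HOSTS or any(d in cmd for d in USER_WRITABLE))


def domain_flux(events, min_domains=5):
    """Map each resolved IPv4 address to the distinct query names that pointed at it and
    return only those reached by at least min_domains names (the domain-flux signature)."""
    by_ip = defaultdict(set)
    for e in events:
        if e["id"] != DNS_QUERY:
            continue
        for ip in IPV4.findall(e["results"]):
            by_ip[ip].add(e["query"].lower())
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_domains}


# Constructed sample telemetry: one masquerading task, one legitimate task, six dynamic
# DNS names resolving to a single documentation-range IP, and one benign lookup.
SAMPLE_EVENTS = [
    {"id": 4698, "task_name": "\\Microsoft\\Windows\\Update\\Windows Update",
     "command": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden "
                "-f C:\\Users\\j.doe\\AppData\\Roaming\\update.ps1"},
    {"id": 4698, "task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "command": "C:\\Windows\\system32\\sc.exe start wuauserv"},
    {"id": 22, "query": "www.microsoft.com", "results": "::ffff:198.51.100.20;"},
] + [{"id": 22, "query": f"upd{i}.ddns-example.net", "results": "::ffff:203.0.113.7;"} for i in range(6)]


def run(events=SAMPLE_EVENTS):
    """Return (flagged task names, {ip: [domains]}) for a batch of events."""
    return [e["task_name"] for e in events if suspicious_task(e)], domain_flux(events)
```

Both checks are deliberately narrow; in production, pair the task check with the 4698 subject account and the action's signer, and feed the flux check a sliding time window.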

Analyst Notes

This investigation underscores the importance of continuous monitoring of phishing attempts and the adoption of layered security comprising both preventive and detection measures. It is critical for organizations to prioritize security awareness training for their personnel to mitigate the risk of falling victim to social engineering attacks. Additionally, implementing strict controls over lateral movement through network segmentation greatly reduces the potential for attackers to spread once inside the perimeter.

Source: Original Report