A Deep Dive into the Recent Ransomware Attack: Dissecting the Threat Actor’s Tactics and Techniques

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • The attack utilized a phishing vector for initial access, leveraging a malicious document to deploy the payload.
  • Persistence mechanisms employed consisted of registry modifications and scheduled tasks to maintain a foothold.
  • Command and Control (C2) communications were obfuscated through custom protocols, complicating detection efforts.

Executive Summary

In our recent investigation into a ransomware incident affecting several organizations across multiple sectors, we meticulously analyzed the entire attack chain to unveil the tactics, techniques, and procedures (TTPs) employed by the threat actor. The sample we examined revealed a sophisticated operation that utilized multiple vectors for gaining and maintaining access, exfiltrating data, and executing the malicious payload. Our findings shed light on the effective use of custom tooling and the adaptation of known techniques to achieve the actor’s objectives.

Initial Access

The attack began with a targeted phishing campaign aimed at employees in the finance and operations departments of the victim organizations. The phishing emails carried a malicious attachment disguised as an invoice, named Invoice_2023.docx. Our analysis revealed that this document exploited vulnerabilities in Microsoft Word, executing a PowerShell command embedded in the document via macros when it was opened. This initial access step maps to the MITRE ATT&CK technique T1566.001 – Phishing: Malicious Attachment.

Execution & Persistence

Upon execution, the embedded PowerShell script initiated a sequence of commands that downloaded the main payload—a variant of the XYZ Ransomware—from a remote server. The payload was written to a temporary directory as C:\Users\Public\Temp\random.exe and executed immediately. To ensure persistence, the actor created a registry value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malicious, allowing the ransomware to launch at startup (T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). In addition, a scheduled task was created under C:\Windows\System32\Tasks\malicious_task, which triggers the payload upon system boot and gives the actor a second autostart path should the Run key be removed.
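The persistence artifacts above are straightforward to hunt for in endpoint telemetry. The following is an added example (not code from the report or its authors) that runs a small correlation rule over constructed Sysmon-style events: it flags Run-key writes (EventID 13) and task files written under System32\Tasks (EventID 11), and raises the severity of a Run-key entry when its target is an image that was also executed from a world-writable drop directory (EventID 1). The event field names follow Sysmon's schema; the sample events and SIDs are constructed for illustration.

```python
import re

# Constructed Sysmon-style events mirroring the artifacts described above
# (drop to C:\Users\Public\Temp, HKCU Run value, task file in System32\Tasks),
# plus two benign records so the rule has something to ignore.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\Public\\Temp\\random.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\malicious",
     "Details": "C:\\Users\\Public\\Temp\\random.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Windows\\System32\\Tasks\\malicious_task",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

# Directories any user can write to; an autostart entry pointing here is suspicious.
WRITABLE_DROP_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
# Matches Run and RunOnce keys under any hive (Sysmon reports HKCU paths as HKU\<SID>\...).
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
TASK_DIR = "c:\\windows\\system32\\tasks\\"


def find_persistence(events):
    """Return (rule, severity, evidence) tuples for autostart artifacts.

    A Run-key value is 'high' when its target image was seen executing from a
    writable drop directory in the same event set, otherwise 'info' (many
    legitimate applications register Run-key entries)."""
    executed_from_drop = set()
    for e in events:
        if e.get("EventID") == 1:
            img = e.get("Image", "").lower()
            if any(d in img for d in WRITABLE_DROP_DIRS):
                executed_from_drop.add(img)

    findings = []
    for e in events:
        if e.get("EventID") == 13 and RUN_KEY_RE.search(e.get("TargetObject", "")):
            sev = "high" if e.get("Details", "").lower() in executed_from_drop else "info"
            findings.append(("run_key_autostart", sev, e["TargetObject"]))
        elif e.get("EventID") == 11 and e.get("TargetFilename", "").lower().startswith(TASK_DIR):
            findings.append(("scheduled_task_file", "medium", e["TargetFilename"]))
    return findings


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same logic would be fed from a SIEM query over Sysmon or EDR events rather than the inline sample list.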

Command and Control

Throughout the investigation, we observed that the ransomware employed a unique communication mechanism for command and control. The sample used encrypted HTTP requests to communicate with a C2 server hosted on a domain known for its involvement in other cybercriminal activity. The actor resolved this infrastructure through dynamic DNS services and embedded commands within the User-Agent header of the requests, matching the MITRE technique T1071.001 – Application Layer Protocol: Web Protocols. The connections were kept open persistently so that the non-standard traffic pattern would blend in with ordinary web traffic, complicating detection by security appliances.

Lateral Movement & Discovery

Following the successful deployment and execution of the ransomware, we tracked lateral movement attempts within the network. The implant utilized Windows Management Instrumentation (WMI) to probe for additional hosts, trying to enumerate user groups and shared resources. Specifically, it accessed \\

Source: Original Report