Sarah Chen — Malware Reverse Engineer
Key Takeaways
- Identified a multi-stage malware attack indicative of advanced persistent threat (APT) tactics.
- Highlighted the use of Credential Dumping techniques to maintain access and move laterally across the network.
- Discovered Command and Control (C2) communication patterns leveraging DNS tunneling and HTTP beacons.
Executive Summary
In our analysis of a recent multi-stage malware incident attributed to a newly emerged APT actor, we observed a sophisticated attack chain: initial access via phishing, followed by a series of post-exploitation actions aimed at lateral movement, data exfiltration, and persistent control. This report focuses on the TTPs employed by the threat actor and offers insights into detection and mitigation strategies.
Initial Access
The investigation began with the identification of an email campaign targeting an organization within the financial sector. Our analysis revealed that the actor used a well-crafted phishing email, which contained a malicious attachment disguised as a bank statement. Once the user opened the file, a macro embedded within the document executed the initial payload, deploying a dropper known as Emotet.
The dropper was responsible for downloading additional malicious payloads from the internet. We noted that the dropper utilized non-standard HTTP requests to obscure its initial call to the command server, an indication of the actor’s efforts to evade detection mechanisms. This initial access stage was instrumental in establishing a foothold within the victim’s environment.
Execution & Persistence
Upon successful execution, the Emotet dropper deployed a secondary payload, identified as Ryuk, which included lateral movement capabilities. Our review of the Windows event logs showed the execution of commands such as wmic product get name and net user, demonstrating the actor’s use of System Information Discovery techniques to enumerate potential targets for lateral movement.
To ensure persistence, the payload was designed to create scheduled tasks, leveraging the Windows Task Scheduler to facilitate re-infection. The analysis of the file paths indicated that the tasks were created in C:\Windows\Tasks\RyukTask, ensuring that they would be triggered on system boot. Additionally, the malware manipulated registry keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to maintain its presence even after reboots.
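As an added illustration of how the persistence behaviour described above shows up in endpoint telemetry (example code written for this page, not part of the original analysis): two rules run over constructed Sysmon-style events, one for Run-key values written by or pointing into user-writable paths, one for files created under C:\Windows\Tasks\ by anything other than the Task Scheduler service. The event layout, sample paths and the svchost.exe allowlist are assumptions to tune per environment.

```python
import re

# HKCU appears in Sysmon as HKU\<user SID>; match either spelling of the Run key.
RUN_KEY = re.compile(r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TASKS_DIR = "c:\\windows\\tasks\\"
# Assumption: in normal operation only the Task Scheduler service (hosted in svchost.exe) writes here.
TASK_WRITERS = {"c:\\windows\\system32\\svchost.exe"}
# Autostart entries written by, or pointing into, user-writable locations deserve a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed Sysmon-style events (not from the incident): 11 = FileCreate, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Users\jdoe\AppData\Local\Temp\ryk.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\jdoe\AppData\Roaming\svchost.exe"},
    {"EventID": 11, "Image": r"C:\Users\jdoe\AppData\Local\Temp\ryk.exe", "TargetFilename": r"C:\Windows\Tasks\RyukTask"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\Tasks\SA.DAT"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c net user"},
]

def classify(event: dict) -> list:
    """Return the reasons an event looks like a persistence attempt (empty list if none)."""
    reasons = []
    image = event.get("Image", "").lower()
    if event["EventID"] == 13 and RUN_KEY.match(event["TargetObject"]):
        details = event.get("Details", "").lower().lstrip('"')
        if details.startswith(USER_WRITABLE) or image.startswith(USER_WRITABLE):
            reasons.append("Run key entry written by or pointing into a user-writable path")
    if event["EventID"] == 11 and event["TargetFilename"].lower().startswith(TASKS_DIR):
        if image not in TASK_WRITERS:
            reasons.append("task file created by something other than the Task Scheduler service")
    return reasons

def hunt(events: list) -> list:
    """(index, reasons) for every event that trips at least one rule."""
    results = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            results.append((i, reasons))
    return results
```

Running hunt(SAMPLE_EVENTS) flags only the two events produced by the temp-directory binary; the OneDrive autostart and the service-written SA.DAT file pass.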
Command and Control
Our investigation revealed that the actor employed a multi-faceted approach to C2 communication. Initially, the malware communicated over DNS using base32-encoded messages, thereby blending with typical network traffic and reducing the likelihood of detection by standard security measures. This tactic falls under the Exfiltration Over Command and Control Channel (T1041) technique of the MITRE ATT&CK framework.
Following the establishment of this covert channel, the malware transitioned to HTTP requests for beaconing. The HTTP GET requests were sent to seemingly benign domains, employing randomized URIs to further obfuscate the malicious traffic. Our researchers noted that the responses from the C2 server contained additional payloads and configuration updates, indicating that the actor had a well-structured infrastructure for their operations.
Lateral Movement & Discovery
During our analysis, we observed significant lateral movement efforts using established Windows administration tools. The use of PsExec (T1569.002) was prominent; it allowed the actor to execute commands on remote systems without significant detection. In logs, we found evidence of WMI queries sent to systems across the internal network, targeting key databases and file shares crucial for data extraction.
The malware also harvested credentials using Credential Dumping (T1003) techniques. By extracting lsass.exe process memory, the implant succeeded in harvesting credentials, which were then used to elevate privileges and gain access to sensitive internal resources. This comprehensive reconnaissance strategy enabled the actor to create a detailed map of the victim’s environment.
Impact & Objectives
The overarching goal of this series of attacks appeared to be data exfiltration and infrastructure compromise. Based on telemetry and logs, we concluded that the actor aimed to exfiltrate sensitive financial records and intellectual property related to proprietary banking technologies. The use of strong encryption on outbound data indicated a concerted effort to eliminate the chances of detection during data transfer.
Furthermore, our threat modeling suggested that the potential impact of this threat included not only financial losses but also reputational damage, legal ramifications, and prolonged operational downtime, making it particularly dangerous for targeted organizations.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Utilizing legitimate web protocols (HTTP) for C2 communication.
- T1105 – Ingress Tool Transfer: Downloading additional payloads from remote locations.
- T1046 – Network Service Discovery: Enumeration of services on remote systems.
- T1070.001 – Indicator Removal on Host: File Deletion (Local): Attempts to remove traces of executed attacks.
Detection Opportunities
- Implement monitoring of DNS requests for anomalous patterns, especially those with non-typical domain resolutions.
- Utilize endpoint detection and response (EDR) tools to alert on unusual scheduled task creation or modifications in C:\Windows\Tasks\.
- Conduct regular audits and monitoring of the Windows registry, focusing on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for unauthorized entries.
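One way to implement the first detection opportunity against the base32 DNS channel described in the Command and Control section, as an added example (not code from the original report): it flags long labels made only of the base32 alphabet with a spread-out character distribution, then counts hits per client and registrable domain so a beaconing pair stands out. The log format, the two-label registrable-domain rule and the thresholds are assumptions.

```python
import base64
import math
import re
from collections import Counter

# DNS labels are at most 63 characters; a tunnel packs as much base32 into each as fits.
BASE32_LABEL = re.compile(r"^[A-Z2-7]{20,63}$", re.IGNORECASE)

def b32_label(data: bytes) -> str:
    """Encode bytes the way a tunnel client would: base32 with '=' padding stripped."""
    return base64.b32encode(data).decode("ascii").rstrip("=")

# Constructed sample log (not real traffic): "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = "\n".join([
    "2024-05-01T10:00:01Z 10.0.0.15 www.example.com A",
    f"2024-05-01T10:00:02Z 10.0.0.15 {b32_label(b'host=WS-FIN-07;user=jdoe;seq=1')}.cdn-updates.example.net TXT",
    f"2024-05-01T10:00:03Z 10.0.0.15 {b32_label(b'cmd=whoami;out=FIN-jdoe;seq=2')}.cdn-updates.example.net TXT",
    "2024-05-01T10:00:04Z 10.0.0.15 autodiscover.example.com A",
    f"2024-05-01T10:00:05Z 10.0.0.22 {b32_label(b'host=WS-FIN-12;user=asmith;seq=1')}.cdn-updates.example.net TXT",
    "2024-05-01T10:00:06Z 10.0.0.22 api.github.com A",
])

def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution (0.0 for 'AAAA')."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s.upper()).values())

def split_qname(qname: str):
    """(subdomain labels, registrable domain); assumes the registrable domain is the
    last two labels, which production code should replace with a public suffix list lookup."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])

def is_tunnel_label(label: str, min_entropy: float = 3.0) -> bool:
    """Long, base32-alphabet-only and with a spread-out character distribution;
    ordinary hostnames fail the length test, repetitive strings fail the entropy test."""
    return bool(BASE32_LABEL.match(label)) and shannon_entropy(label) >= min_entropy

def detect_dns_tunnels(log_text: str) -> dict:
    """Count suspicious queries per (client, registrable domain): a pair that keeps
    producing them is a beacon, an isolated hit is more likely a false positive."""
    hits = Counter()
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        sub_labels, domain = split_qname(qname)
        if any(is_tunnel_label(label) for label in sub_labels):
            hits[(client, domain)] += 1
    return dict(hits)
```

Calling detect_dns_tunnels(SAMPLE_LOG) returns two flagged queries for 10.0.0.15 and one for 10.0.0.22, both against example.net, while the ordinary hostnames are ignored.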
Analyst Notes
This sophisticated campaign exemplifies the necessity for robust security hygiene, particularly in the realms of threat detection and response. As we continue to analyze the evolving TTPs utilized by this APT actor, it is clear that organizations must invest in comprehensive training to ensure user awareness around phishing techniques and enhance their detection capabilities to mitigate similar threats in the future.
Source: Original Report