Priya Nair — Digital Forensics Analyst
Key Takeaways
- Custom phishing emails deliver a tailored malware dropper.
- Persistence achieved through registry modifications and scheduled tasks.
- Clear indicators of lateral movement through SMB exploitation.
Executive Summary
Our investigation of a recent sophisticated phishing campaign revealed a well-orchestrated attack leveraging custom malware designed to evade detection while achieving its objectives efficiently. The attack chain initiated with a crafted email containing a malicious link, leading to the download of a dropper that established persistent access to compromised hosts. Utilizing various techniques outlined in the MITRE ATT&CK framework, the threat actor exhibited a degree of sophistication in both lateral movement and command-and-control (C2) communications.
Initial Access
The attack began with an email campaign targeting company employees. The phishing email mimicked official company communications, which increased the likelihood that recipients would trust it and follow the link. When an employee clicked the link, it led to the download of a malicious executable named dropper.exe, hosted on a compromised web server. Analysis of the URL structure revealed that the actor employed fast-flux DNS techniques, rotating the resolved addresses to make blocking and detection more difficult.
Execution & Persistence
Once executed, dropper.exe performed a series of steps to establish persistence. Our analysis revealed that it created a registry entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malicious_app, causing it to execute at each user logon. Additionally, the dropper created a scheduled task named MalwareScheduledTask using the schtasks command, giving it a second persistence mechanism so the implant would survive reboots even if one of the two mechanisms was removed.
Command and Control
The implant established communication with a C2 server using HTTP POST requests with encrypted payloads. During our investigation, we identified the IP address 192.0.2.123 as the primary C2 server, which used a series of dynamic subdomains to avoid IP blacklisting. Communication patterns included regular beacons every 5 minutes, allowing the threat actor to maintain a continuous presence within the compromised environment. Notably, the malware utilized a custom encryption algorithm, complicating analysis and detection efforts.
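The five-minute beacon interval described above is the most reliable network-side signal in this incident. The following is an added example, not code from the original report: it parses constructed outbound HTTP log lines (the 192.0.2.123 address is the one named in the report; the internal host, timestamps, second destination and paths are invented) and flags source/destination pairs whose inter-request intervals are nearly constant, which is what a fixed-timer implant looks like next to ordinary, bursty browsing.

```python
"""Beacon detection over constructed outbound HTTP log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log: timestamp, source, destination, method, path.
# 192.0.2.123 is the C2 address from the report; everything else is made up.
SAMPLE_LOG = """\
2024-03-04T09:00:02Z 10.0.0.15 192.0.2.123 POST /api/v1/sync
2024-03-04T09:05:03Z 10.0.0.15 192.0.2.123 POST /api/v1/sync
2024-03-04T09:10:01Z 10.0.0.15 192.0.2.123 POST /api/v1/sync
2024-03-04T09:15:04Z 10.0.0.15 192.0.2.123 POST /api/v1/sync
2024-03-04T09:20:02Z 10.0.0.15 192.0.2.123 POST /api/v1/sync
2024-03-04T09:25:00Z 10.0.0.15 192.0.2.123 POST /api/v1/sync
2024-03-04T09:01:17Z 10.0.0.15 203.0.113.8 GET /news
2024-03-04T09:03:40Z 10.0.0.15 203.0.113.8 GET /news/1
2024-03-04T09:12:05Z 10.0.0.15 203.0.113.8 POST /login
2024-03-04T09:31:48Z 10.0.0.15 203.0.113.8 GET /news/2
2024-03-04T09:33:02Z 10.0.0.15 203.0.113.8 GET /static/a.js
2024-03-04T09:59:10Z 10.0.0.15 203.0.113.8 GET /news/3
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst))
    return events


def find_beacons(text, min_events=5, max_cv=0.2):
    """Return {(src, dst): stats} for pairs whose request timing is nearly periodic.

    cv is stdev/mean of the gaps between consecutive requests. Human-driven
    traffic is bursty (cv close to or above 1); a timer-driven beacon with a
    little jitter stays near 0, so a low cv over enough events is the signal.
    """
    by_pair = defaultdict(list)
    for when, src, dst in parse_log(text):
        by_pair[(src, dst)].append(when)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"count": len(times),
                             "period_s": round(avg, 1),
                             "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print("beacon candidate {} -> {}: every ~{}s over {} requests (cv={})".format(
            src, dst, info["period_s"], info["count"], info["cv"]))
```

On the sample, only the 192.0.2.123 pair is reported, with a period of about 300 seconds; the news-site traffic has a cv near 0.9 and is ignored. In practice the destination should be keyed by hostname as well as IP, since the report notes the actor rotated subdomains, and the threshold should be tuned against a baseline of legitimate periodic traffic (update checks, telemetry) before alerting on it.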
Lateral Movement & Discovery
Following initial access, we observed that the actor attempted lateral movement within the network using T1075 – Pass the Hash techniques. By leveraging credentials extracted from memory, the threat actor accessed shared resources across the network, targeting administrative shares on other workstations. Our forensic analysis further uncovered log entries indicating Remote Procedure Call (RPC) usage to enumerate active shares on remote systems, indicating a methodical approach to lateral movement.
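The Pass the Hash activity above leaves a recognisable trace on each target: an NTLM network logon (Security event 4624, logon type 3) followed almost immediately by access to an administrative share (Security event 5140) from the same source address. The following is an added example written for this report, not code from the original investigation: it correlates those two event types over constructed Security event records (field names follow the real 4624 and 5140 schemas; hosts, users and addresses are invented) and reports a source that reaches the admin shares of several machines in a short window, which is the fan-out pattern that distinguishes lateral movement from routine administration.

```python
"""Correlating NTLM network logons with admin-share access (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Windows Security event records. Field names follow the 4624 and
# 5140 event schemas; every host, user and address is invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-02", "TimeCreated": "2024-03-04T10:02:11Z",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"},
    {"EventID": 5140, "Computer": "WS-02", "TimeCreated": "2024-03-04T10:02:13Z",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.15", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 4624, "Computer": "WS-03", "TimeCreated": "2024-03-04T10:04:50Z",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15"},
    {"EventID": 5140, "Computer": "WS-03", "TimeCreated": "2024-03-04T10:04:52Z",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.15", "ShareName": "\\\\*\\C$"},
    # Benign: a Kerberos logon to a file server followed by access to a normal share.
    {"EventID": 4624, "Computer": "FS-01", "TimeCreated": "2024-03-04T10:05:30Z",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.40"},
    {"EventID": 5140, "Computer": "FS-01", "TimeCreated": "2024-03-04T10:05:31Z",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.40", "ShareName": "\\\\*\\Projects"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_admin_share(share_name):
    """True for ADMIN$ and the hidden drive shares (C$, D$, ...)."""
    leaf = share_name.rsplit("\\", 1)[-1].upper()
    return leaf == "ADMIN$" or re.fullmatch(r"[A-Z]\$", leaf) is not None


def admin_share_fanout(events, window_s=300, min_hosts=2):
    """Return {(source_ip, user): [hosts]} for sources that touched the admin
    shares of at least min_hosts machines, where each access was preceded on
    that machine, within window_s seconds, by an NTLM network logon for the
    same user from the same address."""
    ntlm_logons = [e for e in events
                   if e["EventID"] == 4624 and e["LogonType"] == 3
                   and e["AuthenticationPackageName"] == "NTLM"]
    hits = defaultdict(set)
    for e in events:
        if e["EventID"] != 5140 or not is_admin_share(e["ShareName"]):
            continue
        when = _ts(e["TimeCreated"])
        for logon in ntlm_logons:
            delta = (when - _ts(logon["TimeCreated"])).total_seconds()
            if (logon["Computer"] == e["Computer"]
                    and logon["IpAddress"] == e["IpAddress"]
                    and logon["TargetUserName"] == e["SubjectUserName"]
                    and 0 <= delta <= window_s):
                hits[(e["IpAddress"], e["SubjectUserName"])].add(e["Computer"])
                break
    return {key: sorted(hosts) for key, hosts in hits.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (ip, user), hosts in admin_share_fanout(SAMPLE_EVENTS).items():
        print("{} as {} reached admin shares on: {}".format(ip, user, ", ".join(hosts)))
```

The sample yields one finding: 10.0.0.15 as svc_backup reaching ADMIN$ on WS-02 and C$ on WS-03 within three minutes. NTLM type-3 logons to admin shares are also produced by legitimate management tooling, so the useful enrichment is whether the source is a known administration host and whether the account normally authenticates with NTLM at all; a workstation-to-workstation pattern from an account that otherwise uses Kerberos is the case worth escalating.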
Impact & Objectives
The primary objective of this operation appeared to be data exfiltration: the malware was configured to collect sensitive information, including credentials and keystroke logs, before transmitting it back to the C2 server. The use of built-in Windows tools helped the actor maintain a low profile while carrying out the operation. Our investigation found exfiltrated files totalling over 100MB, pointing to significant data compromise, including customer records and internal communications.
MITRE ATT&CK Mapping
- T1566 – Phishing: The initial access vector was a phishing email.
- T1059 – Command and Scripting Interpreter: The dropper executed PowerShell scripts to maintain persistence.
- T1075 – Pass the Hash: Used for lateral movement within the network.
- T1083 – File and Directory Discovery: Enumerated files to find sensitive information.
Detection Opportunities
- Monitor for unusual registry modifications at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ for persistence techniques.
- Analyze network traffic for connections to known C2 IP addresses and patterns consistent with beaconing.
- Implement endpoint detection solutions that can recognize the execution of dropper.exe or similar dropper signatures.
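The first detection opportunity above, and the persistence section earlier in the report, both come down to two host-side artifacts: a value written under a Run key and a scheduled task created via schtasks. The following is an added example, not code from the original report: it hunts for both in constructed Sysmon-style records (event 13 is RegistryEvent value-set, event 1 is ProcessCreate, with Sysmon's field names), reusing the Run-key path and task name from the report while inventing the SID, file paths and a benign installer write to show how severity can be separated.

```python
"""Hunting Run-key and schtasks persistence in Sysmon-style events (added example)."""
import re

# Constructed Sysmon-style records. The Run-key value name and the task name come
# from the report; the SID, paths and the benign msiexec record are invented.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\Downloads\\dropper.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows"
                     "\\CurrentVersion\\Run\\malicious_app",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc\\dropper.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\dropper.exe",
     "CommandLine": 'schtasks /create /tn MalwareScheduledTask '
                    '/tr "C:\\Users\\alice\\AppData\\Roaming\\svc\\dropper.exe" /sc onlogon'},
    # Benign: an installer registering an updater under the machine Run key.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "C:\\Program Files\\Vendor\\updater.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

# Run and RunOnce under either hive; Sysmon reports HKCU paths as HKU\<SID>\...
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations a standard user can write to; a persistence payload living here is
# far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s.*[/-]create\b", re.I)
TASK_NAME = re.compile(r"[/-]tn\s+\"?([^\"\s]+)", re.I)


def hunt_persistence(events):
    """Return a list of findings for Run-key writes and schtasks /create calls.

    Severity is "high" when the writing process or the registered payload sits
    in a user-writable location, "info" otherwise, so installer noise is kept
    but ranked below the pattern seen in this incident.
    """
    findings = []
    for e in events:
        if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            payload = e.get("Details", "")
            suspicious = USER_WRITABLE.search(e["Image"]) or USER_WRITABLE.search(payload)
            findings.append({"rule": "run_key_write",
                             "severity": "high" if suspicious else "info",
                             "image": e["Image"],
                             "target": e["TargetObject"],
                             "value": payload})
        elif e["EventID"] == 1 and SCHTASKS_CREATE.search(e.get("CommandLine", "")):
            match = TASK_NAME.search(e["CommandLine"])
            parent = e.get("ParentImage", "")
            findings.append({"rule": "schtasks_create",
                             "severity": "high" if USER_WRITABLE.search(parent) else "info",
                             "task": match.group(1) if match else None,
                             "parent": parent,
                             "command": e["CommandLine"]})
    return findings


if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_EVENTS):
        print("[{}] {}: {}".format(f["severity"], f["rule"],
                                   f.get("target") or f.get("task")))
```

Against the sample this produces three findings: the dropper's Run-key write and its schtasks call are both ranked high, while the msiexec write under HKLM is kept at informational level. The same logic maps directly onto a SIEM query over Sysmon events 13 and 1, and the task name extracted from the command line (MalwareScheduledTask here) is what to pivot on when sweeping other hosts for the same persistence.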
Analyst Notes
This incident underscores the necessity for strategic user training around phishing threats and heightened vigilance regarding unsolicited communications. Additionally, improving detection capabilities for lateral movement and C2 activities will be crucial in mitigating future incidents of this nature.
Source: Original Report