In-Depth Analysis of the ‘ShadowDropper’ Malware Campaign: Tracking the Tactics, Techniques, and Procedures

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • The campaign utilized a multi-stage payload delivery, embedding the initial dropper within a legitimate software installer.
  • Our analysis identified command and control communication patterns indicating a possible infrastructure reuse by previously observed threat actors.
  • Key tactics included lateral movement through exploitation of the SMB protocol and credential dumping from memory.

Executive Summary

During our investigation of the ‘ShadowDropper’ malware campaign, we uncovered a sophisticated attack chain leveraging a multi-stage approach for initial access and persistence. The actor behind this campaign demonstrated notable expertise, combining social engineering and technical exploitation to compromise target networks. Our analysis revealed the thoroughness of the payload design and C2 communication strategy, which were critical in maintaining a foothold within the victim environment.

Initial Access

Initial access in the observed cases was achieved through phishing emails that delivered seemingly benign attachments. The attachment, a legitimate-looking installer, would execute a dropper known as ShadowDropper. This dropper is designed to masquerade as a well-known application while embedding malicious scripts that trigger the download of secondary payloads. Ultimately, these secondary components would facilitate remote access to compromised systems.

Execution & Persistence

Upon execution, the dropper performed several tasks. It created the primary binary file at C:\Program Files\LegitApp\legitapp.exe, which contained obfuscated code to evade detection by conventional security solutions. Furthermore, the actor implemented persistence by adding a registry key at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LegitApp. This ensured that the malicious executable would run each time the user logged in, reinforcing the actor's foothold within the environment.

Command and Control

Command and control (C2) communications were established using a combination of HTTPS and DNS tunneling techniques, producing encrypted traffic that masked data exfiltration. We noted that the malware attempted to communicate with a specific domain identified as shadowc2.com, under which multiple subdomains changed dynamically, likely to evade detection. The C2 also used custom-built protocols to exchange data, making it harder to correlate with standard malware indicators.

Lateral Movement & Discovery

Exploiting the SMB (Server Message Block) protocol, the actor attempted lateral movement across the network. After establishing a connection to critical servers, they leveraged tools such as mimikatz to dump credentials stored in memory. This access enabled them to identify other valuable systems within the environment for further exploitation. Additionally, our investigation revealed attempts to map the network using NetView calls, which gave the actor a clearer view of potential targets.

Impact & Objectives

The overarching objective of the campaign was to establish an operational base from which sensitive data could be exfiltrated and subsequently sold or leveraged for further attacks. Notable data segments targeted included client databases and internal communications, highlighting the actor’s intention to create long-term operational impacts. The ability to adapt their methods during the campaign indicated a high level of sophistication and a clear understanding of operational security.

MITRE ATT&CK Mapping

  • T1193 – Phishing: The initial access vector through crafted emails.
  • T1059.001 – PowerShell: Execution of scripts via embedded PowerShell commands in the dropper.
  • T1079 – Credential Dumping: Utilizing mimikatz to acquire credentials.
  • T1021.001 – Remote Services: RDP: Possible lateral movement leveraging RDP after obtaining credentials.

Detection Opportunities

  • Implement monitoring on SMTP logs for known malicious attachment patterns and campaigns.
  • Employ heuristics to identify unusual registry modifications, particularly under Windows startup routines.
  • Establish behavioral analysis to detect anomalous SMB traffic, especially around credential usage and lateral movement patterns.
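As an added illustration of the second bullet and of the rotating-subdomain C2 pattern described under Command and Control (example code written for this page, not tooling from the original report), the script below parses constructed Sysmon-style registry and DNS log lines, flags Run-key writes whose value name is outside a baseline, and flags parent domains that receive many distinct high-entropy subdomain queries. The key=value log format, the baseline set and the thresholds are assumptions; only the Run value name, binary path and C2 domain come from the report.

```python
import math
import re
from collections import defaultdict

# Constructed sample log lines (not from the report) in a simple key=value format:
# Sysmon-style registry writes and DNS queries. Run value, path and domain are the report's.
SAMPLE_LOGS = r'''
type=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LegitApp data="C:\Program Files\LegitApp\legitapp.exe"
type=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive data="C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
type=dns query=a9f3c1e7b2d4.shadowc2.com
type=dns query=7c0e4b1d9a2f.shadowc2.com
type=dns query=e1b6d8a3f5c2.shadowc2.com
type=dns query=www.example.com
'''

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\\s]+)$", re.IGNORECASE)
BASELINE_RUN_VALUES = {"OneDrive"}  # assumed baseline taken from a clean host image

def parse_events(text):
    """Turn key=value lines into dicts; quoted values may contain spaces."""
    events = []
    for line in text.strip().splitlines():
        fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
        events.append({k: v.strip('"') for k, v in fields})
    return events

def flag_run_key_writes(events, baseline=BASELINE_RUN_VALUES):
    """Return (value_name, target_path) for Run-key writes whose name is not baselined."""
    hits = []
    for ev in (e for e in events if e.get("type") == "registry"):
        m = RUN_KEY_RE.search(ev.get("key", ""))
        if m and m.group(1) not in baseline:
            hits.append((m.group(1), ev.get("data", "")))
    return hits

def shannon_entropy(label):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    counts = [label.count(c) for c in set(label)]
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts)

def flag_dns_tunneling(events, min_distinct=3, min_entropy=3.0):
    """Parent domains seeing many distinct high-entropy leftmost labels (rotating C2 subdomains)."""
    by_parent = defaultdict(set)
    for ev in (e for e in events if e.get("type") == "dns"):
        labels = ev["query"].lower().split(".")
        if len(labels) >= 3 and shannon_entropy(labels[0]) >= min_entropy:
            by_parent[".".join(labels[-2:])].add(labels[0])
    return sorted(p for p, subs in by_parent.items() if len(subs) >= min_distinct)
```

Run both flag functions over parse_events(SAMPLE_LOGS); on real telemetry the baseline should come from a known-good image and the entropy and distinct-subdomain thresholds tuned against normal CDN and cloud traffic, which also uses hashed-looking labels.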

Analyst Notes

Continuous vigilance is recommended, particularly in environments with high-value assets. Given the adaptive nature of the threat actor, organizations should prioritize incident response preparedness and remediation strategies while ensuring anomaly detection systems are well-tuned to identify early signs of compromise.
