Nina Kovacs — Exploit Research Analyst
Key Takeaways
- The vishing campaign utilizes social engineering tactics to obtain sensitive information.
- Malware used in the later stages leverages persistence mechanisms through legitimate software.
- Communication with C2 servers is implemented via encrypted channels, making detection challenging.
Executive Summary
During our investigation into a recent vishing attack orchestrated against several financial institutions, we observed a multifaceted approach combining social engineering, malware deployment, and structured exfiltration processes. By analyzing the collected samples and communication patterns, our analysis revealed critical insights into the attacker’s methodologies, highlighting an impressive degree of sophistication typical of advanced threat actors.
Initial Access
The attack commenced with a series of vishing calls aimed at bank employees, wherein the actor impersonated IT support personnel. Utilizing persuasive social engineering techniques, the attacker convinced the targets to share their authentication credentials under the pretext of a mandatory system upgrade. Our analysis of phone numbers used during these interactions revealed a commonality linked to a known threat group, providing a significant lead in our investigation.
Execution & Persistence
Once inside the network, the actor deployed a custom-tailored dropper, which was subsequently found at C:\ProgramData\Adobe\UpdateService.exe. This dropper operated under the guise of a legitimate Adobe Service, employing a combination of system scheduling and Windows services to ensure persistent access. The sample we examined contained self-modifying code designed to evade common signature-based detections, alongside a variety of obfuscation techniques.
Command and Control
The C2 communication we observed was executed through HTTPS traffic directed towards a seemingly innocuous domain, which was found to host multiple subdomains for the covert transmission of stolen data. The payload communicated via encrypted channels, employing an HTTP POST method to send sensitive information, including user credentials and system details. The use of such encryption schemes significantly complicated our ability to intercept communications without advanced decryption capabilities.
Lateral Movement & Discovery
During the investigation, we identified explicit signs of lateral movement through the use of Mimikatz for credential harvesting. The actor utilized valid credentials obtained from the initial compromise to navigate to shared drives, targeting sensitive data stored in directories such as \SHARE\Finance\. The techniques applied in these maneuvers closely matched those outlined under T1075 – Pass the Ticket in the MITRE ATT&CK framework, demonstrating a well-thought-out strategy aimed at expanding their foothold within the network.
Impact & Objectives
The primary objective of this operation appeared to be the exfiltration of personal identifiable information (PII) and financial data. The data harvested from compromised systems could be misused for fraudulent transactions, identity theft, or sold on illicit dark web marketplaces. Furthermore, our analysis indicated that the extent of access reached several administrative accounts, significantly amplifying the potential damage the actor could inflict on the institution’s infrastructure.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Utilized for C2 communication via HTTPS.
- T1075 – Pass the Ticket: Used to move laterally through the network after credential theft.
- T1059.001 – Command and Scripting Interpreter: Windows Command Shell: Used for executing scripts to facilitate post-exploitation tasks.
Detection Opportunities
- Monitoring for unusual outbound HTTPS requests, especially to unusual domains or subdomains.
- Implementing behavioral analysis to identify anomalies associated with scheduled tasks and service creation.
- Employing logging and alerting for the use of sensitive tools like Mimikatz within the environment.
Analyst Notes
This investigation underscores the importance of employee training in identifying phishing attempts and vishing scams. Moreover, institutions must reassess their vulnerability to social engineering attacks, particularly how easily authentication details can be gleaned from unwitting employees. Continuous endpoint monitoring and robust segmentation of sensitive data repositories are vital to mitigate risks associated with credential theft and lateral movement.
Source: Original Report