A Deep Dive into the Recent Malware Campaign: Analyzing Tactics, Techniques, and Procedures

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • The malware leveraged phishing emails as the initial attack vector, embedding macros within Office documents.
  • Persistence mechanisms included registry modifications and scheduled tasks to ensure longevity.
  • The use of dynamic DNS for command and control showcased the actor’s operational security during the attack.

Executive Summary

This post details our analysis of a recent malware campaign attributed to a well-known cyber threat actor. We observed distinct behavior consistent with previous campaigns, particularly focusing on the TTPs employed throughout the lifecycle of the malware. The actor utilized multiple techniques to achieve persistence, leverage command and control (C2), and ultimately conduct lateral movement within the victim environment. Our investigative team tracked the flow from initial access through to the intended impact, providing valuable insights into detection and mitigation strategies.

Initial Access

During the investigation, we identified that the attack was initiated through carefully crafted phishing emails containing malicious attachments. These emails, which masqueraded as invoices, included a Microsoft Word document that prompted the user to enable macros to view the content. Once macros were enabled, the payload – a variant of the Emotet malware – was downloaded from a remote server under the actor’s control. This initial compromise provided a foothold into the target network, marking the beginning of the adversary’s operations.

Execution & Persistence

Upon execution, the malware deployed several techniques to establish persistence. Our analysis revealed that it modified the Windows registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, creating a new entry that executed the malware on startup. In addition, the threat actor set up a scheduled task that enhanced persistence, enabling the malware to execute at regular intervals regardless of system reboots. The presence of these modifications indicates a clear intent on maintaining a long-term presence within the victim’s environment.

Command and Control

The command and control mechanism used by the malware employed a dynamic DNS service, allowing the actor to rotate C2 addresses frequently. We monitored network traffic and discovered the malware was reaching out to a domain that changed every few hours. This technique not only obscured the C2 infrastructure but also reinforced the actor’s operational security, making it challenging for defenders to block communications. The use of HTTP/S for beaconing added another layer of stealth, as the traffic could easily blend in with legitimate web activity.

Lateral Movement & Discovery

With initial access and persistence established, the malware transitioned into lateral movement within the network. Our investigation highlighted the use of credential dumping techniques utilizing Mimikatz, which allowed the actor to extract password hashes from memory. This capability facilitated further access to other systems within the domain. The malware sought to map the network, employing tools like PsExec for remote execution of binaries and spreading across machines. This TTP is emblematic of advanced persistent threats (APTs) that aim to escalate privileges and deepen their infiltration.

Impact & Objectives

The primary objective of this campaign was data exfiltration, with the actor particularly interested in sensitive financial data and personally identifiable information (PII). During our analysis, we identified multiple instances of compressed archives being created and uploaded to external servers. The type of data targeted also reflects the financial motives behind the campaign, as such data is typically valuable on the dark web. The timeline of the activity suggested an imminent ransom demand, common for malware of this nature.

MITRE ATT&CK Mapping

  • T1566 – Phishing: The actor utilized email-based phishing to deliver the initial payload.
  • T1035 – Service Execution: The implant established persistence through registry modifications and scheduled task setups.
  • T1071 – Application Layer Protocol: The malware leveraged HTTP/S for command and control communications.
  • T1003 – Credential Dumping: The malware used techniques like Mimikatz to extract credentials from memory.

Detection Opportunities

  • Deploy email filters that specifically target the characteristics of phishing emails, focusing on macros within Office documents.
  • Monitor registry changes in real-time, specifically looking for unauthorized entries under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  • Utilize DNS query logs to detect requests to known malicious dynamic DNS domains associated with the malware’s C2 infrastructure.
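The following is an added example, not code from the original report, showing how the registry, scheduled-task and DNS detection opportunities above can be expressed as simple rules over endpoint telemetry. It assumes Sysmon-style field names (EventID 13 for registry value set, 22 for DNS query, 1 for process create); the events and the dynamic DNS suffix list are constructed placeholders.

```python
import re

# Constructed Sysmon-style events for illustration; not telemetry from the report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r"C:\Program Files\Vendor\app.exe"},
    {"EventID": 13, "Image": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"},
    {"EventID": 22, "Image": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
     "QueryName": "update-7731.dyn-example.invalid"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 30 /tn Updater /tr C:\Users\jdoe\AppData\Local\Temp\invoice.exe"},
]

# Placeholder dynamic DNS zones; replace with the provider list your threat intel maintains.
DYNDNS_SUFFIXES = ("dyn-example.invalid", "ddns-example.invalid")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Staging directories that a legitimately installed application rarely autostarts from.
SUSPICIOUS_DIRS = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

def detect(events):
    """Return a list of (rule, detail) findings for Run-key, scheduled-task and dynamic DNS activity."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            # Alert only when the autostart target lives in a staging directory, to cut noise from installers.
            if SUSPICIOUS_DIRS.search(ev.get("Details", "")):
                findings.append(("run_key_persistence", ev["TargetObject"]))
        elif eid == 22:
            qname = ev.get("QueryName", "").lower()
            if any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES):
                findings.append(("dyndns_c2_lookup", qname))
        elif eid == 1 and ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            cmd = ev.get("CommandLine", "").lower()
            # Task creation whose action points into a staging directory matches the persistence described above.
            if "/create" in cmd and SUSPICIOUS_DIRS.search(cmd):
                findings.append(("scheduled_task_persistence", ev["CommandLine"]))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The vendor Run-key entry and the browser DNS lookup are deliberately left unflagged to show the noise reduction the path and suffix filters provide.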

Analyst Notes

This incident underscores the necessity for organizations to bolster their email security posture and user education around phishing. Ongoing monitoring of registry changes and network traffic can provide critical insights into potential compromise. Engaging in regular drills and simulations can also enhance incident response capabilities, preparing teams to handle sophisticated attack vectors like those demonstrated in this campaign.
