Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- The attack leverages sophisticated phishing emails to deliver payloads exploiting common user behaviors.
- The primary tool utilized by the threat actor is Cobalt Strike, a legitimate penetration testing tool often abused by attackers.
- Command and Control (C2) infrastructure employs domain fronting techniques to evade detection.
Executive Summary
During our investigation into a recent phishing campaign, we observed a threat actor utilizing Cobalt Strike as their primary deployment method. The attack targeted multiple organizations across various sectors, showcasing the actor’s ability to leverage social engineering tactics effectively. Our analysis revealed that the initial access vector stemmed from cleverly crafted phishing emails, leading to the execution of a malicious payload in the form of a PowerShell script that ultimately deployed a Cobalt Strike beacon. This post will delve into the intricacies of the attack lifecycle, from the initial access to the payload’s command and control capabilities.
Initial Access
The campaign predominantly leveraged phishing emails that contained links to malicious sites mimicking reputable services. We examined several samples of these emails and discovered they frequently employed urgency as a social engineering tactic, enticing users to click on provided links. One particular email asset invited users to verify their account, linking them to an obfuscated landing page that hosted the malicious payload. The final payload, once executed, utilized MS Office VBA macros to execute a PowerShell command that downloaded and executed the Cobalt Strike beacon from an external URL.
Execution & Persistence
After the initial compromise, our analysis revealed that the actor employed various techniques to ensure persistence. The sample we examined modified the Windows registry, specifically the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, to establish a persistent execution state for the malicious payload across reboots. This technique, categorized under T1547.001 – Boot or Logon Autostart Execution: Registry Run Key, allows for the implant to maintain its presence within the victim’s environment. Furthermore, we observed that it leveraged the Scheduled Tasks functionality to reinitiate the beacon if it were terminated, indicating a careful consideration of self-defense mechanisms.
Command and Control
Our investigation into the Command and Control (C2) infrastructure revealed that the actor utilized domain fronting techniques to conceal their communication channels. The beacon itself communicated on port 443 over HTTPS, employing a set of commands designed to fetch additional payloads and execute tasks within the compromised environment. Notably, we identified that the beacon utilized the HTTP/S protocol to establish a persistent connection with the command server, implementing T1071.001 – Application Layer Protocol: Web Protocols. This choice of communication not only obfuscated the actual nature of the traffic but also complicated detection efforts by standard network security appliances.
Lateral Movement & Discovery
As part of the actor’s operational objective, lateral movement was observed utilizing legitimate administrative tools. We recorded instances of the Windows Management Instrumentation (WMI) and PSExec for this purpose, analyzed under the respective techniques T1021.001 – Remote Services: Windows Admin Shares and T1047 – Windows Management Instrumentation. This methodology allowed the actor to navigate across the network efficiently, targeting additional hosts and extracting sensitive data. Additionally, the implementation of PowerShell scripts for reconnaissance tasks was proliferated throughout the environment, enabling the actor to map the network and assess further access points.
Impact & Objectives
The overarching objective of the threat actor was data exfiltration coupled with the potential for lateral movement to critical assets. During our investigation, we unearthed evidence suggesting attempts to access sensitive directories containing confidential information, such as financial records and system credentials. The timing of external communications seemed strategically aligned with events in the organization’s business cycle—indicative of reconnaissance to maximize impact. Furthermore, the capability to deploy ransomware after establishing a foothold could add a secondary layer of objective for the actor.
MITRE ATT&CK Mapping
- T1566.001 – Phishing: Spear Phishing Link: The use of phishing emails with malicious links.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Deployment of PowerShell scripts for payload delivery and execution.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Key: Registry modifications for persistence.
- T1071.001 – Application Layer Protocol: Web Protocols: C2 communication via HTTPS.
- T1021.001 – Remote Services: Windows Admin Shares: Lateral movement using built-in administrative tools.
- T1047 – Windows Management Instrumentation: Utilizing WMI to facilitate lateral movement and query information.
Detection Opportunities
- Monitor for unusual or unauthorized modifications within
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. - Implement filters to detect known Cobalt Strike communication patterns on port 443, focusing on traffic anomalies.
- Establish alerting mechanisms for any use of PowerShell scripts that attempt to download external executables.
Analyst Notes
Ongoing observation of similar attacks within this landscape is crucial for timely detection and response. Strengthening user awareness training regarding phishing attempts may significantly reduce initial access vectors. Additionally, organizations should enforce strict network segmentation and monitor remote services to limit lateral movement capabilities.
Source: Original Report