Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- Malware utilized a multi-stage attack incorporating remote access and data exfiltration techniques.
- Initial access was achieved via a phishing campaign targeting financial institutions, leveraging crafted emails.
- Indicators of compromise included specific IP addresses, file hashes, and registry modifications that were key to detection efforts.
Executive Summary
During our investigation of a recent malware campaign affecting several financial institutions, we observed a sophisticated attack chain characterized by multiple stages from initial access to persistent control over compromised networks. The attackers deployed a range of tools and techniques leading to the successful exfiltration of sensitive data. Our detailed analysis showcases how these stages unfolded, revealing the methodologies and technology utilized by the threat actor in their operations.
Initial Access
Our analysis revealed that the attackers initiated their efforts through a targeted phishing campaign. Malicious emails were crafted with high levels of social engineering, enticing recipients to click on links leading to a compromised domain. By utilizing maldoc attachments labeled as legitimate invoices, the actors executed their code upon opening the document. This document ultimately led to the execution of a payload that downloaded additional tools to the victim’s system.
Execution & Persistence
Upon successful execution of the initial stage, the malware we examined deployed a remote access tool (RAT)—specifically, a variant of Agent Tesla. This implant was coded to create a persistence mechanism using HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key modifications. This manipulation ensured that the malware was executed at every system startup, thus maintaining the attacker’s foothold in the victim’s environment.
Command and Control
The command and control (C2) infrastructure relied heavily on a decentralized network of onion routers, which hid the true origin of the communication. During our investigation, we tracked several HTTP/S beacons that exhibited unusual patterns of communication with the identified C2 servers. The observed HTTP requests often masqueraded as benign browsing activity to evade detection mechanisms, using URI paths similar to legitimate site structures. This careful obfuscation allowed the actor to continuously refine their access and maintain a stable connection to the compromised systems.
Lateral Movement & Discovery
As the threat actor established their presence, we noted their use of Windows Admin Shares to conduct lateral movement within the network. This involved abusing legitimate administrative tools such as PowerShell and PsExec to propagate the malware to neighboring systems. During our analysis, we found artifacts indicating the use of net use commands to establish connections to other machines, showing an effective discovery phase in which they searched for additional credentials and resources using tools like Mimikatz.
Impact & Objectives
The primary objective appeared to be the exfiltration of sensitive client data, including financial records and personally identifiable information (PII). Our investigation revealed that the malware was configured to harvest this data periodically and send it back to the C2 server in encrypted form, keeping the stolen data confidential and intact in transit. The large volumes of outbound data visible in the traffic analysis indicated that substantial information had been siphoned off, which posed a series of compliance and reputational risks to the affected organizations.
MITRE ATT&CK Mapping
- T1059.001 – Command and Scripting Interpreter: PowerShell: Leveraged for lateral movement through administrative tasks.
- T1046 – Network Service Scanning: Conducted to identify internal services available for exploitation.
- T1071.001 – Application Layer Protocol: Web Protocols: Used for establishing C2 communications.
Detection Opportunities
- Monitor for Office Macro execution events and scrutinize anomalies related to document actions in the environment.
- Implement alerting on changes to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.
- Analyze outbound traffic for patterns that correlate with known C2 communication techniques and indicators of compromise.
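The two alerting points above, as an added example that is not part of the original report: Python detection logic run over constructed Sysmon-style registry events and a constructed proxy log. The event fields, log format, hostnames and thresholds are assumptions, not artifacts from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Sysmon-style registry events (Event ID 13, value set); HKCU appears
# under HKU\<SID> in Sysmon. Not telemetry from the incident.
REGISTRY_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\jdoe\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Config\Version"},
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

def run_key_persistence(events):
    """Return registry value-set events that land under a Run key (persistence)."""
    return [e for e in events
            if e.get("EventID") == 13 and RUN_KEY.search(e.get("TargetObject", ""))]

# Constructed proxy log: timestamp, source IP, destination host, URI path.
PROXY_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 cdn-static.example /assets/js/app.js
2024-05-01T10:00:03Z 10.0.0.5 news.example /index.html
2024-05-01T10:01:00Z 10.0.0.5 cdn-static.example /assets/js/app.js
2024-05-01T10:02:00Z 10.0.0.5 cdn-static.example /assets/js/app.js
2024-05-01T10:03:00Z 10.0.0.5 cdn-static.example /assets/js/app.js
2024-05-01T10:04:00Z 10.0.0.5 cdn-static.example /assets/js/app.js
2024-05-01T10:07:12Z 10.0.0.5 news.example /sports
"""

def beacon_candidates(log_text, min_hits=5, max_jitter=0.2):
    """Flag (src, host, uri) tuples requested at a near-constant interval.
    Returns {key: mean interval in seconds}; a benign-looking URI alone
    does not clear the traffic, which is the evasion the report describes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, host, uri = line.split()
        hits[(src, host, uri)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        if avg and pstdev(deltas) / avg <= max_jitter:
            flagged[key] = round(avg, 1)
    return flagged
```

Tune min_hits and max_jitter to the environment; real beacons add jitter, so a looser threshold trades false positives for coverage.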
Analyst Notes
This case highlights the importance of robust email filtering and employee training on phishing detection. Additionally, organizations should prioritize endpoint detection and response (EDR) solutions capable of identifying unusual behavior associated with lateral movement and persistence mechanisms. Our analysis emphasizes the need for situational awareness and proactive monitoring to mitigate risks associated with such advanced persistent threats.