Daniel Osei — SOC Lead & Malware Analyst
Key Takeaways
- The attack commenced with a sophisticated vishing scheme aiming to extract credentials.
- Malware payloads utilized include variants of Remcos RAT, illustrating the flexibility of remote access techniques.
- Post-exploitation activities indicate lateral movement patterns consistent with T1075 – Pass the Hash and T1021.002 – Remote Services: RDP.
Executive Summary
During our analysis of a recent vishing attack incident, we observed a multi-faceted approach that began with social engineering tactics followed by deployment of Remcos, a well-known Remote Access Trojan (RAT). This attack, targeting employees at prominent financial institutions, aimed to not only gain initial access via credential harvesting but also maintain persistence and lateral movement within the network. Our investigation revealed a clear progression through various stages of the attack lifecycle, employing both human and automated tactics.
Initial Access
The initial access vector for this incident was an effective vishing (voice phishing) campaign. Attackers posed as tech support, called potential victims directly, and steered them toward a phishing link that purported to lead to a legitimate password reset page. Victims who entered their credentials on that page unknowingly handed the actors valid credentials. This tactic aligns with the T1071.001 – Application Layer Protocol: Web Protocols technique, as the attackers relied on standard web protocols to facilitate access. Examining the domain used in the phishing URL (identified as login-secure.example.com), we found it crafted to mimic a trustworthy website.
Execution & Persistence
After the credential theft, the attack transitioned to executing the Remcos payload, delivered through an obfuscated PowerShell script. During our analysis, we noted that the script invoked several cmd.exe commands to download and execute the RAT from a remote server. The malware ran with administrator privileges, which let it establish persistent backdoor access through a scheduled task created with the schtasks command and set to trigger hourly.
The patterns observed in our analysis reflected an adherence to the T1053.005 – Scheduled Task/Job: Scheduled Task technique, which provides the actors with resilience against potential detection. Furthermore, specific registry alterations were made to maintain persistence, including changes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the addition of entries pointing to the Remcos service.
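The two persistence mechanisms described above (an hourly schtasks task spawned from a script host, and a new value under the per-user Run key) both leave clear traces in Sysmon telemetry. The script below is an added example written for this report, not tooling from the incident or from any vendor; the events, hostnames, users and paths in it are constructed sample data, and the trigger and parent-process heuristics are assumptions to tune for your environment.

```python
"""Hunt for the two persistence mechanisms described above over Sysmon events.

Signals checked (defender heuristics written for this example):
  * Sysmon Event ID 1 (process creation): schtasks.exe creating a task with a
    short repeating trigger (/sc minute or /sc hourly) where the parent is a
    script host such as powershell.exe or cmd.exe.
  * Sysmon Event ID 13 (registry value set): a new value written under the
    per-user ...\\CurrentVersion\\Run key. Sysmon logs HKCU paths as
    HKU\\<SID>\\..., so both spellings are matched.
The events, hostnames, users and paths below are constructed sample data.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SHORT_TRIGGERS = {"minute", "hourly"}
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)
# One schtasks switch and its optional value: /sc hourly, /tn "Name", /f
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')

# Constructed Sysmon-style events (one dict per event; field names as in Sysmon).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /create /sc hourly /tn "SysUpdate" /tr "C:\Users\Public\svc.exe" /f'},
    {"EventID": 1, "Computer": "WS01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\run.exe"'},
    {"EventID": 13, "Computer": "WS01", "User": r"CORP\jdoe",
     "Image": r"C:\Users\Public\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\Public\svc.exe"},
    {"EventID": 13, "Computer": "WS01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App\Version",
     "Details": "1.0"},
]


def parse_schtasks(cmdline):
    """Map each /switch of a schtasks command line to its value ('' if none)."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"')
            for m in SWITCH_RE.finditer(cmdline)}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a finding dict for one event, or None if nothing matched."""
    if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "schtasks.exe":
        opts = parse_schtasks(ev.get("CommandLine", ""))
        parent = _basename(ev.get("ParentImage", ""))
        if ("create" in opts and opts.get("sc", "").lower() in SHORT_TRIGGERS
                and parent in SCRIPT_HOSTS):
            return {"rule": "scheduled_task", "host": ev.get("Computer"),
                    "task": opts.get("tn"), "action": opts.get("tr"),
                    "trigger": opts["sc"].lower(), "parent": parent}
    if ev.get("EventID") == 13 and RUN_KEY_RE.match(ev.get("TargetObject", "")):
        return {"rule": "run_key", "host": ev.get("Computer"),
                "value": ev["TargetObject"].rsplit("\\", 1)[-1],
                "data": ev.get("Details"), "writer": ev.get("Image")}
    return None


def hunt(events):
    """Run every event through check_event and keep the findings, in log order."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The daily backup task and the installer's uninstall-key write are included as benign controls: the task rule keys on the combination of a short trigger and a script-host parent, and the registry rule on the Run key path alone, so each would need further allow-listing (signed binaries, known software paths) before it is turned into a blocking alert.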
Command and Control
Investigating the C2 infrastructure revealed a dynamic pattern typical of well-resourced threat actors. The Remcos implant initiated communication with a set of hard-coded IP addresses and rotated through several domains to avoid detection. Traffic analysis indicated the use of T1071.001 – Application Layer Protocol: Web Protocols, specifically HTTPS for encrypted communication.
Moreover, we noted that heartbeat signals were sent to the C2 every 30 seconds post-infection, confirming the implant’s active presence within the network. Based on this, we recommend monitoring network traffic for anomalies in outgoing requests, particularly to known malicious IPs and suspicious domain names.
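Because the heartbeat is inside TLS, its content cannot be inspected, but its timing can: a fixed 30-second interval produces a near-zero variance in the gaps between connections to the same destination, which human browsing never does. The script below is an added example written for this report, not tooling from the incident; the flow records, hostnames and the 203.0.113.10 address are constructed sample data, and the minimum-connection and jitter thresholds are assumptions to tune against your own baseline.

```python
"""Flag destinations whose outbound connections recur at a near-fixed interval.

Remcos-style heartbeats (the report notes one every 30 seconds) show up in
proxy or firewall logs as repeated connections to one destination with very
little jitter between them. The coefficient of variation (stddev / mean) of
the inter-connection gaps is close to 0 for a beacon and well above the
threshold for bursty human traffic. All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: timestamp, source host, destination, port.
SAMPLE_FLOWS = """\
2024-05-01T09:00:00Z WS01 203.0.113.10 443
2024-05-01T09:00:05Z WS01 cdn.example.net 443
2024-05-01T09:00:30Z WS01 203.0.113.10 443
2024-05-01T09:00:47Z WS01 mail.example.com 443
2024-05-01T09:01:00Z WS01 203.0.113.10 443
2024-05-01T09:01:30Z WS01 203.0.113.10 443
2024-05-01T09:01:59Z WS01 203.0.113.10 443
2024-05-01T09:02:12Z WS01 cdn.example.net 443
2024-05-01T09:02:30Z WS01 203.0.113.10 443
2024-05-01T09:03:01Z WS01 203.0.113.10 443
2024-05-01T09:03:30Z WS01 203.0.113.10 443
2024-05-01T09:04:00Z WS01 203.0.113.10 443
2024-05-01T09:05:10Z WS01 cdn.example.net 443
2024-05-01T09:06:40Z WS01 cdn.example.net 443
2024-05-01T09:07:00Z WS01 cdn.example.net 443
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return flows


def find_beacons(flows, min_connections=8, max_cv=0.15):
    """Return {(src, dst, port): (mean_gap_seconds, cv)} for periodic pairs.

    min_connections: ignore pairs with too few connections to judge.
    max_cv: largest coefficient of variation still treated as periodic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    beacons = {}
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = (avg, cv)
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (avg, cv) in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{port} every {avg:.1f}s (cv={cv:.3f})")
```

Run this over one-hour windows per source host rather than over a whole day, so that a beacon that starts mid-day is not diluted by earlier traffic. Implants that add random sleep jitter push the coefficient of variation up, so pair the timing check with the destination-reputation monitoring recommended above rather than relying on either alone.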
Lateral Movement & Discovery
After establishing persistence and a solid foothold, the attacker leveraged several lateral movement techniques. Our analysis revealed use of the T1075 – Pass the Hash technique paired with T1021.002 – Remote Services: RDP. The actors used the stolen credentials to access additional systems on the network, broadening their reach and increasing the attack's impact.
Moreover, lateral movement commands in the implant logs indicated access to administrative shares such as ADMIN$ and C$, where further reconnaissance for sensitive information occurred. Subsequent tasks included scanning for available network resources and attempted privilege escalation.
Impact & Objectives
The overarching objective appeared to be exfiltration of sensitive data, including personally identifiable information (PII) and financial records. During the investigation, we identified files being transferred via the implant to the C2 server, which suggests the attackers intended to monetize this data. Given the focus on financial institutions, organizations should consider the possibility of follow-on fraud or identity theft after such a breach.
MITRE ATT&CK Mapping
- T1071.001 – Application Layer Protocol: Web Protocols: Use of web protocols for C2 communication with the implant.
- T1053.005 – Scheduled Task/Job: Scheduled Task: Creating tasks for persistence and execution of the malware payload.
- T1075 – Pass the Hash: Exploiting hashed credentials for lateral movement.
- T1021.002 – Remote Services: RDP: Utilizing RDP for accessing other systems within the network.
Detection Opportunities
- Monitor for unusual outbound connections to domains associated with known phishing campaigns.
- Establish alerts for scheduled task creation that does not follow standard operational procedures.
- Review authentication logs for anomalous NTLM logon events that may indicate pass-the-hash activity.
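The lateral movement section above (pass-the-hash followed by ADMIN$ and C$ access, and RDP between systems) and the third detection opportunity can be covered by one correlation over Windows Security events. The script below is an added example written for this report, not a rule from the incident or from any SIEM vendor; the hosts, users, addresses, the 10.0.5.0/24 workstation range and the 120-second window are constructed assumptions, and the KeyLength-0 heuristic is a known tell worth triage rather than proof on its own.

```python
"""Correlate Windows Security events for the lateral movement described above.

Heuristics (written for this example; tune before deploying):
  * 4624 with LogonType 3 (network), AuthenticationPackageName NTLM and
    KeyLength 0. A normal NTLM network logon negotiates a 128-bit session
    key; a 0 key length on a non-machine account is a common pass-the-hash
    tell and is treated here as a candidate logon, not a verdict.
  * 5140 (network share accessed) for ADMIN$ or <drive>$ from the same
    source address on the same host within WINDOW of a candidate logon.
  * 4624 with LogonType 10 (RemoteInteractive, i.e. RDP) whose source
    address lies in the workstation subnet: RDP from one workstation to
    another rather than from a jump host.
Hosts, users, addresses and the subnet below are constructed sample data.
"""
import ipaddress
import re
from datetime import datetime, timedelta

WORKSTATION_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed client range
ADMIN_SHARE_RE = re.compile(r"\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)
WINDOW = timedelta(seconds=120)

SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T10:00:01Z", "Computer": "FS01",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "KeyLength": 0, "IpAddress": "10.0.5.23", "WorkstationName": "WS01"},
    {"EventID": 5140, "Time": "2024-05-01T10:00:03Z", "Computer": "FS01",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.5.23"},
    {"EventID": 5140, "Time": "2024-05-01T10:00:04Z", "Computer": "FS01",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\C$", "IpAddress": "10.0.5.23"},
    # Routine NTLM logon by a service account: 128-bit key, ordinary share.
    {"EventID": 4624, "Time": "2024-05-01T10:05:00Z", "Computer": "FS01",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "KeyLength": 128, "IpAddress": "10.0.9.4", "WorkstationName": "BK01"},
    {"EventID": 5140, "Time": "2024-05-01T10:05:02Z", "Computer": "FS01",
     "SubjectUserName": "svc_backup", "ShareName": r"\\*\Backups", "IpAddress": "10.0.9.4"},
    # RDP into another workstation from a workstation address.
    {"EventID": 4624, "Time": "2024-05-01T10:20:00Z", "Computer": "WS07",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 10,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "KeyLength": 0, "IpAddress": "10.0.5.23", "WorkstationName": "WS01"},
]


def _ts(ev):
    return datetime.strptime(ev["Time"], "%Y-%m-%dT%H:%M:%SZ")


def is_pth_candidate(ev):
    """4624 network logon over NTLM with a 0-length session key on a user account."""
    user = ev.get("TargetUserName", "")
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("KeyLength") == 0
            and not user.endswith("$") and user.upper() != "ANONYMOUS LOGON")


def is_workstation_rdp(ev):
    """4624 RemoteInteractive logon whose source address is a workstation."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
        return False
    try:
        src = ipaddress.ip_address(ev.get("IpAddress", ""))
    except ValueError:
        return False
    return any(src in net for net in WORKSTATION_NETS)


def correlate(events):
    """Walk events in time order and emit findings for the three heuristics."""
    findings = []
    recent = {}  # (Computer, IpAddress) -> time of the last candidate logon
    for ev in sorted(events, key=_ts):
        t = _ts(ev)
        key = (ev.get("Computer"), ev.get("IpAddress"))
        if is_pth_candidate(ev):
            recent[key] = t
            findings.append({"rule": "ntlm_keylength0_logon", "host": ev["Computer"],
                             "user": ev["TargetUserName"], "src": ev["IpAddress"],
                             "time": ev["Time"]})
        elif ev.get("EventID") == 5140 and ADMIN_SHARE_RE.search(ev.get("ShareName", "")):
            last = recent.get(key)
            if last is not None and t - last <= WINDOW:
                findings.append({"rule": "admin_share_after_pth", "host": ev["Computer"],
                                 "user": ev.get("SubjectUserName"), "src": ev["IpAddress"],
                                 "share": ev["ShareName"],
                                 "seconds_after_logon": (t - last).total_seconds()})
        elif is_workstation_rdp(ev):
            findings.append({"rule": "workstation_to_workstation_rdp", "host": ev["Computer"],
                             "user": ev["TargetUserName"], "src": ev["IpAddress"],
                             "time": ev["Time"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The service-account logon and its Backups share access are included as a benign control: a 128-bit key and a non-administrative share match none of the rules. In production, feed the correlation from the hosts' forwarded Security logs (5140 requires the "Audit File Share" subcategory to be enabled), and treat the admin-share-after-logon finding, not the bare KeyLength-0 logon, as the one that pages an analyst.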
Analyst Notes
This incident underscores the efficacy of social engineering tactics, combined with robust persistence and lateral movement strategies employed by sophisticated threat actors. The ability to pivot across a network post-exploitation highlights the necessity for organizations to enhance their security posture and implement rigorous monitoring practices, especially with phishing as a primary vector. Continued education is paramount for employees to mitigate these risks at the initial access stage.
Source: Original Report