This campaign involved the use of PowerShell, secured C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.
Spear Phishing Attack
Experts say spear phishing was the primary means of initial compromise, and that the attacks targeted at least two high-profile military contractor companies.
‘Spear phishing’ is an email or electronic-communications scam targeted at a specific individual, organization or business. Although it is often used to steal data for malicious purposes, cybercriminals may also use it to install malware on a targeted user’s computer.
To avoid detection, the shortcut file hides its execution by calling forfiles rather than cmd.exe or powershell.exe directly, relying on the unusual “C:\Windows\System32\ForFiles.exe” command to run its commands.
The obfuscation techniques include reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, reordering, string replacement, and backtick obfuscation.
Researchers say the script scans for a list of processes linked to debugging and monitoring software, checks that the screen height is above 777 pixels and the memory is above 4GB to evade sandboxes, and verifies that the system was installed more than three days ago.
If any of these checks fails, the script disables the system’s network adapters, configures the Windows Firewall to block all traffic, deletes everything on all detected drives, and then shuts down the computer.
If all checks pass, the script disables PowerShell Script Block Logging and adds Windows Defender exclusions for “.lnk,” “.rar,” and “.exe” files, as well as for directories critical to the malware’s operation.
“While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis,” Securonix researchers said.
“Our attempts to decode the payload would only produce garbage data.”
Domains Used In Various Portions of the Attack Chain:
Overall, this was a sophisticated attack, with the threat actor paying specific attention to opsec. Researchers say persistence is achieved through multiple methods, including adding new Registry keys, embedding the script in a scheduled task, adding a new entry in the Startup directory, and creating WMI subscriptions.
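The behaviours described above (forfiles used as a command proxy, Script Block Logging turned off, Defender exclusions added, and the four persistence methods) all leave traces in standard Windows telemetry. The following Python script is an added example, not code from the original article or from Securonix: it runs a small set of detection rules over constructed sample events that mimic Sysmon (IDs 1, 11, 13, 19–21), Windows Security (4698) and Defender Operational (5007) log fields. The dict field names and every sample value are assumptions made for this example and are not indicators from the campaign.

```python
import re

# Constructed sample telemetry, simplified into dicts. The keys mirror Sysmon and
# Windows event fields (Image, CommandLine, TargetObject, ...) but every value is
# made up for this example; none of it is an indicator from the real campaign.
SAMPLE_EVENTS = [
    # Sysmon 1 (process creation): forfiles.exe launching a hidden PowerShell via /c
    {"source": "Sysmon", "id": 1, "image": r"C:\Windows\System32\forfiles.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'forfiles /p c:\\windows\\system32 /m notepad.exe /c "cmd /c powershell -w hidden -e ..."'},
    # Sysmon 13 (registry value set): Script Block Logging policy set to 0
    {"source": "Sysmon", "id": 13,
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging",
     "details": "DWORD (0x00000000)"},
    # Defender Operational 5007 (configuration changed): extension exclusion added
    {"source": "Defender", "id": 5007,
     "message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.lnk = 0x0"},
    # Sysmon 13: Run key persistence
    {"source": "Sysmon", "id": 13,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "powershell.exe -w hidden -e ..."},
    # Security 4698: scheduled task created
    {"source": "Security", "id": 4698, "task_name": r"\Updater",
     "task_content": "<Command>powershell.exe</Command>"},
    # Sysmon 11 (file create): shortcut dropped into the Startup folder
    {"source": "Sysmon", "id": 11,
     "target_filename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # Sysmon 20: WMI event consumer registered
    {"source": "Sysmon", "id": 20, "name": "Updater", "type": "Command Line",
     "destination": "powershell.exe -e ..."},
    # Benign process creation that should produce no alert
    {"source": "Sysmon", "id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]


def forfiles_proxy_execution(ev):
    """Flag forfiles.exe being used with /c to launch another command."""
    if ev.get("source") != "Sysmon" or ev.get("id") != 1:
        return None
    image = ev.get("image", "").lower()
    if image.endswith("\\forfiles.exe") and re.search(r"\s/c\s", ev.get("command_line", ""), re.I):
        return f"forfiles.exe used as a command proxy: {ev['command_line']}"
    return None


def script_block_logging_disabled(ev):
    """Flag the Script Block Logging policy value being written as 0."""
    if ev.get("source") == "Sysmon" and ev.get("id") == 13:
        target = ev.get("target_object", "")
        if (target.lower().endswith("\\scriptblocklogging\\enablescriptblocklogging")
                and ev.get("details", "").endswith("(0x00000000)")):
            return f"PowerShell Script Block Logging disabled via {target}"
    return None


def defender_exclusion_added(ev):
    """Flag a Defender 5007 configuration change that introduces an exclusion."""
    if ev.get("source") == "Defender" and ev.get("id") == 5007:
        m = re.search(r"\\Exclusions\\(Extensions|Paths|Processes)\\(.+?) = ", ev.get("message", ""))
        if m:
            return f"Defender exclusion added ({m.group(1)}): {m.group(2)}"
    return None


def persistence_mechanism(ev):
    """Flag the four persistence methods named in the article."""
    src, eid = ev.get("source"), ev.get("id")
    if src == "Sysmon" and eid == 13 and "\\currentversion\\run\\" in ev.get("target_object", "").lower():
        return f"Run key persistence: {ev['target_object']}"
    if src == "Security" and eid == 4698:
        return f"Scheduled task created: {ev.get('task_name')}"
    if src == "Sysmon" and eid == 11 and "\\start menu\\programs\\startup\\" in ev.get("target_filename", "").lower():
        return f"Startup folder drop: {ev['target_filename']}"
    if src == "Sysmon" and eid in (19, 20, 21):
        return f"WMI subscription component (Sysmon event {eid}): {ev.get('name')}"
    return None


RULES = [forfiles_proxy_execution, script_block_logging_disabled,
         defender_exclusion_added, persistence_mechanism]


def run_rules(events):
    """Apply every rule to every event; return (rule name, detail) pairs."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((rule.__name__, hit))
    return alerts


if __name__ == "__main__":
    for name, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Each rule keys on a field a real SIEM would already have parsed, so the same logic ports to a Sigma rule or a KQL/SPL query; the point is that none of the steps in the chain is silent if Sysmon, the Security log and the Defender Operational log are being collected. Note that the Script Block Logging rule fires on the registry write itself, which is exactly why forwarding logs off-host matters: once the policy is flipped, later script content will not be recorded.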