DONOT APT Attack

Subject: DONOT APT Attack

Tactics: TA0011 Command and Control, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access, TA0003 Persistence

Technique: T1071.001 Application Layer Protocol: Web Protocols, T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1041 Exfiltration Over C2 Channel, T1566.001 Phishing: Spearphishing Attachment, T1053.005 Scheduled Task/Job: Scheduled Task

Procedure:

  1. The attacker sends a spearphishing email containing a malicious Office document that exploits the vulnerability CVE-2017-11882.
  2. Upon opening the document, the exploit triggers, allowing the attacker to execute a command that launches the next stage of the attack.
  3. A scheduled task named “Schedule” is created to execute a malicious DLL file via rundll32.exe every 5 minutes, ensuring persistence.
  4. The scheduled task establishes communication with the attacker’s command-and-control (C2) server using the HTTP protocol.
  5. The attacker sends commands and exfiltrates data over the established C2 channel.

Vulnerability: EAV0007 When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.

Engagement Opportunity:

  • Honeypot (E0030): Set up a decoy machine or network segment that mimics the target environment to attract the attacker and engage with them. This can help gather intelligence on their tools, techniques, and procedures (TTPs) and potentially disrupt their operations.
  • Network Monitoring (D0025): Implement robust network monitoring tools and techniques to detect suspicious network connections and communications with known C2 servers. This can include intrusion detection systems (IDS), network traffic analysis (NTA), and security information and event management (SIEM) solutions.
  • Endpoint Detection and Response (EDR) (D0015): Deploy EDR solutions on endpoints to monitor for malicious processes, scheduled tasks, and other suspicious activities. EDR solutions can provide real-time visibility into endpoint activity and enable rapid response to threats.

Threat Actor: DONOT APT (example)

Threat Objective:

Data exfiltration, command execution, potential lateral movement

Deception Opportunity:

  • Decoy Data (D0005): Plant fake sensitive data within the target environment to lure the attacker and deceive them into exfiltrating false information. This can waste their time and resources, and potentially expose their TTPs.
  • False C2 Server (D0010): Create a fake C2 server that mimics the real one to intercept attacker communications and gather intelligence on their activities. This can help understand their objectives, infrastructure, and potentially identify other victims.

Sensor Data Placement: Application

Observable Level: Ephemeral Values

Scoring Rationale:

  • Sensor Data Placement:
    • Application (email client, Office application)
    • User-Mode (process execution, scheduled tasks)
    • Kernel-Mode (network connections)
  • Observable Level:
    • Ephemeral Values (specific command-line arguments)
    • Core to Adversary-Brought Tool (the malicious Office document, the scheduled task name)
    • Core to Pre-Existing Tool (rundll32.exe execution)
    • Core to Some Implementations of (Sub-)Technique (HTTP for C2)
    • Core to Sub-Technique or Technique (data exfiltration over C2)
  • Scoring Rationale: The scoring reflects the combination of data sources and the varying levels of observable modification difficulty. Some observables are specific to the attacker’s tools, while others are more fundamental to the techniques themselves, providing a range of detection opportunities.
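Detection logic for the persistence node of this chain, as an added example that is not part of the original record: it scores a Windows Security event 4698 (scheduled task created) against the observable levels listed in the scoring rationale above, so each match is tagged with how easily the adversary could change it. The event fields, the DLL path C:\Users\Public\stage2.dll and the function name score_task_event are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions (the TaskContent field of event 4698).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample event (not from the original record), reduced to the
# three fields the scoring logic needs.
SAMPLE_EVENT = {
    "EventID": 4698,
    "TaskName": "\\Schedule",
    "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\Users\\Public\\stage2.dll,Start</Arguments>
  </Exec></Actions>
</Task>""",
}


def score_task_event(event: dict) -> list[tuple[str, str]]:
    """Return (observable level, finding) pairs for one task-creation event."""
    findings: list[tuple[str, str]] = []
    if event.get("EventID") != 4698:
        return findings
    root = ET.fromstring(event["TaskContent"])
    # The task name is chosen by the adversary: Core to Adversary-Brought Tool.
    if event.get("TaskName", "").lstrip("\\").lower() == "schedule":
        findings.append(("Core to Adversary-Brought Tool", "task name 'Schedule'"))
    for exe in root.iter(f"{TASK_NS}Exec"):
        cmd = (exe.findtext(f"{TASK_NS}Command") or "").strip()
        args = (exe.findtext(f"{TASK_NS}Arguments") or "").strip()
        # rundll32.exe is a signed OS binary the attacker did not bring: Core to Pre-Existing Tool.
        if cmd.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
            findings.append(("Core to Pre-Existing Tool", "rundll32.exe as task action"))
            # DLL path and export are trivially changed per campaign: Ephemeral Values.
            if ".dll" in args.lower():
                findings.append(("Ephemeral Values", f"rundll32 loads {args}"))
    # A 5-minute repetition is how this implementation beacons, not the technique itself.
    for interval in root.iter(f"{TASK_NS}Interval"):
        if (interval.text or "").strip().upper() == "PT5M":
            findings.append(("Core to Some Implementations of (Sub-)Technique",
                             "task repeats every 5 minutes"))
    return findings
```

The same function returns an empty list for events that are not 4698 or for tasks whose action is not rundll32.exe, so it can be run unchanged over a full export of task-creation events.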

Link to Report:

Link to Report II.:

Additional Comments:

The attack chain highlights the importance of a multi-layered defense strategy that combines user awareness training, system monitoring, network monitoring, and deception techniques to effectively counter sophisticated threats like DONOT APT.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: DONOT APT Attack Graph

[1]: Initial Access (TA0001) - Phishing: Spearphishing Attachment (T1566.001) - Email with malicious Office document exploiting CVE-2017-11882 (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Command and Scripting Interpreter: Windows Command Shell (T1059.003) - Execute command to launch next stage (Core to Pre-Existing Tool)
[3]: Persistence (TA0003) - Scheduled Task/Job: Scheduled Task (T1053.005) - Create scheduled task "Schedule" to execute DLL via rundll32.exe every 5 minutes (Core to Some Implementations of (Sub-)Technique)
[4]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001) - Communicate with C2 server using HTTP (Core to Adversary-Brought Tool)
[5]: Exfiltration (TA0010) - Exfiltration Over C2 Channel (T1041) - Exfiltrate data over HTTP C2 channel (Core to Sub-Technique or Technique)

1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of System Monitoring)
3 --> 4 (Lack of Network Monitoring)
4 --> 5 (Lack of Network Monitoring)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Example: DONOT APT Pseudocode

function Initial_Access_Spearphishing_Attachment(target_email):
    # Craft spearphishing email with malicious Office document exploiting CVE-2017-11882
    # Send email to target_email
    return execution_payload

function Execution_Command_and_Scripting_Interpreter(execution_payload):
    # Execute Windows command to launch next stage
    return persistence_payload

function Persistence_Scheduled_Task(persistence_payload):
    # Create scheduled task "Schedule" to execute DLL via rundll32.exe every 5 minutes
    return C2_communication_module

function Command_and_Control_Application_Layer_Protocol(C2_communication_module):
    # Establish HTTP connection with C2 server
    # Receive commands and exfiltrate data
    return exfiltrated_data

function Exfiltration_Exfiltration_Over_C2_Channel(exfiltrated_data):
    # Send exfiltrated_data to C2 server over HTTP
    return success
