Subject: Engage Report: Double-Tap Campaign – Espionage in Central Asia
Tactics: TA0005 Defense Evasion, TA0003 Persistence
Technique: T1053 Scheduled Task/Job
Procedure:
- A malicious macro in the initial Word document creates a second blank document and weaponizes it with another malicious macro.
- The second macro creates a scheduled task named “SettingsService Dispatch” using RegisterTaskDefinition.
- This task executes an HTA file containing the HATVIBE backdoor every four minutes using mshta.exe.
Vulnerability:
- EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
- EAV0007: When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.
Engagement Opportunity:
- Educate users about the risks of opening suspicious email attachments and enabling macros in Office documents.
- Implement strict email filtering rules to block or quarantine suspicious attachments.
- Deploy endpoint detection and response (EDR) solutions to monitor for malicious activity and automatically remediate threats.
Threat Actor: UAC-0063 (possibly related to APT28)
Threat Objective:
Gather strategic and economic intelligence on Central Asian countries, particularly Kazakhstan’s relations with other countries.
Deception Opportunity:
- Create decoy diplomatic documents or correspondence with fabricated information to mislead attackers and track their activity.
- Deploy honeypot systems mimicking government institutions or diplomatic entities to attract attackers and gather intelligence on their TTPs.
Sensor Data Placement: Kernel-Mode
Observable Level: Core to Some Implementations of (Sub-)Technique
Scoring Rationale:
Detecting the registry key modification for persistent macro execution requires monitoring kernel-level events and identifying specific behaviors core to the technique, such as modifying the HKCU\Software\Microsoft\Office\[VERSION]\Word\Security\AccessVBOM key.
Link to Report:
Link to Report II.:
Additional Comments:
The Double-Tap campaign highlights the continued use of sophisticated techniques by APT groups to compromise high-value targets and evade detection.
Possible elements: Deceptive Document Watermarks, Honeyfile Documents
MSG (Pseudocode):
T1053 - Scheduled Task/Job
  Implementations
    Double-Tap Macro Technique
    RegisterTaskDefinition Usage
    mshta.exe Execution
    Periodic Backdoor Execution
  Observables
    Registry Key Modification
      Level 5: Core to Sub-Technique or Technique
      Scoring Rationale: The modification of the AccessVBOM registry key is a crucial step in enabling persistent macro execution without user interaction, making it a highly robust indicator of this specific implementation of the Scheduled Task/Job technique.
    Scheduled Task Creation
      Level 4: Core to Some Implementations of (Sub-)Technique
      Scoring Rationale: While the creation of a scheduled task is a common method for achieving persistence, it is not universally employed in all instances of the Scheduled Task/Job technique. However, in the context of the Double-Tap campaign, it is central to the attacker's strategy for maintaining access.
    mshta.exe Execution
      Level 3: Core to Pre-Existing Tool or Inside Boundary
      Scoring Rationale: The execution of mshta.exe, a legitimate Windows binary, is not inherently malicious. However, its use in conjunction with a scheduled task and a malicious HTA payload makes it a valuable indicator of compromise.
    Network Connections
      Level 2: Core to Adversary-Brought Tool or Outside Boundary
      Scoring Rationale: Monitoring network connections initiated by mshta.exe can help identify communication with the attacker's C2 server. However, this observable is dependent on the attacker's infrastructure and may be obfuscated or proxied.
Notes
* Defenders should focus on monitoring registry key modifications, scheduled task creation, and suspicious process execution, particularly involving mshta.exe.
* Deception opportunities can be created by planting decoy documents and deploying honeypots to lure attackers and gather intelligence on their activities.
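Detection logic for the two observables the Notes single out, covering both the Procedure (a RegisterTaskDefinition task that runs mshta.exe every four minutes) and the Scoring Rationale (the AccessVBOM registry write), as an added example that is not part of the original report: it parses a scheduled-task definition XML and a registry-write event. The task XML, the HTA path and the registry value strings are constructed samples, and the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
WATCHED_BINARIES = {"mshta.exe"}  # task actions worth alerting on; extend as needed
# Word's AccessVBOM value under HKCU for any Office version, per the scoring rationale.
VBOM_RE = re.compile(r"^(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Office\\"
                     r"\d+\.\d+\\\w+\\Security\\AccessVBOM$", re.IGNORECASE)
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed task definition modelled on the report (task name and 4-minute
# interval from the report; the HTA path is a placeholder), not a real capture.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SettingsService Dispatch</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT4M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\mshta.exe</Command>
    <Arguments>C:\\Users\\Public\\PLACEHOLDER.hta</Arguments>
  </Exec></Actions>
</Task>"""

def iso_duration_seconds(text):
    """Convert an ISO 8601 duration such as PT4M to seconds; None if unparsable."""
    m = DURATION_RE.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task(xml_text, max_interval_s=600):
    """List the reasons a task definition resembles the Double-Tap persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        exe = (cmd.text or "").strip().strip('"').rsplit("\\", 1)[-1].lower()
        if exe in WATCHED_BINARIES:
            reasons.append(f"action runs {exe}")
    for iv in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        secs = iso_duration_seconds(iv.text or "")
        if secs is not None and secs <= max_interval_s:  # tight beaconing cadence
            reasons.append(f"repeats every {secs}s")
    return reasons

def is_vbom_tamper(reg_path, new_value):
    """True when a registry write sets AccessVBOM to 1 (trusted access to the VBA object model)."""
    num = re.search(r"0x[0-9a-fA-F]+|\d+", str(new_value))  # "DWORD (0x00000001)" or "1"
    return bool(VBOM_RE.match(reg_path)) and num is not None and int(num.group(), 0) == 1
```

Feed `analyze_task` the XML from task-creation events (Security 4698 carries it) and `is_vbom_tamper` the target object and new value from registry-write events; a task hitting both checks plus a matching AccessVBOM write on the same host is the combination the report describes.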