DONOT APT Attack

  1. The attacker sends a spearphishing email containing a malicious Office document that exploits the vulnerability CVE-2017-11882.
  2. Upon opening the document, the exploit triggers, allowing the attacker to execute a command that launches the next stage of the attack.
  3. A scheduled task named “Schedule” is created to execute a malicious DLL file via rundll32.exe every 5 minutes, ensuring persistence.
  4. The scheduled task establishes communication with the attacker’s command-and-control (C2) server using the HTTP protocol.
  5. The attacker sends commands and exfiltrates data over the established C2 channel.

Ursnif Trojan – Stealthy Memory Execution

T1566.001 – Attackers send emails containing a malicious LNK file disguised as a PDF document, likely targeting business professionals in the United States.

T1140 – The LNK file uses certutil.exe to decode a Base64-encoded payload.

T1562.004 – The malware uses PowerShell commands to disable Windows Defender.

T1059.003 – The decoded payload is executed using cmd.exe, leading to the execution of the Ursnif banking Trojan.

T1071.001 – The malware establishes communication with a command-and-control (C2) server using web protocols, likely HTTP or HTTPS.

T1041 – The malware exfiltrates stolen sensitive information, such as banking credentials and personal data, to the C2 server.

COLDRIVER – SPICA malware

The APT group COLDRIVER uses spearphishing to deliver malware, with PDFs serving as the lure documents.

COLDRIVER – UNC4057, Star Blizzard and Callisto

The attacker, impersonating experts or affiliates, sends a phishing link or document containing a link to a “decryption” utility. This utility is malware (SPICA backdoor) that gives the attacker access to the victim’s machine. The malware establishes persistence, communicates with a C2 server using JSON over WebSockets, and then collects and exfiltrates data.


The Bear and the Shell

T1566.001 – Procedure: The adversary sent spearphishing emails to individuals and organizations critical of the Russian government, using lures such as NASA job offers and articles from independent Russian media outlets. The emails contained malicious ZIP files with LNK files disguised as PDFs. When opened, these executed a PowerShell script to install a reverse shell.

T1059.001 – Procedure: The LNK file, when opened, executes a PowerShell script that decodes and executes a Base64-encoded command. This command downloads and installs the HTTP-Shell, a multiplatform reverse shell.

T1036 – Procedure: The adversary used a NASA-themed lure and designed the command-and-control server to resemble a legitimate PDF editing site to avoid detection.

T1071.001 – Procedure: The HTTP-Shell uses web protocols (HTTP) to communicate with the command-and-control server, enabling the adversary to send commands and receive data.

T1041 – Procedure: The HTTP-Shell allows the adversary to upload and download files, likely facilitating the exfiltration of data from the victim’s machine over the established command-and-control channel.

Campaign against Russian Opposition

The attacker may use phishing emails with malicious attachments to deliver and execute a malicious tool, such as a reverse shell, on the victim’s machine. The tool will likely use web protocols to communicate with the attacker’s C2 server.

Phishing by Design – Two-Step Attacks Using Microsoft Visio Files

  • Initial Access: Attackers compromise a legitimate email account and send phishing emails containing a malicious URL, either directly in the email body or within an attached .eml file. The email often impersonates a trusted entity and may include branding to appear legitimate. The URL leads to a compromised SharePoint page hosting a weaponized Visio (.vsdx) file.
  • Execution: The Visio file contains a malicious URL hidden behind a clickable element, such as a “View Document” button. Victims are instructed to hold down the Ctrl key while clicking the element to access the URL, a technique designed to evade automated security scanners. This URL redirects the victim to a fake Microsoft login page designed to steal credentials.
  • Persistence (Implied): Although not explicitly mentioned in the document, attackers likely leverage the stolen credentials for persistent access to the victim’s environment. This may involve establishing backdoors, creating new accounts, or modifying existing ones.
  • Command and Control: After gaining access, attackers likely establish a command-and-control (C2) channel using application layer protocols like HTTP to communicate with the compromised system, issue commands, and manage the attack.
  • Exfiltration: Attackers exfiltrate sensitive data from the victim’s environment over the established C2 channel.

DONOT APT’s Attack on Maritime & Defense Manufacturing

  • Technique: Spearphishing Attachment (T1566.001)
  • Procedure: DONOT APT used spearphishing emails with malicious attachments, likely exploiting Microsoft Office vulnerabilities (e.g., CVE-2017-11882) to deliver the initial payload. These emails were likely tailored to individuals working in Pakistan’s maritime and defense sector.
  • Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
  • Procedure: Upon successful exploitation of the vulnerability, the malicious attachment executes a Windows Command Shell command to launch the next stage of the attack.
  • Technique: Scheduled Task/Job: Scheduled Task (T1053.005)
  • Procedure: The malware creates a scheduled task named “Schedule” to execute the malicious DLL payload via rundll32.exe every 5 minutes. This ensures the malware’s persistence on the compromised system.
  • Technique: Application Layer Protocol: HTTP (T1071.001)
  • Procedure: The malware communicates with its command-and-control (C2) server using HTTP for receiving commands and exfiltrating data.
  • Technique: Exfiltration Over C2 Channel (T1041)
  • Procedure: Sensitive data stolen from the victim’s system is likely exfiltrated to the attacker’s C2 server over the established HTTP communication channel.
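As an added detection example (not code from any of the reports summarized above), the following Python scans constructed Sysmon-style process-creation events for three observables this page names: an Office process spawning cmd.exe (the CVE-2017-11882 chain in the DONOT attacks), a minute-interval scheduled task whose action is rundll32.exe (DONOT's “Schedule” task), and certutil decoding a dropped file (the Ursnif LNK stage). The field names, paths and command lines in the sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

# Constructed process-creation events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "%TEMP%\stage2.cmd"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Schedule /sc minute /mo 5 /tr "rundll32.exe %APPDATA%\x.dll,Start"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -decode %USERPROFILE%\Downloads\report.pdf.lnk.txt %TEMP%\p.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\u\notes.txt"},
]

def office_spawns_shell(e: Event) -> bool:
    """Office process (or its equation editor) starting cmd.exe: the exploit-to-command step."""
    parent_is_office = re.search(r"\\(WINWORD|EXCEL|POWERPNT|EQNEDT32)\.EXE$", e["ParentImage"], re.I)
    return bool(parent_is_office) and e["Image"].lower().endswith(r"\cmd.exe")

def rundll32_minute_task(e: Event) -> bool:
    """schtasks creating a minute-interval task whose action is rundll32 (the DONOT persistence pattern)."""
    cl = e["CommandLine"]
    return (e["Image"].lower().endswith(r"\schtasks.exe")
            and re.search(r"/create\b", cl, re.I) is not None
            and re.search(r"/sc\s+minute\b", cl, re.I) is not None
            and "rundll32" in cl.lower())

def certutil_decode(e: Event) -> bool:
    """certutil used as a decoder for a dropped payload (the Ursnif LNK stage)."""
    return re.search(r"\bcertutil(\.exe)?\b.*\s-decode(hex)?\b", e["CommandLine"], re.I) is not None

RULES = [
    ("T1059.003", "Office app spawned cmd.exe", office_spawns_shell),
    ("T1053.005", "minute-interval scheduled task running rundll32", rundll32_minute_task),
    ("T1140", "certutil -decode of a dropped file", certutil_decode),
]

def task_name(cl: str) -> Optional[str]:
    """Pull the /tn value out of a schtasks command line, quoted or bare; None if absent."""
    m = re.search(r'/tn\s+("([^"]+)"|(\S+))', cl, re.I)
    return (m.group(2) or m.group(3)) if m else None

def scan(events: List[Event]) -> List[Dict[str, Optional[str]]]:
    """Return one hit per (event, rule) match, carrying the task name when the line names one."""
    hits: List[Dict[str, Optional[str]]] = []
    for e in events:
        for tid, why, pred in RULES:
            if pred(e):
                hits.append({"technique": tid, "why": why,
                             "task": task_name(e["CommandLine"]), "command": e["CommandLine"]})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(h["technique"], h["why"], h["task"] or "", "|", h["command"])
```

The rules key on parent/child relationships and command-line arguments rather than file hashes, so they survive a re-packed DLL or a renamed dropper.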