The attacker is using spearphishing emails with malicious attachments to deliver malware, which then establishes command and control and collects system information.
Tag: T1059.003
Engage Report: Head Mare Group’s PhantomCore Campaign
The Head Mare group distributes malicious ZIP archives, likely through spam emails disguised as invoices or financial documents, to deceive recipients into executing the malicious payload.
Unveiling RevC2 and Venom Loader
- Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
- Execution: The LNK file executes an obfuscated batch script, which downloads and executes various payloads, including RevC2 and Venom Loader. Venom Loader utilizes DLL side-loading and JavaScript for execution.
- Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
- Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
- Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
- Collection: RevC2 steals cookies, passwords, and takes screenshots.
- Exfiltration: Stolen data is exfiltrated over the C2 channel.
RomCom – Firefox and Windows Exec Duo
T1189 – RomCom actors created a fake website that redirects the potential victim to a server hosting exploits for a Firefox zero-day vulnerability (CVE-2024-9680) and a Windows zero-day vulnerability (CVE-2024-49039). The exploit chain requires no user interaction; if a victim using a vulnerable browser visits the fake website, the vulnerabilities are triggered, and the RomCom backdoor is installed on the victim’s computer.
T1190 – The attackers exploit a use-after-free vulnerability (CVE-2024-9680) in the Firefox browser to gain initial code execution within the browser’s sandboxed environment.
T1068 – After gaining code execution in the browser, the attackers leverage a Windows vulnerability (CVE-2024-49039) to escape the Firefox sandbox and gain elevated privileges on the victim’s system.
T1059.003 – The attackers execute PowerShell code to download and execute the next stage of the attack, which includes the RomCom backdoor.
T1543.003 – A scheduled task named “firefox.exe” is created to maintain persistent access to the compromised system. This task executes the RomCom backdoor at regular intervals.
T1071.001 – The RomCom backdoor communicates with its command-and-control (C2) server using HTTPS, allowing the attackers to remotely control the compromised system.
Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure
T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.
T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.
T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.
T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.
T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.
T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
DONOT Hunt Me
A threat actor is utilizing spearphishing emails with malicious attachments to gain initial access, establish persistence via scheduled tasks, and exfiltrate data over HTTP.
DONOT APT Attack
- The attacker sends a spearphishing email containing a malicious Office document that exploits the vulnerability CVE-2017-11882.
- Upon opening the document, the exploit triggers, allowing the attacker to execute a command that launches the next stage of the attack.
- A scheduled task named “Schedule” is created to execute a malicious DLL file via
rundll32.exeevery 5 minutes, ensuring persistence. - The scheduled task establishes communication with the attacker’s command-and-control (C2) server using the HTTP protocol.
- The attacker sends commands and exfiltrates data over the established C2 channel.
Ursnif Trojan – Stealthy Memory Execution
T1566.001 – Attackers send emails containing a malicious LNK file disguised as a PDF document, likely targeting business professionals in the United States.
T1140 – The LNK file uses certutil.exe to decode a Base64-encoded payload.
T1562.004 – The malware uses PowerShell commands to disable Windows Defender.
T1059.003 – The decoded payload is executed using cmd.exe, leading to the execution of the Ursnif banking Trojan.
T1071.001 – The malware establishes communication with a command-and-control (C2) server using web protocols, likely HTTP or HTTPS.
T1041 – The malware exfiltrates stolen sensitive information, such as banking credentials and personal data, to the C2 server.
DONOT APT’s Attack on Maritime & Defense Manufacturing
- Technique: Spearphishing Attachment (T1566.001)
- Procedure: DONOT APT used spearphishing emails with malicious attachments, likely exploiting Microsoft Office vulnerabilities (e.g., CVE-2017-11882) to deliver the initial payload. These emails were likely tailored to individuals working in Pakistan’s maritime and defense sector.
- Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
- Procedure: Upon successful exploitation of the vulnerability, the malicious attachment executes a Windows Command Shell command to launch the next stage of the attack.
- Technique: Scheduled Task/Job: Scheduled Task (T1053.005)
- Procedure: The malware creates a scheduled task named “Schedule” to execute the malicious DLL payload via
rundll32.exeevery 5 minutes. This ensures the malware’s persistence on the compromised system.
- Technique: Application Layer Protocol: HTTP (T1071.001)
- Procedure: The malware communicates with its command-and-control (C2) server using HTTP for receiving commands and exfiltrating data.
- Technique: Exfiltration Over C2 Channel (T1041)
- Procedure: Sensitive data stolen from the victim’s system is likely exfiltrated to the attacker’s C2 server over the established HTTP communication channel.