Incident Analysis Practical Report: Phishing Attack Leading to Malware Deployment and Lateral Movement

2025-02-15

Initial Access – Phishing Attack

The attacker crafted a phishing email posing as a job applicant and sent it to an IT employee. The employee unknowingly clicked on a malicious link, leading to the download of a file that appeared to be a CV but was, in reality, a compressed archive containing a harmful shortcut file.

Tactic: Social Engineering

Techniques Used:

  • Fake job application email
  • Malicious link to an external resource
  • Archive containing an LNK (shortcut) file

Execution – Malware Deployment

Once the shortcut file was executed, it retrieved additional malicious components from an external server. The malware used a legitimate but compromised configuration file to initiate further infection.

Techniques Used:

  • Execution of a disguised shortcut file
  • Downloading additional payloads from a remote server
  • Use of a malicious Component Object Model (COM) script

Indicators of Compromise (IoCs):

  • Suspicious IP address associated with the malware’s download activity
  • COM script responsible for fetching the main payload
  • Dropped DLL file that contributed to persistence

Persistence & Command & Control (C2)

To maintain persistence, the attacker created a scheduled task to execute their payload at regular intervals. A trusted Windows binary was abused to execute an encrypted payload that established communication with an external C2 server.

Techniques Used:

  • Scheduled task creation
  • Trusted binary abuse for payload execution
  • Deployment of a beacon to establish C2 communication
  • Monitoring of system performance metrics to evade detection

Privilege Escalation & Lateral Movement

The attacker sought to escalate privileges by dumping credentials and hijacking a process running with administrative rights. They used a specific Windows process to gain higher privileges. During this phase, a failed attempt to execute a Python-based script was observed, along with a leaked portion of their C2 framework source code.

Tactic: Privilege Escalation & Lateral Movement

Techniques Used:

  • Dumping credentials for domain admin access
  • Hijacking a legitimate Windows process
  • Python-based C2 framework
  • Discovery of attacker’s C2 server details due to an operational mistake
  • RDP used for lateral movement
  • Attempted lateral movement using Windows Admin Shares

Post-Exploitation & Impact

The attacker attempted to exploit a known vulnerability to gain persistence and further control over the compromised network. A ZIP archive containing exploit tools was dropped on the system, and an execution command was used to launch the exploit.

Tactic: Post-Exploitation & Impact – Exploit Public-Facing Application

Techniques Used:

  • Exploitation of a known vulnerability
  • Deployment of a ZIP archive containing malicious files
  • Failed RDP access attempts with stolen credentials
  • Creation of a hidden backdoor account for persistent access

What Undercode Say

This incident highlights the importance of robust cybersecurity practices, particularly in defending against phishing attacks and malware deployment. Here are some practical commands and techniques to mitigate such threats:

1. Detecting Malicious Scheduled Tasks:

Use the following PowerShell command to list all scheduled tasks with their state and last run time (the last run time is exposed by `Get-ScheduledTaskInfo`, not by `Get-ScheduledTask` itself):

Get-ScheduledTask | ForEach-Object { $i = $_ | Get-ScheduledTaskInfo; [pscustomobject]@{ TaskName = $_.TaskName; State = $_.State; LastRunTime = $i.LastRunTime } }
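The listing above is a starting point; the persistence described in this incident was a task that launched a trusted Windows binary. The script below is an added example (not from the original post) that joins each task with its run history and flags tasks whose action executes one of a list of commonly abused binaries, or that live outside the \Microsoft\ task tree. The list of binaries is an assumption for illustration.

```powershell
# Added example: triage scheduled tasks for the "trusted binary abuse" persistence
# pattern. The binary list below is an assumption, not something from the incident.
$suspectBinaries = @('rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe',
                     'cscript.exe', 'powershell.exe', 'cmd.exe', 'msiexec.exe')

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo   # LastRunTime, NextRunTime, LastTaskResult
        foreach ($action in $task.Actions) {
            # Only ExecAction objects carry an Execute path; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
            $abusable = $suspectBinaries -contains $exe
            # Tasks outside the built-in \Microsoft\ tree deserve a look regardless.
            $thirdParty = $task.TaskPath -notlike '\Microsoft\*'
            if (-not ($abusable -or $thirdParty)) { continue }
            $reason = if ($abusable) { 'abusable binary' } else { 'non-Microsoft task path' }
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                State      = $task.State
                Author     = $task.Author
                Execute    = $action.Execute
                Arguments  = $action.Arguments
                LastRun    = $info.LastRunTime
                NextRun    = $info.NextRunTime
                LastResult = $info.LastTaskResult
                Reason     = $reason
            }
        }
    }
}

# Most recently executed suspects first; review Execute/Arguments by hand.
Get-SuspiciousScheduledTask | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so tasks registered by other accounts are visible.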

2. Monitoring Network Connections:

Use `netstat` to identify suspicious connections:

netstat -an | findstr "ESTABLISHED" 

3. Analyzing Process Dumps:

Use `procdump` to create memory dumps of suspicious processes:

procdump -ma <PID> 

4. Blocking Suspicious IPs:

Use Windows Firewall to block malicious IPs (this rule stops inbound traffic; to stop a beacon already on the host from reaching its C2 server, create the same rule with `-Direction Outbound` as well):

New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Inbound -RemoteAddress <IP> -Action Block

5. Detecting Lateral Movement:

Monitor RDP logons by querying the Security event log for successful (4624) and failed (4625) logon events:

Get-WinEvent -LogName "Security" | Where-Object { $_.Id -eq 4624 -or $_.Id -eq 4625 }
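The query above returns every logon on the host. The script below is an added example (not from the original post) that narrows it to the activity described in this incident: RDP logons (4624 with logon type 10), failed logons (4625) and new local account creation (4720, the "hidden backdoor account"), summarised by source address so a burst of failures followed by a success from one source stands out.

```powershell
# Added example: summarise RDP logons, logon failures and account creation from
# the Security log. Field names follow the standard Windows event schema.
function Get-EventDataField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-RdpLogonActivity {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625, 4720
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $logonType = Get-EventDataField $x 'LogonType'
        # Keep only RemoteInteractive (RDP) successes. Failures are kept regardless of
        # type, because with Network Level Authentication a bad RDP password is often
        # recorded as a type 3 failure rather than type 10.
        if ($_.Id -eq 4624 -and $logonType -ne '10') { return }
        $outcome = switch ($_.Id) {
            4624 { 'RDP logon' }
            4625 { 'logon failure' }
            4720 { 'account created' }
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Outcome   = $outcome
            Account   = Get-EventDataField $x 'TargetUserName'
            Source    = Get-EventDataField $x 'IpAddress'      # absent for 4720
            Station   = Get-EventDataField $x 'WorkstationName'
            LogonType = $logonType
        }
    }
}

$activity = Get-RdpLogonActivity -Hours 72

# Failures and successes grouped by source: many failures then a success from the
# same address is the stolen-credential pattern to escalate.
$activity | Where-Object EventId -ne 4720 | Group-Object Source, Outcome |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Any account created in the window; compare against change tickets.
$activity | Where-Object EventId -eq 4720 | Format-Table Time, Account, Station
```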

6. Analyzing DLLs:

Use `Sysinternals Process Explorer` to inspect loaded DLLs:

procexp.exe 

7. Removing Malicious Files:

Use PowerShell to delete malicious files:

Remove-Item -Path "C:\path\to\malicious\file" -Force 

8. Disabling Malicious Accounts:

Use the following command to disable hidden accounts:

Disable-LocalUser -Name "MaliciousAccount" 

9. Analyzing Logs:

Use `Log Parser` to analyze Windows Event Logs (the `-i:EVT` switch selects the event log input format; 4688 records process creation):

logparser.exe -i:EVT "SELECT * FROM Security WHERE EventID=4688"

10. Securing RDP:

Disable RDP if not in use:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1 

For further reading on incident response and malware analysis, visit:
Incident Response Framework
Malware Analysis Tools

This article emphasizes the need for continuous monitoring, employee training, and the use of advanced tools to detect and mitigate cyber threats effectively. Stay vigilant and proactive in securing your systems.
