In the last month or so, several security companies have spotted attackers targeting a variety of organizations around the world with spear-phishing emails that deliver PowerShell backdoors (some of them fileless). The attackers also misuse legitimate utilities and communicate with their C&C servers over DNS.
In February, Kaspersky Lab researchers said the targets were mostly banks and that the initial infection vector was unknown. In March, Cisco Talos researchers detailed how the attackers' backdoor RAT uses DNS TXT record queries to talk to the C&C server, and FireEye reported similar attacks targeting employees of US-based businesses responsible for filing reports with the US Securities and Exchange Commission (SEC).
Now, Morphisec researchers say that the three attacks were likely carried out by the same criminal group, using a sophisticated fileless attack framework.
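Because an implant like the one described above leaves nothing on disk, its DNS traffic is one of the few places it can still be observed. The script below is an added example (not code from the article, nor from Kaspersky Lab, Cisco Talos, FireEye or Morphisec) showing one way to hunt for a DNS TXT command-and-control channel in resolver query logs: it groups TXT queries by client and registered domain and flags groups with many queries whose subdomain labels are long, high-entropy and almost never repeated, which is what encoded data in query names looks like. The log format, IP addresses, domain names and thresholds are all constructed or assumed for the example and should be adapted to a real environment.

```python
"""Heuristic detection of DNS TXT-based C&C beaconing in resolver logs.

Added example; not from the original article or any vendor it cites.
Assumed log format (one query per line): "<timestamp> <client-ip> <qtype> <qname>".
"""
import math
from collections import defaultdict

# Constructed sample log: all hosts, IPs and domains are made up for this example.
# 10.0.0.12 sends a steady stream of TXT queries with hex-looking, never-repeated
# subdomains; the remaining TXT queries are ordinary DMARC/DKIM/SPF-style lookups.
SAMPLE_LOG = """\
2017-03-10T09:00:01 10.0.0.12 A www.example.com
2017-03-10T09:00:02 10.0.0.12 TXT _dmarc.example.com
2017-03-10T09:00:03 10.0.0.12 TXT 3f8a1c9e0b7d2e41.upd.c2-example.net
2017-03-10T09:00:08 10.0.0.12 TXT 9a12ffe4c7b05d83.upd.c2-example.net
2017-03-10T09:00:13 10.0.0.12 TXT 0c7e51b9d2aa4f16.upd.c2-example.net
2017-03-10T09:00:18 10.0.0.12 TXT e4b06d3c19f78a52.upd.c2-example.net
2017-03-10T09:00:23 10.0.0.12 TXT 7d2a9c40b1e3f685.upd.c2-example.net
2017-03-10T09:00:28 10.0.0.12 TXT 51f3e8a7c90d2b64.upd.c2-example.net
2017-03-10T09:00:30 10.0.0.33 TXT google._domainkey.example.org
2017-03-10T09:00:31 10.0.0.33 TXT example.org
2017-03-10T09:00:32 10.0.0.33 A mail.example.org
"""


def parse_line(line):
    """Parse one log line into (timestamp, client, qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(qname):
    """Last two labels of the name. Assumption: no public-suffix handling, so
    names under multi-label suffixes such as co.uk are grouped too coarsely."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, min_queries=5, min_entropy=3.0, min_distinct_ratio=0.8):
    """Return one finding per (client, registered domain) whose TXT traffic
    looks like an encoded C&C channel. Thresholds are assumptions to tune."""
    groups = defaultdict(list)  # (client, domain) -> subdomain strings seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "TXT":
            continue
        _, client, _, qname = rec
        domain = registered_domain(qname)
        # Subdomain part only; empty for apex queries such as SPF lookups.
        sub = qname[: len(qname) - len(domain)].rstrip(".")
        groups[(client, domain)].append(sub)

    findings = []
    for (client, domain), subs in groups.items():
        if len(subs) < min_queries:
            continue  # too little traffic to judge
        distinct_ratio = len(set(subs)) / len(subs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        # Encoded payloads produce unique, high-entropy labels on every query;
        # legitimate TXT lookups repeat a few fixed, low-entropy names.
        if mean_entropy >= min_entropy and distinct_ratio >= min_distinct_ratio:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(subs),
                "distinct_ratio": round(distinct_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "mean_subdomain_len": round(mean_len, 1),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("suspicious TXT channel:", f)
```

Run against a real resolver or Windows DNS debug log, the same grouping applies; the practical tuning work is the whitelist of domains that legitimately receive many TXT queries (mail authentication, some CDN and telemetry services) and the query-count window, since a slow beacon spreads its queries over hours rather than seconds.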
The group’s modus operandi
“Initial infection begins when the weaponized Word document delivers a PowerShell agent that opens a backdoor and establishes persistency. After this point, in most cases, the rest of the PowerShell commands are delivered through the command server,” Morphisec researchers summarized the attack.
“For some targets, the attack was fully fileless, eventually delivering a Meterpreter session directly to memory. In other cases, the password-stealer LaZagne Project or another Python executable was delivered and executed. After additional investigation, we identified controllers for different protocols including Cmd, Lazagne, Mimikatz and more.”
The researchers also managed to interact briefly with the attacker via the PowerShell protocol used for the attack delivery, and to poke around one of the C&C servers.
Although the attacker soon blocked one of the researchers' IPs and shut down that particular C&C server, the researchers gained some insight into the setup.
“We found and downloaded a set of malicious files, some of them well-known and used for Mimikatz attacks, others are PowerShell exploitations and User Account Control (UAC) exploitations,” they noted, and added that their brief interaction with the threat actor “made clear that the hacker is part of a group which limits their exposure by targeting specific companies only.”
FireEye had earlier said it believes the attacks are tied to a threat group it calls FIN7.
Morphisec has also recommended remediation steps that companies that have been hit can follow.
They also noted that the attack is difficult to spot: the weaponized Word documents are detected as malicious by just a handful of AV solutions, and the malware they deliver “resides solely in memory and commands are delivered directly from the Internet, with no executables on disk, making it basically invisible.”
“The cybersecurity reports we see are often about new possibilities of attacks or which companies (and customers) are attack victims. The actual threat actors, i.e., the hackers who execute highly targeted attacks against high-profile targets, remain in the dark,” noted Michael Gorelik, VP of R&D at Morphisec.
“This is not important to security vendors who study attacks so they can prevent them in the future. But the problem of attributing specific attacks to a group of threat actors is an acute one for authorities all over the globe. Being able to know who is responsible for what attack is vital information in the fight against cybercrime. These additional details enable authorities to know who is responsible for a crime, how they are connected, and identify imitators. In Morphisec’s research, we were able to attribute several high profile attack campaigns to a single group.”