According to an announcement from the Israel National Cyber Defense Authority, from April 19 to April 24 there was an ongoing attack on more than 120 Israeli academic, pharmaceutical, and government organizations. A total of 250 phishing emails were involved in the attack.
The Israeli CERT Intel even mentioned that they knew this attack was coming, given the significant use of CVE-2017-0199 by many threat actors.
This vulnerability in the Windows HTA handler was exploited through Office RTF documents to execute malicious HTA files without user interaction.
The speculation about the adversaries behind the attack
The code of the malware used in this attack was identical to the OilRig malware (aka Helix Kitten) found by FireEye, which is known for major infiltration attempts against many organizations in the Middle East as well as against Iranian individuals.
Once a victim opens one of the specially crafted phishing emails, the document downloads an HTA file and launches it, without any user interaction or macro code, by exploiting the CVE-2017-0199 vulnerability.
The HTA file contains VBScript that writes a PowerShell script, assembled from the code embedded inside the downloaded HTA file, and launches it.
From this point the PowerShell-based malware establishes persistence through a scheduled task or the Startup folder, contacts its C&C server using DNS exchange, and downloads its batch file to perform further actions using legitimate tools that exist locally on every computer in the environment; no extra tools are needed from this point.
With the dumped batch script, the attacker "prepares the surface" by studying the environment in which he has established a foothold. Local and Active Directory reconnaissance is crucial for attackers in order to move laterally through the victim's network until the adversary reaches his goals.
Recon Batch file and Cred-Theft
The script executes commands such as "net group Domain Admins" and "net users" to identify and target highly privileged domain users whose credentials can then be stolen, and the same command with different parameters, such as "net group Exchange Trusted SubSystem", to find sensitive and valuable servers to steal information from. The script also performs local recon using commands such as:
– Tasklist – Identify possible security products on the infected endpoint.
– Netstat – Detect any machines with connections to the endpoint.
– SystemInfo – Detect patches, OS version and more information about the endpoint.
– Net localgroup – Determine local administrators on the endpoint.
– ipconfig – Determine the network configuration of the endpoint.
– Whoami – Determine the currently running user.
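As an added illustration (not part of the original post and not the campaign's own code), a Python sketch of how a defender could hunt for this recon batch in process-creation logs: the command set is the one listed above, while the sample events, host names and the "4 distinct commands within 5 minutes" threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation records (hypothetical): (timestamp, host, command line).
SAMPLE_EVENTS = [
    ("2017-04-20T09:01:02", "WS-042", "whoami"),
    ("2017-04-20T09:01:05", "WS-042", 'net group "Domain Admins" /domain'),
    ("2017-04-20T09:01:12", "WS-042", "systeminfo"),
    ("2017-04-20T09:01:15", "WS-042", "net localgroup administrators"),
    ("2017-04-20T09:01:18", "WS-042", "ipconfig /all"),
    ("2017-04-20T09:01:20", "WS-042", 'net group "Exchange Trusted Subsystem" /domain'),
    ("2017-04-20T11:30:00", "WS-007", "ipconfig /all"),  # lone admin command elsewhere, benign
]

# The recon commands named in the post, as case-insensitive command-line patterns.
RECON_PATTERNS = {
    "domain_admins":  re.compile(r'\bnet\s+group\s+"?domain admins"?', re.I),
    "exchange_group": re.compile(r'\bnet\s+group\s+"?exchange trusted subsystem"?', re.I),
    "net_users":      re.compile(r"\bnet\s+users?\b", re.I),
    "tasklist":       re.compile(r"\btasklist\b", re.I),
    "netstat":        re.compile(r"\bnetstat\b", re.I),
    "systeminfo":     re.compile(r"\bsysteminfo\b", re.I),
    "net_localgroup": re.compile(r"\bnet\s+localgroup\b", re.I),
    "ipconfig":       re.compile(r"\bipconfig\b", re.I),
    "whoami":         re.compile(r"\bwhoami\b", re.I),
}

def classify(cmdline):
    """Return the set of recon categories a single command line matches."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(cmdline)}

def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Flag hosts that run at least min_distinct different recon commands within one
    sliding window: a lone ipconfig is admin noise, the scripted batch fires them all."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        cats = classify(cmd)
        if cats:
            per_host[host].append((datetime.fromisoformat(ts), cats))
    alerts = {}
    for host, rows in per_host.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(rows):
            seen = set()
            for t, cats in rows[i:]:
                if t - t0 > window:
                    break
                seen |= cats
            if len(seen) >= min_distinct:
                alerts[host] = alerts.get(host, set()) | seen
    return alerts
```

Feeding real Windows 4688 or Sysmon event 1 records into the same function only requires mapping their timestamp, computer and command-line fields onto the tuple shape used here.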
Eventually, after the attacker has digested all the recon information from the batch script, he tries to steal credentials using a modified version of Mimikatz in order to move laterally through the victim's network.
What security vendors today call "fileless malware" is actually malicious code written in a scripting language rather than compiled into a conventional executable: the actual malware code is embedded, Base64-encoded, inside a .vbs and a .ps1 script file, and when launched it creates more files from the embedded code while running in memory. Usually the initial infection occurs through a vulnerability in web pages or documents.
Using the unlimited flexibility of PowerShell, attackers can deliver a full campaign using a single PowerShell script file.
Investigating them might be tricky because they exist only in memory; check out my blog post about investigating all console shells remotely using PowerShell, or you might try enabling PowerShell logging.
This "fileless" attack has the same modus operandi as other Active Directory attacks: leveraging a known vulnerability for initial infection, using PowerShell-based malware that relies on legitimate tools to perform recon, stealing credentials using Mimikatz, moving laterally inside the victim's network until the goal is reached, and exfiltrating the stolen data over HTTP, all while communicating with the C&C using DNS exchange.
Whether you're a state-funded APT or a smaller opportunist group, every attack uses a similar playbook to achieve its campaign goals.