According to an announcement from the Israel National Cyber Defense Authority, from April 19 to April 24, there was an ongoing attack on more than 120 Israeli academic, pharmaceutical, and government organizations. A total of 250 phishing emails were involved in the attack.
The Israeli CERT Intel even mentioned that they knew this attack was coming based on many threat actors’ significant use of the CVE-2017-0199.
Using Office RTF documents, this vulnerability in the Windows HTA handler was exploited to execute malicious HTA files without user interaction.
Speculation about the adversaries behind the attack
The code of the malware used in this attack was identical to the OilRig malware (aka Helix Kitten) found by FireEye, which is known for major infiltration attempts against many organizations in the Middle East as well as Iranian individuals.
Once a victim opens one of the specially crafted phishing emails, it will download an hta file and launch it without any user interaction or macro code using the CVE-2017-0199 Vulnerability. The hta file contains VB code to launch a PowerShell script, self-written from the code inside the downloaded hta file.
From this point, the PowerShell based malware will create Schedule-Task or Startup folder as persistence, contact his C&C server using DNS exchange, and download his bat file to perform more actions using legitimate tools that exists locally on every computer in the environment. No extra tools are needed from this point.
With the bat script dump, the attacker “prepares the surface” by studying the environment he created a foothold in. Local and Active Directory reconnaissance is crucial for attackers to move laterally in the victim’s network until the adversary reaches his goals.
Recon Batch File and Credential Theft
The script executes commands such as “Net group Domain Admins” and “Net Users” to identify and target high privileged domain users and steal their credentials. Or, it uses the same command with different parameters to find sensitive and valuable servers to steal information from e.g. “Net group Exchange Trusted SubSystem”. The scripts also performs local recon using commands such as:
– Tasklist – Identify possible Security products on infected endpoint.
– Netstat – Detect any machines with connection on the endpoint.
– SystemInfo – Detect Patches, OS Version and more information about the endpoint.
– Net localgroup – Determine local administrators on the endpoint.
– ipconfig – Determine network configuration of the endpoint.
– Whoami – Determines the current running user.
Eventually, after the attacker digested all the recon information from the bat script, he’s trying to steal credentials using a modified version of Mimikatz to perform lateral movement on the victim’s network.
What security vendors call today a “fileless malware” is actually a scripting language-based malicious code instead of compiled code as a common executable. The actual code of the malware is embedded in Base64 Encoded inside a vbs and ps1 script file. When launched, it creates more files using the embedded code while it runs in-memory. Usually, the initial infection occurs using a vulnerability in webpages or documents.
Using the unlimited flexibility of PowerShell, attackers can deliver a full campaign using a single PowerShell script file.
Investigating them might be tricky because they exist in memory. Check out my blog post about investigating all Console Shells remotely using PowerShell, or you might try to enable PowerShell logging.
This “fileless malware” has the same modus operandi as other Active Directory attacks: leveraging a known vulnerability for initial infection, using PowerShell-based malware that uses legitimate tools to perform recon, stealing credentials using Mimikatz, moving laterally inside the victim network until reaching goal, and exfiltrating the stolen data using HTTP while communicating with the C&C using DNS Exchange.
Whether you’re a state-funded APT or a smaller opportunistic group, every attack uses a similar playbook to achieve their campaign goals.