Antigen Security was engaged by the victim client to investigate a possible Business Email Compromise. Business Email Compromise (BEC) is a cyberattack involving the hacking or spoofing of a business email address. The victim of a BEC attack typically receives an email that appears to come from a trusted business and that looks and feels genuine, but frequently it contains a phishing link, a malicious attachment, or a request to transfer money to the attacker. The client reported receiving multiple such phishing emails, including ones with malicious Excel spreadsheets attached. Following execution of the payload, “invoice.xls”, three files were dropped on the host: yhjlswle.vbs, dkwtoaqzbs.hfb, and ughldskbhn.bat, all of which were quarantined by the endpoint detection and response (EDR) tool.
During the investigation, Antigen Security assessed with confidence that this was a targeted Emotet malware campaign in which approximately 135 malicious emails were sent to the client’s employees between February 7, 2022 and February 8, 2022. Emails sent by the threat actor were tailored to lure users with factual company details such as specific employee names and facility conference rooms.
The threat actor staged 7 waves of phishing between February 7, 2022 and February 8, 2022. During the first wave, the threat actor successfully lured one employee into opening a suggestively named Excel file embedded with a malicious payload. The subject lines of many of the later phishing emails contained details suggesting that the initial victim user’s email had been exfiltrated and incorporated into the subsequent waves. The next 6 phishing waves were unsuccessful. In total, the phishing emails received by the client contained 28 unique phishing malware payloads, 3 unique code blocks, and 43 unique domains used as threat actor infrastructure.
Antigen Security collected triage-level data from the single infected host machine and conducted extensive forensic analysis of the device. Through this analysis, Antigen Security was unable to identify any evidence of successful lateral movement or signs of persistence. However, upon further review of the different malware targeting the client, it was clear to Antigen Security that lateral movement was the threat actor’s intent. Antigen Security confirmed that the EDR tool quarantined the malware before any such attempt could succeed.
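The drop chain described above (Excel writing yhjlswle.vbs, dkwtoaqzbs.hfb and ughldskbhn.bat) is the kind of host telemetry a detection rule can key on. The following is an added example, not code from the report or from Antigen Security: it runs a two-stage check over constructed Sysmon-style events, flagging an Office process that writes script or binary files and then a script host that launches one of them. The event format, paths and timestamps are assumptions; only the three file names come from the report.

```python
# Added example (not from the report): Office-drops-script, script-host-runs-it
# chain over constructed events. Format and paths are assumptions.
import re

OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "regsvr32.exe"}
DROP_EXTS = {".vbs", ".bat", ".hfb", ".js", ".ps1", ".dll"}
# Assumed line format: ts=<t> type=<FileCreate|ProcessCreate> image=<path> target=|cmdline=<...>
EVENT_RE = re.compile(r"ts=(\S+) type=(\w+) image=(.+?) (?:target|cmdline)=(.+)")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse(line):
    m = EVENT_RE.match(line.strip())
    return None if not m else dict(zip(("ts", "type", "image", "arg"), m.groups()))

def detect_chain(lines):
    """Findings as (stage, file) tuples in event order:
    'office_drop'           an Office process wrote a script/binary file
    'dropped_file_executed' a script host later ran one of those files"""
    dropped, findings = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        proc = basename(ev["image"])
        if ev["type"] == "FileCreate" and proc in OFFICE_PROCS:
            name = basename(ev["arg"])
            if name[name.rfind("."):] in DROP_EXTS:  # extension check
                dropped.add(name)
                findings.append(("office_drop", name))
        elif ev["type"] == "ProcessCreate" and proc in SCRIPT_HOSTS:
            for name in sorted(dropped):  # dropped file name on the command line
                if name in ev["arg"].lower():
                    findings.append(("dropped_file_executed", name))
    return findings

SAMPLE_EVENTS = [  # constructed; the last line is what would fire had EDR not quarantined
    r"ts=2022-02-07T09:12:04 type=FileCreate image=C:\Office\EXCEL.EXE target=C:\Users\jdoe\AppData\Local\Temp\yhjlswle.vbs",
    r"ts=2022-02-07T09:12:04 type=FileCreate image=C:\Office\EXCEL.EXE target=C:\Users\jdoe\AppData\Local\Temp\dkwtoaqzbs.hfb",
    r"ts=2022-02-07T09:12:05 type=FileCreate image=C:\Office\EXCEL.EXE target=C:\Users\jdoe\AppData\Local\Temp\ughldskbhn.bat",
    r"ts=2022-02-07T09:12:30 type=FileCreate image=C:\Office\EXCEL.EXE target=C:\Users\jdoe\Documents\budget.xlsx",
    r"ts=2022-02-07T09:12:31 type=ProcessCreate image=C:\Windows\System32\wscript.exe cmdline=wscript.exe C:\Users\jdoe\AppData\Local\Temp\yhjlswle.vbs",
]

def run_sample():
    return detect_chain(SAMPLE_EVENTS)
```

The benign budget.xlsx write is ignored, and the stage-2 finding only appears because the sample includes the execution that EDR prevented in the real incident.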
Figure 1: Analysis of Malicious Executable Sent to Client
Figure 2: Invoice.xls ATT&CK Matrix
The client’s EDR solution played a crucial role in stopping the spread of the Emotet malware. When the malicious executable was opened from the first phishing email, the client’s EDR solution was able to successfully quarantine the malware before it was ever able to run. Had this payload been properly executed, the threat actor would have been able to secure a foothold and laterally move throughout the network. EDR solutions are a great defense against cyber-attacks, particularly when used in tandem with cybersecurity best practices.
- Office 365 best practices are the most effective way to avoid a business email compromise.
- Ensure that your users are trained to recognize and easily report phishing attacks and employ strong passwords.
- Enable MFA so that users will have to utilize a 2-step verification at logon.
- Block corporate password reuse to better enable strong passwords and limit the attempts at password guessing from threat actors.
- Deploy an anti-malware solution and deploy anti-phishing defenses.
- Disable basic authentication to close off the proxy authentication an attacker could leverage. Also identify which conditional access policies make sense for your client or company.
- Lastly, ensure that audit logging is turned on so that logs are available to review in the event of an incident or for self-auditing.
During the investigation, Antigen identified phishing emails that suggested the initial victim user’s inbox was compromised. The second through seventh waves of phish appeared to have email content from the known compromised user’s account seeded in the subject lines, according to the IT staff. If true, it means the threat group ingested the compromised user’s email, parsed the email chains for details, and composed the next wave of tailored emails with those parsed details in approximately 1 hour, based on the observed timeline of events. Achieving that in such a short window of time would be most practical via polymorphism, a feature later detailed in The Hacker News. Rapidly changing tactics mid-campaign demonstrates sophistication, but automating it intelligently via polymorphic code makes it all the more remarkable.
Get Help from Our Experts
As sophisticated attacks such as BECs have become common, it’s important to be prepared with an incident response plan. Antigen Security can help you determine the next steps in the aftermath of an attack. Schedule a meeting with one of our experts to get started.
Suspicious C2 Domains and IPs
| URL | Country | Hosting provider | IP address |
|---|---|---|---|
| https://dwwmaster[.]com/wp-content/ebHTB4UF2/ | China | Huawei Cloud Service data center | 18.104.22.168 |
| http://royalsnackmyanmar[.]com/wp-includes/GMtz6DxM/ | Thailand | GMO-Z com NetDesign Holdings Co., Ltd. | 22.214.171.124 |
| http://speedrankingsystem[.]de/wp-admin/k63ZcimPsE6/ | Germany | Host Europe GmbH | 126.96.36.199 |
| https://edu-media[.]cn/wp-admin/cKi/ | China | Hangzhou Alibaba Advertising Co., Ltd. | 188.8.131.52 |
| https://rtd[.]b2bpipe[.]cn/wp-content/8ESRhIJAIRh/ | China | Hangzhou Alibaba Advertising Co., Ltd. | 184.108.40.206 |