Examining MITRE techniques in malicious incidents: part 1
In today's digital landscape, the battle between cybersecurity defenders and threat actors continues to escalate. Cyberattacks are more sophisticated, making it essential for cybersecurity practitioners, researchers, and organizations to adapt and improve their defenses. One tool that has become increasingly useful in helping to understand, categorize, and defend against these evolving threats is the MITRE ATT&CK® Framework.
MITRE ATT&CK, which stands for adversarial tactics, techniques, and common knowledge, provides a comprehensive classification of tactics and techniques used by threat actors during the various stages of an attack. It has become a heavily used foundational framework for cybersecurity professionals looking to better understand how these techniques are employed and what can be done to detect and mitigate them.
In this multi-part series of articles, we will dive into frequently exploited MITRE techniques observed during malicious incidents. Our goal is to provide real-world examples of ConnectWise SIEM™ data and threat reports shared by fellow cybersecurity researchers to uncover how these techniques are being used by threat actors and provide recommendations on how to prevent and counter these techniques.
In this first installment, we will focus on two key techniques that often work in tandem to grant initial access to the threat actor: spearphishing attachment and malicious file.
T1566.001 | Phishing: spearphishing attachment | Tactic: initial access
Technique overview
Spearphishing is a targeted form of phishing where a specific individual or company is sent an email containing tailored social engineering content so the threat actor can more successfully gain access to victim systems. Spearphishing emails may contain malicious links to download malware, but more commonly, the malware is directly attached to the email in the form of a spearphishing attachment.
The spearphishing email message is often customized to the recipient, including the recipient's name, job title, company, or other convincing pieces of information, and will generally contain a tone of urgency or authority to convince the user to take action. The attachment itself will often be customized to persuade the user that it is legitimate and significant. The attachment may be given a compelling name, such as a financial or legal document, a resume, or something related to the user's company or industry.
In the case of spearphishing attachments, the action that the threat actor wants to happen is for the user to download or open the attachment. Threat actors use a variety of different file types and file content to accomplish their goals. One of the more popular types of files used in spearphishing attachment attacks is document files, including Word documents, PDFs, or CSV files. These spearphishing attachments are generally made to look like real business documents, such as contracts, invoices, or other relevant items. Since users expect to receive documents like this during everyday business activities, it can be easy to miss the malicious intent.
Observed technique usage
Since Microsoft made the decision to block VBA macros by default for files coming from the internet, including email attachments, the use of Office files as spearphishing attachments has seen a decline. However, threat actors have adapted.
Earlier this year, Qakbot malware was observed being distributed via reply-chain phishing emails, whereby the threat actor takes a stolen legitimate email exchange and replies back with malicious links or attachments. The threat actor then attached a malicious PDF document titled "CancelationLetter-[number].pdf" to the thread, which incited the user to click on a button that led to the download of a ZIP file containing a Windows script file (WSF).
In addition to Qakbot, cybersecurity analysts have encountered instances of potential GuLoader deploying RemcosRAT infections that originate with a malicious tax document-themed PDF file. It has been observed that the file directs the user to a mega drive to download a ZIP file that contains a shortcut file (LNK). The shortcut then runs wscript.exe to use the LOLBAS SyncAppvPublishingServer.vbs script to invoke PowerShell to download two files, one of which launches another executable to connect to the C2 server. These attacks often occur during peak seasons in the financial industry, so victims may have the disadvantage of dealing with both the relevancy and urgency of the message.
The use of HTML files as spearphishing attachments is another common technique employed by threat actors. Upon opening, the HTML file will render as a webpage, which could look like a login page, a form, or even a generic template that aims to harvest credentials or other sensitive data or to trick the user into clicking it to download another file.
One example we observed of this was another instance of Qakbot. The user received an HTML file attached to an email that, when clicked, went on to download a malicious JavaScript file. This then set off a chain of execution, including the execution of the JS file via Wscript, which subsequently called on PowerShell to execute a heavily obfuscated encoded command, which launched an outbound network connection. The PowerShell process also created a malicious DLL file that would be used by RunDLL32 to attempt to execute the payload. Similar activity was also noted earlier this year.
While this is less commonly observed, it is important to keep in mind that threat actors may change their tactics, including the use of password-protected spearphishing attachments. When the malicious payloads are hidden within benign-looking formats and are encrypted, they can more easily pass through other cybersecurity controls and directly to the user. Commonly, a password will be provided to the user within the content of the attachment in order to open the file, but the use of a password is not always necessary. The North Korean Lazarus group was observed delivering malicious Office documents within password-protected ZIP files, which, when opened, appeared to be a normal Word document but actually launched macros to infect the user's system. Emotet was also observed using a password-protected archive file to drop CoinMiner and Quasar RAT onto systems. In these attacks, it was observed that spearphishing attachments masquerading as invoices in a ZIP or ISO format contained a nested self-extracting (SFX) archive. Despite the second self-extracting RAR being password-protected, the user didn't even have to provide a password for it to extract and execute itself.
Potential countermeasures
With estimates that upwards of 90% of cyberattacks start with phishing, it is clear that spearphishing attachment is a critical technique that threat actors use to gain initial access. Unfortunately, it is also challenging to prevent these attacks from happening when threat actors continue to shift the methods used to achieve their goals.
While antivirus software may help to detect suspicious files and intrusion prevention systems can be used to block potentially malicious activity, these are not fail-proof solutions. Within an enterprise environment, it may be beneficial to block unknown attachments with certain unusual file types or restrict content originating from the internet. Ultimately, user training is critical in preventing these attacks from being successful. As threat actors can craft increasingly targeted and polished spearphishing emails and attachments with the help of artificial intelligence, it will be necessary to put more effort into helping users become savvier in recognizing and reporting these attempted attacks.
T1204.002 | User execution: malicious file | Tactic: execution
Technique overview
The malicious file technique relies primarily on the user taking some action, such as downloading or opening a file, to allow the threat actor to gain execution. While this often coincides with the adversary using the previously discussed spearphishing attachment technique to get the file directly to the user, it could also occur as part of a bigger deception to a user looking to download specific software or files.
Threat actors may use masquerading in their spearphishing attachments to make them appear relevant or direct users to download malware disguised as a legitimate application or file through SEO poisoning or cracked software sites. Threat actors may also use different formats of malicious files to trick the user into executing them. One obvious way is the use of an executable file, or .exe, which contains code that can be executed by the operating system. These types of files are often used to launch malware.
Another common file format is the use of document files to carry malicious macros, scripts, or embedded objects. This could include Word document files, PDFs, or Excel files, and when opened, these files can start malware downloads or execute malicious scripts. Archive files are a third format that includes the use of files like .zip or .rar.
These types of files make it easy for the attacker to hide the true malicious payload, especially if the archive is password-protected. Threat actors can also use script files, such as .js, .ps1, or .vbs files, in order to have the user execute a script that may download and execute malware or perform another malicious action.
Recently, there has also been an uptick in the usage of shortcuts, or .lnk files, which can be used to launch malicious scripts or executables when the user clicks on them. Further complicating matters is the fact that Microsoft hides file extensions by default. A user may unknowingly open a harmful file that has been disguised as an ordinary document using a benign name or recognizable icon.
Observed technique usage
Recent observations of this technique vary in file formats and delivery methods, so let’s look at a few examples to explore this further. As stated previously, threat actors will often use spearphishing to get a malicious file to the user for execution. These phishing emails may contain malicious attachments but may also contain a malicious link that, when clicked, leads to the download and execution of a malicious file.
In one example of a NetSupportRAT attack, we observed that the user received a phishing email with a malicious link that was clicked and led to the opening of a malicious URL. Once the site was opened, a malicious JavaScript file titled “Notice_5_apr_5929106.js” was downloaded, which appeared to be a stager. The stager was then executed with Wscript, which subsequently led to an obfuscated PowerShell command being launched, which then proceeded to make outbound network connections.
While users should be wary of suspicious links in email, it should be emphasized that they may also be found on websites, in another file, or in an instant message. Additionally, malicious ads, or malvertising, may lead a user to click on a link that leads to a download on a compromised website. Users visiting compromised websites may be vulnerable to drive-by downloads, unknowingly triggering the download and execution of malicious files.
Recently, Gootloader has been observed using SEO poisoning to drive users to malicious sites where threat actors have planted malicious files. Frequently, users are searching for some type of “agreement,” which could be a financial or legal template that they need for business activities, and they are tricked into visiting compromised sites that end up appearing at the top of the search results. Once the user downloads the fake document, the chain of infection begins.
In similar cases, users have downloaded and executed malicious files that claim to be cracked software or pirated media files. In another incident, we observed a user downloading a malicious version of Epic Games Launcher named “EpicGamesLauncher_87806.iso.” The user proceeded to extract the ISO file using the 7Zip utility, which created an executable file that was launched. This led to the execution of an encoded PowerShell command that created Microsoft Defender exclusions, disabled Google Chrome’s software reporter tool, and began initiating outbound network connections.
In another incident that was attributed to SectopRAT/Arechclient2, the initial access point happened when a user downloaded what appeared to be a version "Adobe® Flash® Player Installer/Uninstaller," innocuously named “AppInstaller 10.9.exe,” from the internet. After the user executed the downloaded file, a series of events was initiated, including several outbound network connections, a renamed PowerShell utility, “x4akgiMqllypH1k.bat.exe,” executing a heavily obfuscated command and the execution of a VBS script via Wscript.
Potential countermeasures
When it comes to defending against malicious files, your best bet is to make sure your users don't execute anything that could harm the network. To ensure users are aware of common phishing characteristics, user training is critical. Educating users to be wary of suspicious unsolicited emails that have unusual attachments or links, urgent requests, or uncommon email headers will go a long way in preventing the user from executing malicious file attachments or clicking on malicious links.
Another precaution is to enable filename extensions in Windows so users know exactly what file type they are dealing with. Additionally, ensuring that users only download approved applications from legitimate sources is crucial. Comparing file hashes of downloads to see that they match against the legitimate file can be useful, but it’s unlikely to be performed by the average user.
If appropriate, organizations may choose to block the execution of code via application control or script blocking. This can prevent unintended execution of unapproved applications and scripts. In addition to these mitigation strategies, you may also want to detect new file and process creations. This can help to provide early detection that’s not reliant on previously known bad file signatures or patterns. Look for anomalies in processes, such as legitimate processes spawning unusual child processes and processes that are not part of normal system or application behavior.
Conclusion
In this first part of our series exploring heavily used MITRE techniques, we’ve gained a deeper understanding of the spearphishing attachment and malicious file techniques by taking a closer look at how they are being implemented by threat actors.
Both techniques rely heavily on user action, using social engineering and deception to trick users into helping threat actors gain initial access to an environment and progress their objectives. By examining these techniques side-by-side, we can start to view the similarities, as well as differences, in how the techniques are carried out. This comparison can help to determine the most effective defensive strategies for combatting these threats in your environment.