Threat Emulation: STEEP#MAVERICK

Executive Summary

Researchers at Securonix Threat Labs recently reported a new cyber espionage campaign that is targeting defense contractors in the United States and abroad. What makes this particular campaign standout is the threat actors' attention to operations security and anti-analysis techniques used in the malware. STEEP#MAVERICK seems to have begun in late summer 2022 with attacks targeting multiple military contracting companies. Attacks focusing on defense contractors and suppliers have only increased in recent years and many of these campaigns have involved nation-state backed threat actors based in China, Russia, North Korea, and other countries.

Cyber Threat Intelligence

Profile: 

STEEP#MAVERICK, like many campaigns, begins its attack chain with a phishing email containing a compressed (.zip) file with shortcut (.lnk) file to a malicious PDF document. We have previously covered this initial access technique in our July #ThreatThursday featuring Qakbot. When the victim double-clicks the malicious file it kicks off a complex chain of stagers. Each stage is heavily obfuscated and written in PowerShell. Researchers observed eight stages; stage seven being where the interesting anti-analysis and counter-forensics techniques take place. Described as outright hostile by Securonix, when it detects sandboxing the malware will disable the system’s network adapters, use netsh to configure the firewall to block all inbound/outbound traffic, and invoke PowerShell’s ‘Remove-Item’ commandlet to delete everything in the user’s profile, G:\, F:\, and E:\ drives before it shuts down the device with ‘Stop-Computer’. Currently this activity is not attributed to a particular nation-state. However, if the system’s language is set to Chinese or Russian, the malware will only shut down the device and exit.

Aliases: 

N/A

Targets:

  • Defense contractors (U.S. and others)

Objectives:

  • Cyber Espionage

Capabilities:

  • Anti-Analysis/Defense Evasion
    • AMSI evasion
    • Sandbox detection
    • Disable Logging
    • Windows Defender Bypass
  • Persistence
    • Pcalua.exe is used to call wsreset.exe
    • Executes script stored in modified registry key
    • Scheduled Task creation
    • WMI Subscriptionn
    • Registry modification to embed malicious script
    • Startup Shortcut and Lolbins

Attack

Automated Emulation Plans

We have prepared several STEEP#MAVERICK emulation plans:

Detection Opportunities

As always, detection opportunities for each emulation are provided. Please see the respective blog posts linked above for additional details.

Respond

If any of the alerts are detected in the environment, the response team should determine the depth of the Kill Chain, collect artifacts, and answer the following questions:

  • Was the installation successful?
    • What are the persistent mechanisms?
  • Is Command and Control (C2) successful?
    • What are the domain names, IP addresses, ports, and protocols used?
  • Are there observations of Actions on Objectives (AOO)?
    • Usernames, Passwords, Other?
    • What are they?
    • Did the actor laterally move?
    • Was sensitive data taken?
  • What caused the initial compromise?
    • Vulnerability, Control, Human?
    • How was it delivered?
    • What was exploited?

Once it has been determined how deep the intrusion goes, containment, eradication, and recovery should begin.  After recovery, lessons learned should drive additional courses of action (COAs) to thwart the threat should it return, such as implementing additional security controls. As always, please follow your organization's response plan and evidence retention policies. We also recommend leveraging NIST SP 800-61 Rev. 2.

This post discusses active research by SCYTHE and other cited third parties into an ongoing threat.  The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About the Authors

Jake Williams and Kristen Cotten of SCYTHE’s CTI team contributed to this report and the creation of the threat emulation. Christopher Peacock assisted with QA and performed detection engineering.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.

References