Case Study: Defending a major law firm

The attack

1. A highly targeted spear phishing message was sent to an employee. The email referenced personal details and compelled the user to click on a malicious URL contained in the message.
2. The URL was opened and an initial payload was installed on the endpoint, bypassing the automated email filtering system.
3. This payload initiated a number of staged CMD and PowerShell commands, which downloaded further instructions from a command and control server.
4. More chained commands were made, leading to the eventual use of BITSAdmin to download an encoded text file, and another encrypted text file.
5. The encoded text file was decoded into a malicious executable using Certutil. Following further inspection, this executable was deemed to be SnatchLoader[1].
6. It was at this stage that the attack was stalled by AppLocker[2], because the final executable was not instructed to run via a legitimate Microsoft tool (unlike the previous stages of the attack).

Why it bypassed so many automated controls

The attack used several techniques to obfuscate and avoid detection:

• Dozens of small, light stages were used in the attack, meaning the malware was less likely to raise alerts.[3]
• The stages were facilitated by legitimate Windows tools (CMD, PowerShell, BITSAdmin and Certutil).
• The attack used Invoke-Expression commands to run code in-memory.
• The commands used were obfuscated using non-alphanumeric characters.
• Encoded versions of the malware were downloaded as text files, bypassing many popular prevention controls such as sandboxing tools.

How we detected it

Our technological and investigative capabilities are driven by our understanding of offensive techniques. As a result, the unusual use of Microsoft binaries, the obfuscation techniques, and the combination of stages quickly drew the attention of our threat hunting team. Within three and a half hours from the initial infection, detection and investigation had occurred, and response had been initiated.

The client’s point of view

SnatchLoader is being currently used by attackers to load the well-known Ramnit banking Trojan. While the attack didn’t get this far, banking Trojans are used to harvest banking credentials when infected machines visit certain banking websites. Ramnit is also known for its ability to scan documents on the hard drive for usernames and passwords. The effective and prompt combination of prevention, detection and response stopped the attack early, as well as the possibility of it escalating.