Just under two years ago, this global law firm chose F-Secure Countercept to increase their detection and response capabilities and reliably defend them against the advanced cyber threats they faced.Today, we are sharing this recent case study from their estate, because it offers an excellent illustration of why Countercept’s managed detection and response service is so effective for this client. The mid-level threat encountered here demonstrates many of the offensive techniques we detect on a day-to-day basis, and will give you a clear insight into how our approach works.
- A highly targeted spear phishing message was sent to an employee. The email referenced personal details and compelled the user to click on a malicious URL contained in the message.
- The URL was opened and an initial payload was installed on the endpoint, bypassing the automated email filtering system.
- This payload initiated a number of staged CMD and PowerShell commands, which downloaded further instructions from a command and control server.
- More chained commands were made, leading to the eventual use of BITSAdmin to download an encoded text file, and another encrypted text file.
- The encoded text file was decoded into a malicious executable using Certutil. Following further inspection, this executable was deemed to be SnatchLoader.
- It was at this stage that the attack was stalled by AppLocker, because the final executable was not instructed to run via a legitimate Microsoft tool (unlike the previous stages of the attack).
Why it bypassed so many automated controls
The attack used several techniques to obfuscate and avoid detection:
- Dozens of small, light stages were used in the attack, meaning the malware was less likely to raise alerts.
- The stages were facilitated by legitimate Windows tools (CMD, PowerShell, BITSAdmin and Certutil).
- The attack used Invoke-Expression commands to run code in-memory.
- The commands used were obfuscated using non-alphanumeric characters.
- Encoded versions of the malware were downloaded as text files, bypassing many popular prevention controls such as sandboxing tools.
How we detected it
Our technological and investigative capabilities are driven by our understanding of offensive techniques. As a result, the unusual use of Microsoft binaries, the obfuscation techniques, and the combination of stages quickly drew the attention of our threat hunting team. Within three and a half hours from the initial infection, detection and investigation had occurred, and response had been initiated.
The client’s point of view
SnatchLoader is being currently used by attackers to load the well-known Ramnit banking Trojan. While the attack didn’t get this far, banking Trojans are used to harvest banking credentials when infected machines visit certain banking websites. Ramnit is also known for its ability to scan documents on the hard drive for usernames and passwords. The effective and prompt combination of prevention, detection and response stopped the attack early, as well as the possibility of it escalating.
 SnatchLoader is a dropper – a type of malware that is used to load other malware onto infected computers.
 AppLocker is a Windows tool which is used to define which users can run particular applications – in this case, the malicious executable was not listed as an allowed application.
 Conducting an attack in stages also means that if it is detected, much of the attacker’s code would not be available for analysis since it had not been deployed yet, increasing reusability.