Page 65 - Veritas
CASE STUDIES
employee’s desire to help a colleague and, perhaps, act first and think later.”
Attack Methodology:
The first line of attack was social engineering. The threat actor pretended to be a company employee, specifically one of the system engineers. The e-mail exactly mimicked an invitation from a cloud service and was made to look like a weekly report. Given the impersonated sender’s actual role within the company, not only was such a message expected, but so was the specified document.
They used servers that allowed them to send e-mail anonymously, which is how they managed to defeat the Security Protection Factor (SPF) check in place to stop the victim’s domain from being spoofed.
Several links inside the e-mail body, including the one to accept the invitation, had been replaced with bit.ly shortened URLs. All of the servers behind them were down at the time of the investigation.
When the target clicked the primary link, it triggered the download of a .zip file containing two more files: “Password.txt.lnk” and “weekly_report.doc”. The .doc file was password protected, which further convinced the target that the files were genuine.
The string is executed as a script (see Appendix 2) which connects to a different server and requests the “main.cs” file; that file is Base64-decoded and passed as a script block. Neither this script nor the initial download was recovered from the filesystem; however, at the same time the Event Log began showing messages containing parts of PowerShell code (channel Microsoft-Windows-PowerShell/Operational, event ID 4104). Pieced together, this code was found to perform several tasks:
• Writes a long string, which decodes to a script, to the user’s APPDATA folder followed by “\Microsoft\Windows\Start Menu\Programs\Startup\appView.js”;
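The reassembly step described above, as an added example that is not part of the case study: it reads event ID 4104 from the channel named in the text, stitches each script block’s fragments back together in order, and flags blocks that show the behaviours the investigation found (Base64 decoding, a write into the Startup folder, the appView.js name). The `-EvtxPath` parameter for reading an exported log is an assumption of this example.

```powershell
# Added example (not from the Veritas case study): rebuild PowerShell script
# blocks from 4104 events and flag the indicators named in the investigation.
# Assumes a live host, or an exported .evtx passed via -EvtxPath (assumed parameter).
param(
    [string]$EvtxPath
)

$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
if ($EvtxPath) { $filter = @{ Path = $EvtxPath; Id = 4104 } }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

# 4104 payload layout: [0]=MessageNumber [1]=MessageTotal [2]=ScriptBlockText
#                      [3]=ScriptBlockId [4]=Path
$blocks = $events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Number  = [int]$_.Properties[0].Value
        Total   = [int]$_.Properties[1].Value
        Text    = [string]$_.Properties[2].Value
        BlockId = [string]$_.Properties[3].Value
        Path    = [string]$_.Properties[4].Value
    }
} | Group-Object BlockId

# Regex indicators taken from the case narrative; extend for your environment
$indicators = @(
    'FromBase64String',
    'Start Menu\\Programs\\Startup',
    'appView\.js',
    'Invoke-Expression|\biex\b'
)

foreach ($g in $blocks) {
    # Large script blocks are split across several 4104 events; order them
    # by MessageNumber and join the text to recover the original block.
    $ordered = $g.Group | Sort-Object Number
    $script  = ($ordered | ForEach-Object Text) -join ''
    $hits    = $indicators | Where-Object { $script -match $_ }
    if ($hits) {
        [pscustomobject]@{
            FirstSeen     = ($ordered | Select-Object -First 1).Time
            ScriptBlockId = $g.Name
            Fragments     = "$($ordered.Count)/$($ordered[0].Total)"
            Indicators    = $hits -join ', '
            Preview       = $script.Substring(0, [Math]::Min(120, $script.Length))
        }
    }
}
```

A block whose Fragments column reads, say, 3/5 was only partially logged (the log rolled or the channel was cleared), which is itself worth noting in the timeline.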