The next installment of our STEEP#MAVERICK emulation series highlights a defense evasion technique leveraged by the threat actor shortly after initial infection. Similar to many targeted campaigns, initial infection begins with a phishing email containing a malicious attachment. In STEEP#MAVERICK, the email contained a compressed (.zip) file with a shortcut (.lnk) file inside. The shortcut file attempts to hide its execution by calling forfiles.exe.
Our emulation begins here with a step where the threat actor calls forfiles.exe to copy powershell.exe to C:\Windows and rename it to AdobeAcrobatPDFReader.
We then use the newly renamed powershell to obtain the name of the domain the device belongs to and if a hypervisor is present. The threat actor did not perform this step in the campaign but we include it here to provide a detection opportunity.
The following step is where we mimic a C2 connection to hxxps://terma[.]dev/0 to pull down the initial stager.
Clean-up steps to remove the renamed powershell.exe file are included after a 3 minute delay.
This post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.