In December, one of our MDR customers was targeted by a spear phishing campaign.

The campaign utilized many tactics that are popular right now and, unfortunately, continue to be successful.

Emails were sent to numerous recipients across the organization in multiple different departments.

The emails contained Microsoft Word attachments with benign-sounding names like “Bio.doc” and “CRTechnical.doc”.

The emails themselves were simplistic and contained.

Upon opening the attachment, users were prompted to enable macros.

In general, if you ever receive a Microsoft Office document and when you open it, it prompts you to enable macros…STOP!

Before doing anything else with the document, contact the sender of the document and:

• Verify the sender did indeed send you the document; if you do not know the sender report or submit the email to your company’s security or IT department
• Verify the sender mailed you a document with embedded macros. If they didn’t or do not even know what a macro is, report or submit the email to your company’s cyber security or IT department

When a user enables such a macro, they give the file permission to run or execute code.

That code can contain all types of obfuscated malicious instructions and might look something like this:

In this spear phishing case, by enabling the macro, users granted the file permission to execute PowerShell.

While PowerShell is a very powerful Microsoft Windows utility that serves many benign and beneficial purposes, in the hands of hackers, it’s also one of their most useful and heavily utilized tools.

Here’s where this traditional looking spear phishing campaign plot took a turn toward a little more than interesting.

When the PowerShell tool is launched, it typically requires input that tells it what exactly to do.

This input can be a script input file (often ending in extension .ps or .ps1), or it can be an actual list of commands directly passed to Powershell.

Here’s the PowerShell command that this particular malware attempted to launch:

Look suspicious?

It should – it’s jibberish! But how do we make sense of this?

To a carefully trained eye – or one of our amazing Blackpoint SOC analysts – certain patterns stand out.

For example: this command argument is using an obfuscation technique that reads arguments in reverse.

Now that we have a sense of what this is, let’s see if we can “untangle” it.

By running it through a reverse string tool such as rev in Mac OSX or Linux or via a website like https://codebeautify.org/reverse-string, we get the following output. Now we’re getting somewhere!

Next, our MDR analysts investigated this IP address and found that it pointed to a server located in Russia.

Our threat research team was able to determine the final payload was the Ursnif trojan utilizing different first stage techniques that bypassed Email Security and had low Virustotal detections at the time of the campaign.

Let’s summarize the highlights of this attack:

Suspicious Email -> Check

Microsoft Attachment -> Check

Have to Enable Macro -> Check

PowerShell Launched -> Check

Obfuscated Command Line Arguments or odd script file -> Check

External File Request -> Check

Game Over ? -> Luckily not for our client who was utilizing Blackpoint’s MDR service

Interested in how to protect your own infrastructure from advanced malware and malicious cyber actors? Contact us below to see how SNAP-Defense and Blackpoint’s Managed Detection and Response (MDR) service can help secure your organization in less than an hour!