Trojan Malware, Powershell Attacks, and Credential-Stealing 

Between September 25 and October 02, 2024, Blackpoint’s Security Operations Center (SOC) responded to 703 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. These incidents involved confirmed or likely threat actor use of:

• Trojan malware likely for collection of sensitive data.
• PowerShell scripts in an attempt to collect sensitive data.
• Trojan/Stealer malware likely for credential access.

In this blog, we’ll dive into the details of three select incidents, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.

Topline Takeaways

• Industry target: Legal Services
• Attacker methods:
  • Trojan malware detection
  • .js initial access file
• Recommended mitigations:
  • Create and implement an employee security training program.
  • Deploy monitoring and remediation services.
  • Regularly audit environment.

Incident Timeline for 2024-09-23 and 2024-09-25

On September 23, 2024, Blackpoint’s MDR technology alerted to Wacatac malware on a host of a Legal Services partner, specifically flagging a “setup.msi” file located in the %APPDATA%\Local folder. The file appears to be related to trojan malware detections, according to VirusTotal. Initial investigation determined the file was downloaded onto the host via the execution of a JavaScript file that was downloaded by a user. Once the JavaScript file was executed, it pulled down the setup.msi binary.

Additional investigation determined that the JavaScript file came from a malicious email. Outlook was observed spawning Edge, which called out to a domain, “ok[.]me”. The A record of the domain pointed to an IP hosted in Russia. Out of an abundance of caution, Blackpoint’s SOC isolated the affected host.

On September 25, 2024, Blackpoint’s MDR technology alerted to the file’s presence on another host; Blackpoint’s Active SOC isolated the host and contacted the partner to relay the identified information.

More About Trojan Malware

Trojan malware is a type of malware that disguises itself as a legitimate program or file to gain initial access to victim organizations. Trojan malware can be used by attackers to perform several actions including stealing data, deploying second-stage malware payloads, and providing control of the compromised devices.

These malware families are often attractive to threat actors because they provide defense evasion by disguising itself as a legitimate process and provide access for additional malware including ransomware, cryptomining malware, and information stealers.

APG Threat Analysis for Trojan Malware

Threat actors will almost certainly continue to deploy trojan malware on targeted environments into 2024. Incidents involving Industrials partners in August 2024 and Healthcare in February 2024 support the Blackpoint APG’s assessment.

Mitigations

• Create and implement an employee training program: Ensure employees receive training on social engineering tactics, including phishing, and how/when to report to an incident response authority.
• Deploy monitoring and remediation services: Monitoring and remediation services can help detect malicious behavior patterns within the environment.
• Regularly audit environment: Auditing the environment on a regular basis can help quickly identify anomalous files, scheduled tasks, and behaviors.

Topline Takeaways

• Industry target: Consumer Cyclicals
• Attacker methods:
  • Scheduled tasks – 15 tasks named 1-15 to execute .bat and .vbs scripts
  • PowerShell scripts using -ExecutionPolicy Bypass option
• Recommended mitigations:
  • Scripting language controls.
  • Ensure the use of least privilege access controls.

Incident Timeline for 2024-09-25

On September 25, 2024, Blackpoint’s MDR technology alerted our Active SOC to suspicious PowerShell alerts on the host of a Consumer Cyclicals partner. Initial investigation found that the activity was tied to two different PowerShell execution; both scripts started with the -ExecutionPolicy Bypass option that allows PowerShell to bypass some of the built in restrictions.

Further analysis into the host found that the source of the activity appeared to be related to a batch script called Antivirus-Update.bat, which was located in the user’s %APPDATA%\Local. The Blackpoint Active SOC also observed 15 different scheduled tasks on the host named 1-15. The tasks were either executing a 1.bat, 2.bat, 855443.vbs, 866554.vbs, or 844332.vbs. Blackpoint’s SOC isolated the affected host and deleted the scheduled tasks.

Blackpoint’s Adversary Pursuit Group (APG) conducted additional research into the scripts and identified the following:

• tmp9EB6.tmp.ps1 is a PowerShell script that automates user-like interactions with Microsoft Edge over a period of 60 hours. It conducts idle detection, automated browsing, screen overlay, user activity monitoring, and process control.
• Antivirus-Update.bat was used to created the scheduled tasks for persistence.
• 5 is a PowerShell script that performs multiple actions over a period of 9 minutes, including capturing screenshots, collecting system information, prepares the data for transmission, sends the data to a remote server, and deletes the temporary screenshot files and repeats the process after a 15 second wait period.

More About Malicious Use of PowerShell Scripts

PowerShell is a Microsoft tool that combines a command-line shell and scripting language to automate tasks, build, test, and deploy solutions. PowerShell is cross-platform, built in Windows systems, and can be executed in memory.

PowerShell scripts are an attractive tool for threat actors due to their use, the ability to blend into “normal” activity, and the ability to use encoded PowerShell commands to obfuscate their activities. In this incident, the threat actor appeared to use PowerShell scripts in an attempt to steal information including screenshots and system information.

APG Threat Analysis for PowerShell Scripts

Blackpoint’s APG predicts the continued use of PowerShell scripts by threat actors for execution in 2024, as observed in incidents involving our partners in Industrials on August 21, 2024, and Government on April 19,2024. Additionally, Blackpoint’s APG has tracked 35 ransomware operations and 21 threat actors that have been reported to use PowerShell scripts for execution.

Mitigations

• Scripting language controls: Implement strict controls on the use of scripting languages as threat actors often rely on them for execution.
• Least Privilege Access Control: Limit user access to the necessary resources to reduce the ability to execute scripts.

Topline Takeaways

• Industry target: Professional & Commercial Services
• Attacker methods:
  • Suspicious PowerShell
  • Stealer/Trojan malware
• Recommended mitigations:
  • Enforce multi-factor authentication (MFA) on all user accounts.
  • Provide a Dedicated Software Center.
  • Use strong, unique passwords.

Incident Timeline for 2024-09-29

On September 29, 2024, Blackpoint’s MDR technology alerted to a suspicious PowerShell on a host of a Professional & Commercial Services partner. Initial investigation identified that the PowerShell script reached out to a malicious domain, “finalstepgo[.]com”, and retrieved an executable, “clickcharts_[3MB]_[1sig].exe”, that was detected and alerted to OS credential dumping.

Additional analysis conducted by Blackpoint’s APG team identified the .exe file was identified as a Trojan/Stealer, with detections “stealc”, “filerepmalware, and “stealerc” on VirusTotal. The identified domain has also been reported to be malicious and has previously been linked to multiple malicious files, IP addresses, and malware.

More About Stealer Malware

A stealer is a trojan malware that steals sensitive information from the compromised environment. These types of malware variants are often used to gather credentials and send collected information to an attacker’s command and control (C2) server.

Stealer malware can often be found for sale on cybercriminal forums, some as low as $50 for a monthly subscription, which makes this type of malware easily accessible for threat actors of all skill levels.

APG Threat Analysis for Stealer Malware

APG predicts continued deployment of stealer malware in 2024, which is supported by incidents involving a Technology partner in August 2024 and an Industrials partner in August 2024. Reports from Recorded Future, Kroll, and Cado Security have detailed threat actors use of stealer malware since the start of 2024.

Mitigations

• MFA on All Accounts: Enforcing MFA can prevent attackers from exploiting compromised credentials.
• Dedicated Software Center: Provide a dedicated software center to ensure employees can easily access necessary applications and limit the opportunity for accidental malware downloads.
• Strong Password Policies: Implement unique, strong passwords, rotate them regularly, and use a secure password manager.

These incidents underscore the evolving tactics of threat actors and highlight the importance of layered defenses. By leveraging Blackpoint’s MDR technology and following these mitigation strategies, you can bolster your organization’s defenses against these types of attacks. Reach out to Blackpoint’s SOC team for tailored recommendations on how to enhance your cybersecurity posture.