Why phish when you can spear phish? According to Trend Micro, this appears to be the purpose behind a recent set of malicious emails aimed at Russian enterprises. Attackers used a combination of highly specific, socially persuasive emails to breach corporate security and then leveraged existing Windows protocols to create persistent backdoors.
When successful, cybercriminals gained the ability to download and delete files, download new scripts, terminate running scripts and run shell commands. This raises the question: how can enterprises sidestep the spear and make sure employees don’t get phished?
Backdoor Break-Ins
As noted by the Trend Micro piece, malicious actors used a combination of existing exploits and legitimate Windows functions to create a reliable and sophisticated backdoor system. Researchers observed at least five runs of emails occurring from June 23 to July 27 this year. Each run sent multiple emails per target, using different emails for each run and for each target.
Infections began with emails that appeared to be from sales or billing departments, with subject lines such as “rules for connecting to the gateway” or “payment of state duties.” The emails carried a legitimate-looking .doc attachment that was actually a customized rich text format (RTF) file exploiting CVE-2017-0199, a known vulnerability in Microsoft Office’s Object Linking and Embedding (OLE) interface.
This exploit let the threat actors download a fake Excel spreadsheet that was actually treated as an HTML application embedded with malicious JavaScript. It then ran two PowerShell scripts: a decoy and one that fetched a DLL file. That DLL dropped another file in the %AppData% folder with a .txt extension, which was actually a scriptlet file loaded with more JavaScript.
The new file was loaded through Regsvr32 to bypass restrictions on running scripts and evade application whitelisting. Finally, another XML file was downloaded to serve as the primary backdoor.
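A mail gateway can catch the first step of this chain before Office ever opens the file: check whether an attachment’s bytes match its extension, and whether an RTF body carries an OLE link object that refreshes itself on open. The script below is an added example written for this article, not Trend Micro’s tooling; the magic bytes are standard, while the RTF control-word heuristics (`\objupdate`, `\objautlink`, `\objdata`) are an assumption about what a disguised, self-updating OLE link commonly looks like, and the three sample attachments are constructed.

```python
"""Mail-gateway triage for Office attachments: does the real format match the
extension, and does an RTF body carry OLE link objects that load on open?

Added example for this article, not Trend Micro's tooling. Magic bytes are
standard; the RTF control-word heuristics are an assumption."""
import os
import re

OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
OOXML_MAGIC = b"PK\x03\x04"                            # zip container used by .docx/.xlsx
RTF_MAGIC = b"{\\rtf"

# RTF control words that make an OLE object load or refresh without a click (assumed heuristic).
RTF_OBJECT_WORDS = {
    "objupdate": "object is refreshed as soon as the document opens",
    "objautlink": "object is an automatically updated link",
    "objdata": "object carries embedded OLE data",
}


def sniff_format(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever extension the file claims."""
    if data.startswith(OLE_CFB_MAGIC):
        return "ole-cfb"
    if data.startswith(OOXML_MAGIC):
        return "ooxml"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def rtf_object_indicators(data: bytes) -> list[str]:
    """Return the auto-loading OLE control words present in an RTF body."""
    text = data.decode("latin-1")  # RTF is 7-bit ASCII, so this never fails
    found = []
    for word, why in RTF_OBJECT_WORDS.items():
        # backslash + word, followed by a delimiter rather than more letters
        if re.search(r"\\" + word + r"(?![a-z])", text):
            found.append(f"{word}: {why}")
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    ext = os.path.splitext(filename.lower())[1]
    fmt = sniff_format(data)
    findings = []
    # Word opens RTF saved as .doc without complaint, which is why the disguise works.
    if ext == ".doc" and fmt == "rtf":
        findings.append("extension_mismatch: .doc is really RTF")
    elif ext in (".docx", ".xlsx") and fmt != "ooxml":
        findings.append(f"extension_mismatch: {ext} is really {fmt}")
    indicators = rtf_object_indicators(data) if fmt == "rtf" else []
    findings.extend(indicators)
    if any(i.startswith(("objupdate", "objautlink")) for i in indicators):
        verdict = "quarantine"   # self-loading OLE link: hold it for analysis
    elif findings:
        verdict = "review"       # disguised format only: route to a human
    else:
        verdict = "allow"
    return {"filename": filename, "format": fmt, "verdict": verdict, "findings": findings}


# Constructed samples: control words only, no payload of any kind.
SAMPLES = {
    "payment_of_state_duties.doc":
        b"{\\rtf1\\ansi {\\object\\objautlink\\objupdate{\\*\\objdata 00}} invoice attached}",
    "gateway_rules.doc": OLE_CFB_MAGIC + b"\x00" * 24,
    "notes.doc": b"{\\rtf1\\ansi Meeting notes, plain text only.}",
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage_attachment(name, blob)
        print(f"{name}: {r['verdict']} ({r['format']}) {r['findings']}")
```

A genuine binary .doc passes, a plain RTF renamed to .doc is flagged for review because the disguise itself is unusual, and an RTF whose OLE object is marked to update on open is quarantined.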
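Each stage in that chain leaves a process-creation event with a recognisable shape: an Office application spawning a script host, mshta.exe opening something that is not an .hta, PowerShell launched with hidden-window or download switches, and Regsvr32 loading a scriptlet through scrobj.dll from a user-writable folder. The script below is an added example for this article, not Trend Micro’s detection content; it assumes Sysmon event ID 1 field names (`Image`, `ParentImage`, `CommandLine`), and the events for the two hosts are constructed, not real telemetry.

```python
"""Match process-creation telemetry against the stages of the chain above.

Added example for this article, not Trend Micro's detection content. Field
names follow Sysmon event ID 1; every event below is constructed."""
import os
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe"}


def _base(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def _first_argument(cmdline: str) -> str:
    """Return the first argument after the executable, quotes stripped."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+"?([^"\s]+)', cmdline)
    return m.group(1) if m else ""


def analyze_event(ev: dict) -> list[str]:
    """Return the chain stages a single process-creation event matches."""
    image = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    hits = []

    # Office documents have no business launching script hosts.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append(f"office_spawns_{image}")

    # The fake spreadsheet was run as an HTML application: mshta with a non-.hta target.
    if image == "mshta.exe":
        target = _first_argument(cmd).lower()
        if target and (target.startswith("http") or not target.endswith(".hta")):
            hits.append("mshta_non_hta_target")

    # Hidden window, encoded command or in-script download: the staging script.
    if image == "powershell.exe" and re.search(
            r"-(enc|encodedcommand|ec)\b|-w(indowstyle)?\s+hidden|download(string|file)", low):
        hits.append("powershell_download_or_hidden")

    # Regsvr32 loading a scriptlet via scrobj.dll, here a .txt under %AppData%.
    if image == "regsvr32.exe" and "scrobj.dll" in low:
        hits.append("regsvr32_scriptlet_load")
        m = re.search(r'/i:\s*"?([^\s"]+)', low)
        if m and (m.group(1).startswith("http") or "\\appdata\\" in m.group(1)
                  or not m.group(1).endswith((".sct", ".dll"))):
            hits.append("regsvr32_scriptlet_from_userdir_or_odd_extension")
    return hits


def score_host(events: list[dict]) -> dict:
    """Count distinct stages on one host; three or more looks like the full chain."""
    stages = set()
    for ev in events:
        stages.update(analyze_event(ev))
    verdict = "chain_likely" if len(stages) >= 3 else ("suspicious" if stages else "clean")
    return {"stages": sorted(stages), "verdict": verdict}


# Constructed events for an infected host (A) and a clean one (B).
HOST_A = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\u\AppData\Local\Temp\report.xls'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -enc QUJD"},  # placeholder base64, constructed
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\update.txt scrobj.dll"},
]
HOST_B = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
]


if __name__ == "__main__":
    for name, events in (("host-a", HOST_A), ("host-b", HOST_B)):
        print(name, score_host(events))
```

Scoring per host rather than per event is the point: a single regsvr32 call with an unusual argument is noise on a busy network, but an Office parent, an mshta launch, a hidden PowerShell and a scriptlet load on the same machine within minutes is the chain the article describes, and the vendor installer on host B registering a normal DLL produces no stage at all.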
Sound convoluted? It is — and purposefully so. The combination of continued obfuscation and abuse of legitimate command structures makes it extremely difficult to detect this malware in progress or remove backdoor code once it’s embedded in the system.
Staying Safe From Malicious Emails
While late-chain functions of this backdoor campaign are hard to detect — let alone stop — most phishing and spear phishing attacks start the same way: malicious emails.
For many enterprises, it’s tempting to view email security as something so basic, so necessary and so frequently addressed that employees couldn’t possibly allow cybercriminals to gain system access. According to CNN, however, a self-described email prankster managed to fool multiple employees of the U.S. government by posing as high-profile individuals. While no state secrets were spilled or networks breached, the prank shows just how easily legitimate-looking emails can slip past staff.
So how can companies sidestep the spear? Start by warning staff never to open attachments they’re not 100 percent sure about, then follow up by enforcing strict patch management for Microsoft Office and disabling automatic macro execution for .doc files.
It’s also a good idea to ensure that users possess only the network privileges they need for day-to-day tasks. Organizations should also blacklist specific command interpreters and rarely used applications. Trend Micro noted that this “could affect legitimate system functions,” but a slight loss of functionality is a small price compared with a persistent backdoor.
Malicious emails are spearing Russian enterprises. Stay safe by recognizing the telltale tip of the phishing spear, training employees to err on the side of caution, and taking steps to limit application and network permissions.