August 8, 2017 By Douglas Bonderud 2 min read

Why phish when you can spear phish? According to Trend Micro, this appears to be the purpose behind a recent set of malicious emails aimed at Russian enterprises. Attackers used a combination of highly specific, socially persuasive emails to breach corporate security and then leverage existing Windows protocols to create persistent backdoors.

When successful, cybercriminals gained the ability to download and delete files, download new scripts, terminate current scripts and run shell commands. This begs the question: How can enterprises sidestep the spear and make sure employees don’t get phished?

Backdoor Break-Ins

As noted by the Trend Micro piece, malicious actors used a combination of existing exploits and legitimate Windows functions to create a reliable and sophisticated backdoor system. Researchers observed at least five runs of emails occurring from June 23 to July 27 this year. Each run sent multiple emails per target, using different emails for each run and for each target.

Infections began with emails that appeared to be from sales or billing departments with subject lines such as “rules for connecting to the gateway” or “payment of state duties.” The emails contained a legitimate-looking .doc attachment, which was actually a customized rich text format (RTF) file that leveraged known exploit CVE-2017-0199, part of Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.

This exploit let threat actors download a fake Excel spreadsheet that’s actually treated like an HTML application embedded with malicious JavaScript. It then ran two PowerShell scripts, one decoy and one that grabbed a DLL file. This file then dropped another file in the %AppData% folder with a .txt extension, but it was actually a scriptlet file loaded with more JavaScript.

The new file used Regsvr32 to bypass restrictions on running scripts and evade whitelisting protocols. Finally, another XML file was downloaded to serve as the primary backdoor.

Sound convoluted? It is — and purposefully so. The combination of continued obfuscation and abuse of legitimate command structures makes it extremely difficult to detect this malware in progress or remove backdoor code once it’s embedded in the system.

Staying Safe From Malicious Emails

While late-chain functions of this backdoor campaign are hard to detect — let alone stop — most phishing and spear phishing attacks start the same way: malicious emails.

For many enterprises, it’s tempting to view email security as something so basic, so necessary and so frequently addressed that employees couldn’t possibly allow cybercriminals to gain system access. According to CNN, however, a self-described email prankster managed to fool multiple employees of the U.S. government by posing as high-profile individuals. While no state secrets were spilled or networks breached, the prank shows just how easily legitimate-looking emails can slip past staff.

So how can companies sidestep the spear? Start by warning staff never to open attachments they’re not 100 percent sure about, then follow up by enforcing strict patch management for Microsoft Office and turning off auto-run for .doc macros.

It’s also a good idea to ensure that users possess only the network privileges they need for day-to-day tasks. Organization should also blacklist specific command interpreters or rarely used applications. Trend Micro noted that this “could affect legitimate system functions,” but slightly compromised performance always outweighs persistent backdoors.

Malicious emails are spearing Russian enterprises. Stay safe by recognizing the telltale tip of the phishing spear, training employees to err on the side of caution, and taking steps to limit application and network permissions.

More from

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today