Researchers at Securonix released an analysis on a sophisticated, targeted attack against military contractors they have named STEEP#MAVERICK. The attack chain for this attack began as a phishing email containing a zip archive, which contained a .lnk file disguised as a pdf that contained the Command and Control (C2) stager. The stager was an eight-step preparation process containing multiple types of PowerShell obfuscation which pulls an apparent .png that decrypts into the final payload.
Analyst Notes
The primary source of the sophistication of the attack are the many levels of obfuscation and preparation that occur to facilitate the attack. However, each step in the process provides an opportunity for detection. For example, many email security products allow for inspection of zip archives in attachments and can quarantine emails based on the contents. With PowerShell script block logging, several of the obfuscation techniques can be detected as well, such as the presence of “fromBase64String” or “[char]” (case insensitive). These features are less common in legitimate scripts; however, as always, it is necessary test any detections to determine normal activity in production environments.
Organizations looking to elevate their SIEM can automate domain analysis on domain queries. In the case of the STEEP#MAVERICK campaign, all domains used to host the payload had been registered within a month of the attack: creating alerts for requests for newly registered domains can provide valuable detection opportunities. Organizations can leverage a number of tools, such as Mark Baggett’s domain_stats, to accomplish this.
Source:
