Ukrainian companies face new challenges from the enemy every day. They are resisting attacks both on the front line and in cyberspace. Digital attacks may not be visible, but they still cause harm and benefit the enemy.
If we evaluate previous attacks that we have seen, it becomes clear that reconnaissance is carried out first by infiltrating the organization. Hackers are like robbers: they don't open the first door they see; first, they look closely at potential victims and assess their chances of success.
Although companies cannot fully and permanently protect themselves from incidents, they can significantly reduce risks by using the right solutions.
For example, one of Trellix's largest customers in Ukraine recently faced an attack, but thanks to prompt action, it was detected and neutralized. The BAKOTECH team managed to look into this incident, and we would like to share our findings and conclusions with you.
Disclaimer: BAKOTECH operates through a partner network and does not sell directly to customers.
What happened?
The Trellix Endpoint Detection and Response (EDR) solution detected two suspicious activities on the organization’s workstations. The only difference between them was the date and time at which they occurred. The attacker's actions were logical: he was carrying out reconnaissance and studying the potential victim. All attacks of this kind aim to gain remote access to the workstation and then escalate privileges by performing a “vertical move.”
When it comes to ensuring the right level of security, it is not enough to have a solution that can only react. You need a complete picture of how an incident could have occurred and what its consequences would be. The EDR system detected anomalous behavior caused by a malicious LNK file. This included the use of Living off the Land (LotL) binaries to execute obfuscated VBScript and to initiate a network connection, as well as numerous DNS queries to the suspicious domain estaca[.]ru.
Trellix linked this activity to Gamaredon, a Russian group that attempts to terrorize Ukrainian digital systems daily. This assumption was made based on the tactics, techniques, and procedures used in this attack.
Why it's worth paying attention to this incident
The modern world of information security solutions does not stand still, and neither do attackers. They know that practically every product can now detect suspicious files by matching known signatures. So attackers try to hide their tracks using the LotL approach. The tactic is simple: disguise malicious actions as the activity of legitimate software. Standard signatures are therefore not enough; more attention must be paid to behavioral analysis.
In our case, the attackers used system binaries such as mshta.exe together with obfuscated scripts delivered via malicious documents or shortcuts (LNK files). It is worth noting that this is a very effective way to bypass traditional security measures, because the process that runs the script is a signed Windows component.
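The behavioral checks described above can be expressed as simple rules over endpoint telemetry. The following is an added example written for this article, not Trellix or BAKOTECH code: it runs three heuristics over constructed Sysmon-style process and DNS events (mshta.exe given an inline script protocol or a remote URL instead of a local .hta file, a quote/parenthesis density that hints at command obfuscation, and DNS lookups of the report's domain or lookups issued by a LotL binary). The event field names, the LotL binary list and the 0.08 obfuscation threshold are assumptions for the example.

```python
import re

# Constructed sample telemetry (Sysmon-style process-creation and DNS events); not data from the incident.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""..."":close")'},
    {"event": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},   # benign local .hta
    {"event": "dns", "image": r"C:\Windows\System32\mshta.exe", "query": "estaca.ru"},
    {"event": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "example.org"},
]

# Assumed list of Windows binaries commonly abused as script/proxy launchers (T1218 family).
LOTL_BINARIES = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Domain named in the report (defanged there as estaca[.]ru).
WATCHLIST_DOMAINS = {"estaca.ru"}
# mshta normally receives a local .hta path; a script protocol handler or a URL is the suspicious pattern.
INLINE_SCRIPT = re.compile(r"(vbscript|javascript):|https?://", re.IGNORECASE)
OBFUSCATION_THRESHOLD = 0.08  # assumed: share of quote/caret/paren characters in the command line


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of detection tags for one event (empty when nothing matched)."""
    tags = []
    img = basename(event.get("image", ""))
    if event["event"] == "process" and img in LOTL_BINARIES:
        cmd = event.get("cmdline", "")
        if INLINE_SCRIPT.search(cmd):
            tags.append("T1218.005 mshta inline/remote script")
        noise = sum(cmd.count(c) for c in '"^()')
        if cmd and noise / len(cmd) > OBFUSCATION_THRESHOLD:
            tags.append("T1027.010 command obfuscation heuristic")
    if event["event"] == "dns":
        q = event["query"].lower().rstrip(".")
        if q in WATCHLIST_DOMAINS or q.endswith(tuple("." + d for d in WATCHLIST_DOMAINS)):
            tags.append("T1071.001 DNS query to watchlisted domain")
        if img in LOTL_BINARIES:
            tags.append("LotL binary resolving DNS")
    return tags


def scan(events):
    """Return (event index, tag) pairs for every hit across a batch of events."""
    return [(i, t) for i, e in enumerate(events) for t in classify(e)]


if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

The benign local .hta launch and the browser DNS lookup produce no tags, while the inline VBScript launch and the mshta.exe lookup of estaca.ru each produce two.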
If we imagine this process as a tree, we will see the following:
Trellix Report
The Trellix team has compiled a report mapping the observed tactics, techniques and procedures (TTPs) to MITRE ATT&CK.
Here's roughly what it looks like:
Tactic goal | ATT&CK technique (technique ID)

Execution
  T1204.002 User Execution: Malicious File
  T1059.005 Command and Scripting Interpreter: Visual Basic

Defense Evasion
  T1140 Deobfuscate/Decode Files or Information
  T1027.010 Obfuscated Files or Information: Command Obfuscation
  T1218.005 System Binary Proxy Execution: Mshta

Command and Control
  T1071.001 Application Layer Protocol: Web Protocols
  T1219.002 Remote Access Tools: Remote Desktop Software
In case of a similar incident, the BAKOTECH team recommends performing the following actions: