May 13, 2019

Incident Report: A Combined Attack.

Perception Point Incident Response

Combining Attack Vectors.

Perception Point intercepted an email thread that combined all currently popular attack vectors; impersonation, encrypted archive and a malicious macro. 

Impersonation

The sender requested something irrelevant of the company’s support team in order to seem like a real prospect seeking help

The link in the email doesn’t work which raises suspicion.

Encrypted File

After the employee ended the conversation with the attacker. The attacker sent a suspicious zip file without any explanation regarding the file, plus he locked the file and added the password in the email causing it to be harder for detection engines to identify

The zip contains a word document named “info05.07.doc”, using our password extraction mechanism, we managed to open the file and scan it.

Malicious Macro

The doc file is malicious which contains malicious macro code that executes malicious commands without the users knowledge

If the user enables the content or even if the configuration of the user enables the file to be opened with automatic activation (common situation) the file start running multiple malicious commands starting with running CMD and PowerShell

After the file executes his malicious activities the file is closed and tries to hide is activities by closing all the processes and actions he took.

Want to know more?

Contact Us.



Link has been copied to your clipboard!