The following write-up covers the SOC146 - Phishing Mail Detected - Excel 4.0 Macros task on LetsDefend.
Alert
We receive an alter that a phishing attack has been detected, and that iit carries an Excel spreadsheet file that has a built-in macro function which once executed by the user makes a connection to the C2 server run by the attacker.
Detection
Parse Email
Going to the Mailbox and searching for the indicated message with subject “RE: Meeting Notes” we can find an email originating from the address trenton@tritowncomputers.com and sent to lars@letsdefend.io. The message body itself is your run-off-the-mill phishing we’ve all seen before, and the message carries a zip file.
General information gathered from the alert:
- SMTP Address: 24.213.228.54
- Source Address: trenton@tritowncomputers.com
- Destination Address: lars@letsdefend.io
- E-mail Subject: RE: Meeting Notes
- Device Action: Allowed
Are there attachments or URLs in the email?
Yes, there is a zip file named 11f44531fb088d31307d87b01e8eabff.zip which we will be dissecting in the next part. There are no URL addresses in the message itself.
Analysis
Analyze URL/Attachment
By using VirusTotal we can get a definitive answer that the spreadsheet file research-1646684671.xls in the zip file has indeed been flagged as malicious by 29 security vendors and 3 sandboxes. There are multiple different names for it, but they all share the fact that we’re dealing with a generic phishing trojan.
Diving further into the actual behavior of the file to dig up the C2 server details we can find two DNS resolutions tied to the file, but the main one detected by multiple vendors is the address https://nws.visionconsulting.ro:443/N1G1KCXA/dot.html.
Check If Mail Delivered to User?
In the original alert we can see that the Device Action was indicated as Allowed, telling us that the email was delivered to the user. We should remove the email from their inbox, as in the best case scenario this means that they don’t end up executing the payload of the malicious file in the first place.
Check If Someone Opened the Malicious File/URL
Looking up the domain in Log Management points us towards a host that has made a connection to the said address, telling us that we weren’t as lucky with prevention as we may have hoped for. Local IP 172.16.17.57 has bade a successful connection to the C2 server we found, meaning that the user has executed the file.
Containment
No matter, what’s done is done, so the next step is containing the host before proceeding with cleaning it. Looking up the IP 172.16.17.57 in Endpoint Security points us at the host called LarsPRD, and we can check the Browser History, Command History and Network Connections to cross reference with the details gathered before to make sure that this is indeed the infected host.
We should proceed with the containment and finish up the playbook.
Lessons Learned
Keeping the definitions for malicious files and addresses in our detection systems is imperative. While this is not a fool-proof way as new tactics and techniques are constantly being developed by the adversaries, it’s a great way to at least help reduce the possibility of infections within our networks.
We should also remember to educate our users to practice healthy email attachment habits with other basic cybersecurity practices in order to keep our equipment and personnel safe. This can be achieved by holding regular, mandatory cybersecurity training sessions and conducting cybersecurity tests to see how well our training efforts have paid off.
Artifacts
https://nws.visionconsulting.ro:443/N1G1KCXA/dot.html - C2 server address from VirusTotal found via analyzing the .xls file
172.16.17.57 - Infected host
Source Address - trenton@tritowncomputers.com Destination Address - lars@letsdefend.io