Securonix researchers give an account of Steep#Maverick, an unusually carefully crafted, evasive, and persistent cyberespionage effort.
Steep#Maverick cyberespionage campaign.
Securonix describes an effective and carefully crafted cyberespionage campaign.
Researchers at Securonix Threat Labs have issued a report on a cyberespionage campaign they're calling Steep#Maverick. They call it a "covert attack campaign," and they conclude that its targets have been "multiple military/weapons contractor companies, including likely a strategic supplier to the F-35 Lightning II fighter aircraft." The PowerShell stager the threat actor used isn't particularly novel, but "the procedures involved featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code."
Dark Reading offers some context. "The STEEP#MAVERICK campaign appears to have launched in late summer with attacks on two high-profile defense contractors in Europe. Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) file with a shortcut (.lnk) file to a PDF document purportedly describing company benefits. Securonix described the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea's APT37 (aka Konni) threat group."
As has become commonplace with cyberespionage campaigns, Steep#Maverick begins with a phishing email, the hook buried in an attached [dot]lnk file with an anodyne phishbait name like "Company & benefits." When the victim executes that file, "a rather large and robust chain of stagers will execute. Each stager is written in PowerShell and each is very heavily obfuscated. In total we observed eight layers to the stage which carry a wide range of techniques." The seventh layer is where the interesting, and effective, anti-analysis and counter-forensic tools make their appearance. Most comparably equipped malware, when it detects sandboxing or other such defensive tools, simply exits, but Steep#Maverick is much more assertive, "hostile," as Securonix puts it. "When the check fails, rather than quitting, it will disable the system's network adapters, use netsh to configure the Windows Firewall to block all inbound and outbound traffic, and then use an obfuscated PowerShell command '(&gal [?r0]*m)' in place of the 'Remove-Item' commandlet, to delete everything in the user’s profile directory, G:\, F:\, and E:\ drives recursively. Then the computer will shut down via the commandlet 'Stop-Computer'."
Once installed, the malware is unusually persistent. There's no attribution, but one circumstantial detail is suggestive. "If the system’s language is set to “*zh*” (Chinese) or to “*ru*” (Russian), then the code will simply exit and the computer will shut down," Securonix says in its report.
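The layer-seven chain described above (Windows Firewall blocked with netsh, a cmdlet resolved through a Get-Alias wildcard in place of Remove-Item, recursive deletion, then Stop-Computer) leaves process-creation telemetry a defender can match on. As an added example, not code from Securonix's report, this Python triage runs one rule per step over constructed Sysmon-style records; the exact netsh and PowerShell command lines are assumptions modelled on the behaviour the report describes, not the campaign's own.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 records flattened to "Image=...|CommandLine=..."
# lines: stand-ins modelled on the behaviour the report describes, not real logs.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\netsh.exe|CommandLine=netsh advfirewall set "
    "allprofiles firewallpolicy blockinbound,blockoutbound",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine="
    "powershell -w hidden -c \"(&gal [?r0]*m) $env:USERPROFILE -Recurse -Force; Stop-Computer\"",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine="
    "powershell Get-ChildItem C:\\Temp",
    "Image=C:\\Windows\\System32\\netsh.exe|CommandLine=netsh interface show interface",
]

RULES = [
    # Windows Firewall policy set to block all inbound and outbound traffic.
    ("firewall_block_all",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+firewallpolicy\s+blockinbound,blockoutbound", re.I)),
    # Call operator on Get-Alias output with a wildcard, as in '(&gal [?r0]*m)' for Remove-Item.
    ("alias_resolved_cmdlet", re.compile(r"&\s*(gal|get-alias)\s+\S*[\[\]*?]\S*", re.I)),
    # Recursive deletion and a shutdown in the same command line.
    ("delete_then_shutdown",
     re.compile(r"(remove-item|\brm\b|\bdel\b|gal)\b.*-recurse.*stop-computer", re.I)),
    # Network adapters disabled from the command line.
    ("adapter_disable",
     re.compile(r"disable-netadapter|netsh\s+interface\s+set\s+interface\s+.*\bdisable\b", re.I)),
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened record into its fields (first '=' separates key and value)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def match_rules(command_line: str) -> List[str]:
    """Names of every rule the command line trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(command_line)]

def triage(events: List[str]) -> List[Dict[str, object]]:
    """One finding per event that trips at least one rule; clean events are dropped."""
    findings: List[Dict[str, object]] = []
    for line in events:
        ev = parse_event(line)
        hits = match_rules(ev.get("CommandLine", ""))
        if hits:
            findings.append({"image": ev.get("Image", ""), "rules": hits})
    return findings
```

Two of the four sample records trip rules; the alias-resolution rule is the one most worth tuning, since legitimate scripts rarely invoke the result of a wildcard Get-Alias lookup.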
Obfuscation and evasion.
Chris Clements, VP of solutions architecture at Cerberus Sentinel, commented on the attention the threat actor paid to obfuscation and evasion of endpoint protections. “The great lengths the threat actor has gone to in obfuscating their attack to bypass typical endpoint security controls as well as reviewing the computing environment they are operating under for indications it may be a defender or researcher analyzing their tools and actions lends credence to speculation that the attacker is highly sophisticated and could be associated with nation-state intelligence organizations," he wrote. "The anti-analysis verification actions themselves are rather extreme by disabling network access and deleting user profile directories. Normally you see malware simply silently disarm itself; taking such destructive steps could be a paranoid attempt to conceal the tooling."
A security culture can be developed through practice and drill.
Fending off this sort of attack, and mitigating the effects of such an attack should it succeed, requires a cultural approach, Clements argued. "To defend against high level cyberattacks, organizations must adopt a culture of cybersecurity with multiple layers of protection. It’s crucial to focus on targeting how attackers operate rather than on any one type of malware tool or evasion technique currently in use. There will always be a means of bypassing or disabling one or more layers of protection, but threat actor behaviors are largely similar." And it's the sort of culture that can be fostered by appropriate, well-designed training. "Awareness education on current attack trends to identify phishing and other social engineering techniques makes personnel more resilient. Endpoint security controls can help detect and block malware that makes it past a user. Attack surface minimization and segmentation can limit what an attacker can access if they manage to bypass the endpoint security controls. Continuous monitoring can help identify common attacker behaviors as they attempt to escalate privileges and spread through networks. Regular cybersecurity validation exercises like tabletops and penetration tests can help identify gaps or mistakes that could open the door for threat actors to move from initial footholds to complete compromise."
A tactical approach to defending against Steep#Maverick.
And there are tactics organizations can use against the sort of approach seen in Steep#Maverick. "That said, tactically there are a few things that are likely to disrupt similar cyberattack campaigns. While the initial phishing email’s attachment was a ZIP archive, it decompresses to a .LNK file. LNK files and .ISO files have been widely used by threat actors recently so a prudent step can be to block those attachment types from emails altogether. There are vanishingly few good reasons for those file types to be sent over email. It wouldn’t have prevented the phishing email with the ZIP archive in this case, but it could filter out other similar attacks that attempt to attach the LNK and ISO file types directly. In addition, the added monitoring capabilities of tools such as Microsoft’s free Sysmon can deter threat actors from continuing their attack for fear of discovery, a statement that’s likely true even if the logging produced by those tools isn’t actually centralized or reviewed (it really should be though)."
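Clements's point is that an attachment-type rule stops bare .LNK and .ISO files but not a ZIP that wraps one, which is how this campaign's lure arrived. As an added example, not code from the report or from Cerberus Sentinel, this Python helper extends that rule by looking inside the archive, and inside nested archives, for the blocked types; the sample attachment it builds is constructed, and the shortcut member is placeholder bytes, not a real LNK.

```python
import io
import zipfile
from typing import List

# File types Clements suggests blocking at the mail gateway outright.
BLOCKED_EXTENSIONS = (".lnk", ".iso")
MAX_DEPTH = 3  # bound on nested archives so a zip-in-zip chain cannot recurse forever

def suspicious_members(data: bytes, depth: int = 0) -> List[str]:
    """Paths of blocked file types inside a ZIP, descending into nested ZIPs.

    Nested hits are written outer.zip/inner.lnk. An archive that cannot be
    parsed is itself reported, since the gateway cannot vouch for its contents.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    found: List[str] = []
    with archive:
        for info in archive.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(BLOCKED_EXTENSIONS):
                found.append(name)
            elif lower.endswith(".zip") and depth < MAX_DEPTH:
                found.extend(f"{name}/{p}" for p in suspicious_members(archive.read(info), depth + 1))
    return found

def should_quarantine(data: bytes) -> bool:
    """Gateway decision: hold the message if any blocked type is found at any depth."""
    return bool(suspicious_members(data))

def build_sample(with_shortcut: bool) -> bytes:
    """Constructed attachment: a ZIP holding a second ZIP that carries a shortcut
    named to look like a PDF. Member bytes are placeholders, not a real LNK."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        if with_shortcut:
            zf.writestr("Company & benefits.pdf.lnk", b"placeholder, not a shortcut")
        zf.writestr("notes.txt", b"benefits overview")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("benefits.zip", inner.getvalue())
        zf.writestr("cover letter.txt", b"see attached")
    return outer.getvalue()
```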
Paul Bischoff, privacy advocate at Comparitech, wrote to point out the heightened threat state actors represent, in contrast to the more routine and opportunistic criminal actors. “State-sponsored malware is often more sophisticated and targeted than the malware used in other cybercrime, which tends to target low-hanging fruit," he said. "State-sponsored attackers are more concerned about maintaining access to a compromised system over a long period of time and hiding their tracks. Defense contractors are an obvious target for state-sponsored cyberattacks, especially during wartime, so it's concerning that Black Kite found so many of them to be vulnerable to attack." But even sophisticated actors can be frustrated by sound practice. "Even though STEEP#MAVERICK is quite sophisticated once it has infiltrated a system, the initial attack vector is still old-fashioned phishing. It can be avoided by never clicking on links or attachments in unsolicited emails, and always verifying the sender before responding. Never send passwords or other private information over email.”