Let's take an overview of the Attack Stages
A phishing email to the victim
An attacker has been doing reconnaissance on a user over social media and publicly available information using Open Source Intelligence (OSINT) tools. The attacker has noticed that the user has been posting free coupons. The attacker has set up a command and control (C2) website with the deceptive name "freecoupon.tk" to manipulate this user.
Note: The website freecoupon.tk is set up for demonstration purposes.
The user receives a macro-enabled Microsoft Word document by email. Once the document is opened and content is enabled, Google Chrome opens automatically on the website freecoupon.tk, together with a Notepad window. The attacker could print anything in this Notepad window.
What's visible to the victim
The victim only sees Google Chrome and Notepad opening on their screen, which look benign and give no reason to suspect malicious activity.
Furthermore, only the HTTPS protocol is used from the endpoint during this attack, which again is not suspicious and would not normally be blocked.
What is actually happening on the endpoint
The attacker has crafted this attack to look benign from the start and to evade traditional network and endpoint security products.
So this is what is visible to the victim:
- Email with an attachment (Word document)
- The email came from a legitimate domain and the Word document doesn't look suspicious
- After opening the Word document (+enable content)
- Google Chrome opens with a website which looks like it offers some coupons
- A notepad which has some text
- All network connections were made over legitimate protocols such as HTTPS or SMB
None of these actions would have triggered a user to be suspicious.
What else happened at the victim's endpoint:
- A ping to the attacker's staging server
- Download of a reverse shell from the attacker's staging server
- Execution of the reverse shell on the victim's endpoint
- Reverse shell established over port 443 to the attacker's command and control (C2) server; from this moment the attacker can access and even manipulate the victim's endpoint and use it for lateral movement
- Executed local endpoint reconnaissance commands (systeminfo, arp, hostname, etc.) and saved the output locally on the endpoint
- Transferred that locally saved file to the attacker's server to gain insight into this endpoint; this could equally have been any other files, such as all Word or Excel files from the endpoint
- Downloaded DarkSide ransomware from the attacker's staging server
- Executed the ransomware
- Cleared all the logs
All of this telemetry data is captured by Carbon Black EDR, and you will review it in the next section.
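The following is an added illustration of the defender's view of the chain above, not code from the original page or from Carbon Black. It runs a few simple detection rules over a constructed list of process, network and event-log records that mirror the described stages: children spawned by an Office application (which catches the visible Chrome and Notepad windows as well as the hidden stage), an outbound port-443 connection from a process that is not a browser, a burst of the discovery commands named on the page, and a cleared Security log (Windows event ID 1102). The record fields (`type`, `parent`, `image`, `cmdline`, `dst_port`, `event_id`) and the binary name `downloaded_payload.exe` are assumptions made for the example and do not correspond to any particular EDR schema.

```python
"""Constructed telemetry for the attack chain above and a few defender-side rules.

Added example; field names and the constructed events are assumptions for
illustration, not a real EDR export.
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Discovery commands named on the page (systeminfo, arp, hostname) plus two
# common extras (assumption).
RECON_TOOLS = {"systeminfo.exe", "arp.exe", "hostname.exe", "whoami.exe", "ipconfig.exe"}
RECON_THRESHOLD = 3  # assumed: this many distinct tools in one chain counts as a burst
SECURITY_LOG_CLEARED = 1102  # Windows Security event: "The audit log was cleared"

# Constructed events, in roughly the order the page describes the stages.
EVENTS = [
    {"type": "process", "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE coupon.docm"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "chrome.exe", "cmdline": "chrome.exe https://freecoupon.tk"},
    {"type": "network", "image": "chrome.exe", "dst": "freecoupon.tk", "dst_port": 443},
    {"type": "process", "parent": "WINWORD.EXE", "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe", "cmdline": "powershell.exe"},
    # downloaded_payload.exe is a placeholder name for the fetched reverse shell (constructed)
    {"type": "process", "parent": "powershell.exe", "image": "downloaded_payload.exe", "cmdline": "downloaded_payload.exe"},
    {"type": "network", "image": "downloaded_payload.exe", "dst": "<c2-placeholder>", "dst_port": 443},
    {"type": "process", "parent": "cmd.exe", "image": "systeminfo.exe", "cmdline": "systeminfo"},
    {"type": "process", "parent": "cmd.exe", "image": "ARP.EXE", "cmdline": "arp -a"},
    {"type": "process", "parent": "cmd.exe", "image": "HOSTNAME.EXE", "cmdline": "hostname"},
    {"type": "eventlog", "channel": "Security", "event_id": SECURITY_LOG_CLEARED},
]


def analyze(events):
    """Return the findings each rule produced over the given event list."""
    findings = {
        "office_child": [],    # image names spawned by an Office application
        "nonbrowser_443": [],  # non-browser processes talking to port 443
        "recon_burst": [],     # distinct discovery tools seen, if over threshold
        "log_cleared": [],     # channels for which a log-cleared event was seen
    }
    recon_seen = set()
    for ev in events:
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        if kind == "process":
            parent = ev.get("parent", "").lower()
            if parent in OFFICE_APPS:
                findings["office_child"].append(ev["image"])
            if image in RECON_TOOLS:
                recon_seen.add(image)
        elif kind == "network":
            if ev.get("dst_port") == 443 and image not in BROWSERS:
                findings["nonbrowser_443"].append(ev["image"])
        elif kind == "eventlog" and ev.get("event_id") == SECURITY_LOG_CLEARED:
            findings["log_cleared"].append(ev.get("channel", "Security"))
    if len(recon_seen) >= RECON_THRESHOLD:
        findings["recon_burst"] = sorted(recon_seen)
    return findings


def matched_stages(findings):
    """Map rule hits back to the stages of the chain described above."""
    stages = []
    if findings["office_child"]:
        stages.append("initial access: Office document spawned child processes")
    if findings["nonbrowser_443"]:
        stages.append("C2: non-browser process connected over port 443")
    if findings["recon_burst"]:
        stages.append("discovery: burst of local reconnaissance commands")
    if findings["log_cleared"]:
        stages.append("defense evasion: event log cleared")
    return stages


if __name__ == "__main__":
    result = analyze(EVENTS)
    for rule, hits in result.items():
        print(f"{rule:15s} {hits}")
    for stage in matched_stages(result):
        print("->", stage)
```

Note that Chrome's own connection to freecoupon.tk on port 443 is deliberately not flagged: on its own it looks exactly like the benign browsing the victim sees, which is why correlating the process tree (Word spawning the browser) with the later network and discovery events matters more than any single connection.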