Initial access tradecraft
Adversaries reevaluated their initial access methodologies in 2022 and leveraged old tradecraft in new ways at prodigious scale.
Cybercriminals or hipsters? Adversaries resurfaced some vintage initial access tradecraft in 2022, including exploiting unusual file types such as LNK and MSI.
In 2022 we saw major malware campaigns leverage vintage tradecraft in new ways, experimenting with delivery vehicles and file types in an attempt to evade detection. Weaponized Microsoft documents and malicious macros waned in favor of evil binaries hidden within nested layers of container files and compressed archives. Adversaries manipulated search engine ads and results to lure users into downloading malicious installers. USBs, a well-known threat vector for decades, saw a resurgence in use by new malware families and established adversaries.
Phishing trend: Macros are out, compressed files and containers are in
Macros traded in for newer delivery vehicles
In February 2022, Microsoft announced that they would start blocking VBA macros by default across their entire product suite. Key to implementing this change is the Zone Identifier Alternate Data Stream (ADS) value assigned to downloaded files and attachments, with the specific value based on whether or not the file came from a trusted location. The internet is not considered a trusted source, meaning files with the Zone.Identifier ADS value of 3—commonly known as the Mark-of-the-Web (MOTW)—can be subject to more stringent security measures.
Not all file types are automatically assigned the MOTW. It depends on several factors, including the software used to download the file, the file format, and other utilities with features that may or may not be enabled. Compressed archives (ZIP, RAR) and container files (ISO, VHD) are types of files that may not have the MOTW, meaning they won’t be restricted, blocked, or generate warning prompts in the same way as files that do contain the mark.
Following Microsoft’s announcement, adversaries across all verticals changed their techniques. They rapidly shifted away from malicious macros in their phishing emails and began leveraging container files and compressed files to deliver their malware, often nesting these file types within each other in an attempt to further bypass security controls. In June 2022, 7-Zip released an update that added an opt-in feature that could add the MOTW to ZIP files. In November 2022, Microsoft released a security update that propagated MOTW identifiers to some ZIP and ISO files. These updates may reduce the misuse of ZIP and ISO files in 2023.
Throughout the year, we observed compressed archives, especially RAR or ZIP files, used as a malicious nested attachment’s outer layer. They do not have a Zone Identifier ADS attribute, so they cannot have a MOTW. Again, 7-Zip’s June update may complicate an adversary’s ability to abuse ZIP files, but only if users opt in. Multiple threats used compressed archives in their attachments in 2022, including Bumblebee, IcedID, and Qbot.
Optical Disk Image (ISO) files and Virtual Hard Drive (VHD) files are two types of container files we’ve seen delivered inside compressed archives in an attempt to evade MOTW restrictions. Container files like ISOs do not support a Zone Identifier ADS attribute and did not have a MOTW until Microsoft’s November 2022 patch propagated MOTW flags to both the ISO and its contents. Proofpoint reported a 150 percent increase in the use of ISO files in malicious campaigns between October 2021 and June 2022. IcedID is one example of a threat that used ISOs, and Bumblebee leveraged both ISOs and VHDs in 2022.
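The two mechanisms described above, the Zone.Identifier stream on the outer download and the archive-inside-archive nesting that keeps inner files away from that stream, can be checked together at triage time. The following is an added example written for this page, not Red Canary's tooling: it parses the text of a Zone.Identifier ADS (the [ZoneTransfer] section with ZoneId, ReferrerUrl and HostUrl keys that Windows writes), then walks a ZIP attachment in memory, descending into nested ZIPs and flagging container types (ISO, IMG, VHD) and common payload types (LNK, JS, MSI) by depth. The sample archive and zone string are constructed inline; the triage categories and the "suspicious" rule are this example's own assumptions, and RAR and ISO contents are not walked because that needs third-party libraries.

```python
import io
import zipfile
from dataclasses import dataclass

# Windows URL security zones as stored in the Zone.Identifier ADS.
# ZoneId=3 (Internet) is the value the report calls the Mark-of-the-Web.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Triage categories assumed for this example (not a Microsoft or Red Canary list).
ARCHIVE_EXTS = {".zip"}                              # only ZIP is walked; RAR needs a third-party library
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}   # mountable containers whose contents carry no ADS
PAYLOAD_EXTS = {".lnk", ".js", ".jse", ".vbs", ".hta", ".msi", ".exe", ".dll"}


def parse_zone_identifier(stream_text):
    """Parse the text of a Zone.Identifier stream ([ZoneTransfer] section) into a dict."""
    fields, section = {}, None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def zone_id(stream_text):
    """Integer ZoneId from the stream text, or None when the stream is absent or malformed."""
    if stream_text is None:
        return None
    value = parse_zone_identifier(stream_text).get("zoneid", "")
    return int(value) if value.isdigit() else None


@dataclass
class Finding:
    path: str    # nesting chain, e.g. "invoice.zip/docs.zip/invoice.lnk"
    kind: str    # "archive", "container" or "payload"
    depth: int   # 1 = directly inside the attachment


def _ext(name):
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def walk_zip(data, chain, depth, findings):
    """Recursively list archive members, descending into nested ZIPs held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path, ext = "/".join(chain + [info.filename]), _ext(info.filename)
            if ext in ARCHIVE_EXTS:
                findings.append(Finding(path, "archive", depth))
                walk_zip(zf.read(info), chain + [info.filename], depth + 1, findings)
            elif ext in CONTAINER_EXTS:
                findings.append(Finding(path, "container", depth))
            elif ext in PAYLOAD_EXTS:
                findings.append(Finding(path, "payload", depth))
    return findings


def triage_attachment(name, data, zone_stream):
    """Combine the outer file's zone with what is nested inside it."""
    zid = zone_id(zone_stream)
    findings = walk_zip(data, [name], 1, []) if _ext(name) == ".zip" else []
    return {
        "outer_zone": ZONE_NAMES.get(zid, "none"),
        "has_motw": zid is not None and zid >= 3,   # Internet or Restricted zone
        "max_depth": max((f.depth for f in findings), default=0),
        "findings": findings,
        # Assumed rule: a container inside an archive, or a payload two layers down,
        # matches the archive-in-archive pattern described in the report.
        "suspicious": any(f.kind == "container" for f in findings)
                      or any(f.kind == "payload" and f.depth >= 2 for f in findings),
    }


def build_sample():
    """Constructed sample: invoice.zip -> docs.zip -> invoice.iso + invoice.lnk (member bytes are placeholders)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.iso", b"\x00" * 64)
        z.writestr("invoice.lnk", b"L\x00\x00\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("docs.zip", inner.getvalue())
        z.writestr("readme.txt", b"see attached")
    return outer.getvalue()


# Constructed Zone.Identifier content, in the form a browser writes for an Internet download.
SAMPLE_ZONE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.zip\r\n"

if __name__ == "__main__":
    result = triage_attachment("invoice.zip", build_sample(), SAMPLE_ZONE)
    print(result["outer_zone"], result["has_motw"], result["max_depth"], result["suspicious"])
    for f in result["findings"]:
        print(f"  depth {f.depth} {f.kind:9} {f.path}")
```

On a Windows host the stream text would come from opening `path + ":Zone.Identifier"`; on other platforms the parser is still useful for streams captured by an EDR or mail gateway. The point the sample makes is that the outer ZIP carries ZoneId=3 while nothing two layers down does, which is exactly the gap the nesting exploits.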
Web trends: SEO poisoning and malvertising
Search engine optimization poisoning
Search engine optimization (SEO) poisoning continued to be an effective technique for gaining initial access in 2022. Many threats leveraged SEO poisoning, including Gootloader, Yellow Cockatoo, and various stealers. Adversaries create malicious websites that use SEO techniques like placing strategic search keywords in the body or title of a webpage. They attempt to make their malicious sites more prominent than legitimate sites when search results are returned by Google and other search engines. As an example, Zloader—also known as BATLOADER—has used keywords like “free software development tools” to encourage victims to navigate to their site and download evil installers. Another example, Gootloader, has used websites claiming to offer information on contracts and other legal or financial documents. This trend shows no signs of slowing as we move into 2023; in late 2022, one SEO poisoning campaign targeted almost 15,000 websites.
SEO poisoning is not the only way adversaries use search engines to their advantage. Malicious advertising, also called malvertising, also persisted in 2022. Malvertising is the use of fake ads on search engine pages that masquerade as legitimate websites to download software like Zoom or TeamViewer. Threats that used malvertising extensively in 2022 include AdSearch, IcedID, and stealer malware.
File type trends: LNK and MSI
Windows shortcut files, also known as LNK files, have also seen increased adversarial use in 2022. Proofpoint reported a 1,675 percent increase in LNK files in malicious campaigns between October 2021 and June 2022. LNK files are neither compressed archives nor container files. Instead, LNK files provide adversaries a way to execute binaries, scripts, and other arguments. Based on the specific arguments configured when a LNK file is created, it can point to and execute files or include scripts configured to download additional malware. Some prominent threats that leveraged LNK files in 2022 include Emotet, Bumblebee, and other families of non-phishing malware like Raspberry Robin.
Windows Installer (MSI) files
When the stealer Zloader combined malvertising and SEO poisoning in 2022, its installer took the form of Windows Installer (MSI) files. MSI files are used to install and update legitimate software on Windows systems. They are also used by adversaries to install malicious binaries, run scripts, and elevate system privileges. Zloader’s malicious MSI files appeared to be installers for versions of legitimate software. Other threats have used MSI files in their intrusions in 2022, including Qbot and Raspberry Robin.
What’s old is new again: USBs
Continuing the theme of everything old being new again, a number of threats leveraged infected USB external drives for initial access in 2022. USBs containing malicious payloads that infect systems when plugged in have been an evergreen problem in information security for a number of reasons. As with any external device, security teams have less control and visibility into what they may have installed on them. One notable threat spread by USBs this year is Raspberry Robin. Many types of USB malware, such as worms, establish persistence that can continue for years. In 2022, Gamarue exemplified how pre-existing infections can be exploited by threat actors. FIN7 and other espionage groups also leveraged USBs in 2022.
Preventing container files from executing can be an effective way to avert damaging intrusions that attempt to evade MOTW controls. If your users do not have a business need to mount container files, we recommend taking steps to prevent Windows from auto-mounting container files. You can find additional mitigation guidance in the Techniques section of this report.
One way to mitigate the effects of SEO poisoning is to prevent the malicious files from being able to execute. For example, Gootloader uses JScript (.js) files. If your users do not have a need to execute .js files, associating .js files to open with notepad.exe instead of wscript.exe can prevent automatic execution of their malicious content.
There are several options to mitigate the threat USB devices can pose in your environment. The best option for your organization will vary based on your use cases and business needs. One option could be to use group policies to restrict who can read, write, and execute actions from USB devices. Other options for mitigating USB risks can be found on the Gamarue page.
Detect suspicious ISOs named using common phishing themes
It is common for phishing attacks to have a theme, especially financial or business themes using words like “invoice” or “contract.” There is no reason that a contract or invoice should be formatted as an ISO. This detection analytic helps identify an ISO saved to a suspicious location that includes words common to current phishing campaigns.
filemod_includes (.iso) && file_path_includes ('Users' || 'Downloads' || 'AppData') && filename_includes ('contract' || 'invoice' || 'document')
Identify malicious Windows Script Host commands attempting to load ZIP and JS files
Malicious scripts and malware are often compressed using ZIP files in order to evade security controls. Adversaries frequently use wscript.exe to execute the initial commands in this infection chain and to download other malware, run other malicious code, or create persistence via a registry key.
process == (wscript) && command_includes ('users' || 'temp') && command_includes ('.zip' || '.js') && has_external_netconn
cmd.exe executing a Windows shortcut (LNK) file
The following pseudo-detector looks for the execution of cmd.exe along with a command line containing .lnk and suspicious child processes. Adversaries have leveraged this behavior in malware and post-exploitation frameworks. Child processes should be investigated for malicious activity.
process == (cmd.exe) && command_includes (.lnk) && child_process == ('powershell' || 'cmd' || 'wmic' || 'mshta')
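The three pseudo-detectors above (themed ISO file modifications, wscript.exe loading ZIP or JS content with an external connection, and cmd.exe launching an LNK with a scripting child) translate directly into code. The following is an added example, not a Red Canary detector, that implements each one as a function over a flat telemetry event and runs them across a handful of constructed events; the event schema (type, path, process, cmdline, external_netconn, children) is assumed for the example rather than taken from any product.

```python
# Added example: the report's three pseudo-detectors as plain Python over
# constructed telemetry events. Field names are this example's assumed schema.

def _basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def iso_with_phishing_theme(ev):
    """filemod_includes (.iso) && file_path_includes ('Users'||'Downloads'||'AppData')
       && filename_includes ('contract'||'invoice'||'document')"""
    if ev.get("type") != "filemod":
        return False
    path = str(ev.get("path", "")).lower()      # Windows paths compare case-insensitively
    name = _basename(path)
    return (name.endswith(".iso")
            and any(seg in path for seg in ("users", "downloads", "appdata"))
            and any(word in name for word in ("contract", "invoice", "document")))


def wscript_zip_js_netconn(ev):
    """process == (wscript) && command_includes ('users'||'temp')
       && command_includes ('.zip'||'.js') && has_external_netconn"""
    if ev.get("type") != "process":
        return False
    proc = _basename(str(ev.get("process", ""))).lower()
    cmd = str(ev.get("cmdline", "")).lower()
    return (proc == "wscript.exe"
            and any(s in cmd for s in ("users", "temp"))
            and any(s in cmd for s in (".zip", ".js"))
            and bool(ev.get("external_netconn")))


def cmd_lnk_suspicious_child(ev):
    """process == (cmd.exe) && command_includes (.lnk)
       && child_process == ('powershell'||'cmd'||'wmic'||'mshta')"""
    if ev.get("type") != "process":
        return False
    proc = _basename(str(ev.get("process", ""))).lower()
    cmd = str(ev.get("cmdline", "")).lower()
    children = {_basename(str(c)).lower().split(".")[0] for c in ev.get("children", [])}
    return proc == "cmd.exe" and ".lnk" in cmd and bool(children & {"powershell", "cmd", "wmic", "mshta"})


DETECTORS = {
    "iso_phishing_theme": iso_with_phishing_theme,
    "wscript_zip_js_netconn": wscript_zip_js_netconn,
    "cmd_lnk_suspicious_child": cmd_lnk_suspicious_child,
}


def run_detectors(events):
    """Return (event_index, detector_name) pairs for every event a detector matches."""
    hits = []
    for i, ev in enumerate(events):
        for name, fn in DETECTORS.items():
            if fn(ev):
                hits.append((i, name))
    return hits


# Constructed sample telemetry; comments state which detector each line is meant to exercise.
SAMPLE_EVENTS = [
    {"type": "filemod", "path": r"C:\Users\alice\Downloads\invoice_4471.iso"},          # hit: themed ISO
    {"type": "filemod", "path": r"C:\Users\alice\Downloads\holiday_photos.iso"},        # miss: no theme word
    {"type": "filemod", "path": r"C:\ProgramData\tools\contract.iso"},                  # miss: path not in scope
    {"type": "process", "process": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\docs.zip\invoice.js"',
     "external_netconn": True},                                                          # hit: wscript + zip/js + netconn
    {"type": "process", "process": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\report.js",
     "external_netconn": False},                                                         # miss: no external connection
    {"type": "process", "process": "cmd.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\alice\Downloads\docs\invoice.lnk"',
     "children": ["powershell.exe"]},                                                    # hit: cmd + .lnk + powershell child
    {"type": "process", "process": "cmd.exe", "cmdline": "cmd.exe /c dir",
     "children": ["powershell.exe"]},                                                    # miss: no .lnk in command line
]

if __name__ == "__main__":
    for index, name in run_detectors(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
```

Each function keeps the same conjunction of conditions as its pseudo-detector, so a tuning change (say, adding "statement" to the theme words) is a one-line edit; the miss cases in the sample are there to show which single condition stops each of them from firing.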
Atomic Red Team boasts many different ways of emulating initial access activity across many different ATT&CK techniques. The following techniques are a good starting point for most security teams seeking to validate their detective controls: