Discover more from f33d by Prelude
TTP Tuesday: APT38 Pharmaceuticals
Subverting Mark-of-the-Web trust controls
In our previous APT38 release, we looked at CryptoSpy initial access via supply chain compromise. This week we're looking at APT38 spear phishing that used trust control subversion techniques against pharmaceutical companies in 2020. In particular, this chain creates an ISO file to subvert Mark of the Web trust controls. When the ISO payload is executed, a queued technique is sent to it using the same method as last week's chain.
Mark of the Web (MOTW) is a security feature in Microsoft Windows that uses a file's alternate data stream (ADS) to store the file's ZoneId, information about where the file originates. When downloading a file, browsers (and many other applications) append the ADS ZoneId to the file to indicate the origin.
The ZoneId indicates one of the following trust zones:
- Local Machine Zone
- Local Intranet Zone
- Trusted Sites Zone
- Internet Zone
- Restricted Sites Zone
Depending on properties of the ZoneId, such as when the file originates from the Internet zone, execution of the file may be blocked.
In 2016 Microsoft Office introduced macro blocking using MOTW. Unfortunately, this Office feature was not enabled by default.
Macros are dead (long live macros)
In February 2022, Microsoft took a huge step toward securing Office users by blocking Internet macros by default in Office. The basic premise is to block by default any file originating from an untrusted zone as identified by MOTW.
Unfortunately, there are some tricks to prevent MOTW from propagating to files under specific circumstances, and for this week's chain we're going to exploit that!
In 2020, Outflank demonstrated that the MOTW flag is not propagated in some container file formats such as ISO. While the container file itself will have MOTW when downloaded the files contained within do not. This technique is used in phishing and other social engineering attacks where a user is tricked into mounting the ISO and executing the contents. In the case of macros originating from the Internet, Office treats them as local files and executes them as expected.
We're using this tool to build our ISO image, that will contain a decoy PDF for an awesome (no, seriously - very cool) job offer and an application to view the PDF. This technique was observed in APT38 when targeting the pharmaceuticals industry in 2020. They used the same pretext, and even followed up with subsequent job postings to keep the pretext alive.
Using the PackMyPaylod TTPs as templates, you'll be able to build your own containers for MOTW evasion. We're looking forward to seeing what you come up with!
Check it out on the Prelude chains website.
Watch a demonstration:
Staying up to date
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Get our products
Join our community
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg