The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
"spear phishing represents a serious threat for every industry"
How does this serious threat affect your organization? We’ve built a detailed analysis of how one adversary takes a very personal approach to the classic supply chain attack. It analyzes the attack end to end, using the Cyber Kill Chain® analysis framework, including a review of how a targeted email was delivered and weaponized.
Note: All names are fictional, and any resemblance to real people or companies is unintentional.
Reconnaissance – Profiling a Target
A nation-state adversary has been tasked with collecting intelligence relating to Project X developed by the Acme Corporation. Determining the target is simplified by social media platforms that encourage detailed profiles to assist in networking. Searching through public profiles helps the adversary identify a potential target – Elliott Schwartz, Project Manager for Acme’s critical Project X.
Further reconnaissance leads the adversary to discover that Elliott is working with a local real estate agent to buy a house. The information retrieved is simple to gather due to the specific details Elliott shares openly on social media. The adversary identifies that the real estate agent is a trusted third party and can be used as material to craft a convincing phishing email.
Delivery – Exploiting a Trusted Channel
The adversary compromises the real estate agent’s email account and identifies that she would often send market report documents to Elliott. The adversary reuses an old email and updates it with a new weaponized attachment.
Weaponization – Evading Detections
The adversary took an existing “Market Action Report” document previously created by the real estate agent and weaponized it with a malicious Visual Basic for Applications (VBA) macro.
The macro contained interesting code that reconstructed an obfuscated executable payload using the following steps:
- The executable’s header was constructed in a byte array. Obfuscating the payload header helped evade certain static analysis signatures.
- The main contents of the payload were stored at the end of the document. To allow the VBA macro to be reused, the payload size was stored as the first four bytes at the end of the document and retrieved before the payload itself.
- The remainder of the payload was then retrieved and stored in a new byte array.
- The executable header and payload were written to a file.
- The first-stage payload was executed, which downloaded a second-stage payload from a compromised domain acting as a command and control (C2) server.
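As an added example (not code from the original analysis), the following Python triage check looks for the document layout described above from a defender's side: data appended past the end of the legitimate container, with a length field in front of a payload whose executable header has been stripped. The exact blob layout (4-byte little-endian length followed by the payload) is an assumption, and the sample document is constructed inline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory signature
OLE_SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature

def container_end(data):
    """Offset where the legitimate document container ends, or None if unknown."""
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docx/.docm) is a ZIP; the last EOCD record marks the true end.
        pos = data.rfind(EOCD_SIG)
        if pos < 0 or pos + 22 > len(data):
            return None
        comment_len = struct.unpack_from("<H", data, pos + 20)[0]
        return pos + 22 + comment_len
    if data.startswith(OLE_SIG):
        # Legacy .doc: 512-byte header plus whole sectors (sector shift at offset 30).
        # Heuristic: anything past the last whole sector is appended data.
        sector = 1 << struct.unpack_from("<H", data, 30)[0]
        return len(data) - (len(data) - 512) % sector
    return None

def inspect_trailer(data):
    """Triage the bytes appended after the document container.

    Assumed blob layout: 4-byte little-endian length, then the payload body.
    """
    end = container_end(data)
    if end is None or len(data) <= end:
        return {"appended_bytes": 0, "declared_size": None,
                "size_field_matches": False, "has_mz_header": False}
    trailer = data[end:]
    declared = struct.unpack_from("<I", trailer, 0)[0] if len(trailer) >= 4 else None
    payload = trailer[4:]
    return {
        "appended_bytes": len(trailer),
        "declared_size": declared,
        "size_field_matches": declared == len(payload),
        # A header rebuilt by the macro at run time means no 'MZ' on disk.
        "has_mz_header": payload.startswith(b"MZ"),
    }

def build_sample(append_payload=True):
    """Constructed sample: a minimal OOXML-style ZIP, optionally with a blob appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    if not append_payload:
        return buf.getvalue()
    # Constructed stand-in for a header-stripped executable: zeroed header area
    # followed by a DOS stub string; no real code is embedded.
    body = b"\x00" * 64 + b"This program cannot be run in DOS mode"
    return buf.getvalue() + struct.pack("<I", len(body)) + body
```

A length field that exactly matches the overhang, combined with a missing MZ signature, is the footprint of a macro that rebuilds the header itself; a clean document yields no appended bytes at all.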
What We Learn from Analyzing Spear Phishing Attack Patterns and Techniques
- High-value targets justify higher effort.
- Trusted channels are used as attack vectors because they can enable adversaries to bypass both technical defenses (Intrusion Detection System [IDS]/Intrusion Prevention System [IPS]/email filtering), as well as non-technical, cognitive defenses (user situational awareness).
- Creative use of old technology: malicious macros have been around since the late 90s, and adversaries are still coming up with new techniques to bypass defenses.
- Use of compromised assets: compromised, legitimate assets were used from delivery to C2.
Guide to Defending against Targeted Spear Phishing Attacks
Apply kill chain analysis to attacks – identify root security issues, and map to security controls.
The chart below is an example of kill chain analysis for this spear phishing attack:
No organization is immune – performing such analysis helps defenders recognize gaps and plan investments accordingly. Every organization should have a well-defined and implemented analysis framework to enable their defenders to counter spear phishing and other campaigns effectively.
Watch the on-demand webcast for the full spear phishing attack end-to-end analysis.