TTP Tuesday: APT38 Pharmaceuticals

2022-06-30, Prelude
https://feed.prelude.org/p/apt38-pharmaceutical-attacks
#APT38 #Pharmaceuticals

Contents

TTP Tuesday: APT38 Pharmaceuticals
Subverting Mark-of-the-Web trust controls
Theme Overview
In our previous APT38 release, we looked at CryptoSpy initial access via supply chain compromise. This week we're looking at APT38 spear phishing that used trust control subversion techniques against pharmaceutical companies in 2020. In particular, this chain creates an ISO file to subvert Mark of the Web trust controls. When the ISO payload is executed, a queued technique is sent to it using the same method as last week's chain.
Mark-of-the-Web (MOTW)
Mark of the Web (MOTW) is a security feature in Microsoft Windows that uses an NTFS alternate data stream (ADS) to store a file's ZoneId, a record of where the file originated. When a file is downloaded, browsers (and many other applications) write the ZoneId into that ADS to indicate the file's origin.
The ZoneId indicates one of the following trust zones:
- Local Machine Zone
- Local Intranet Zone
- Trusted Sites Zone
- Internet Zone
- Restricted Sites …
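The following is an added example, not code from the Prelude post: it parses the INI-style text that browsers store in a file's Zone.Identifier ADS, maps the ZoneId to the zone names listed above, and tags Internet-zone container files (such as the ISO used in this chain) for review. The sample stream text and the container-extension list are constructed assumptions; only read_motw touches a real file and it only works on an NTFS volume.

```python
# Added example (not from the Prelude post): parse Mark-of-the-Web Zone.Identifier
# data and triage downloads so Internet-zone container files such as ISOs get a look.
import configparser
import os
from typing import Optional

# ZoneId values of the URL security zones recorded in the Zone.Identifier stream.
ZONES = {0: "Local Machine Zone", 1: "Local Intranet Zone", 2: "Trusted Sites Zone",
         3: "Internet Zone", 4: "Restricted Sites Zone"}
# Assumed list of container formats whose inner files may be opened without the
# outer file's mark; the post describes an ISO used to get past MOTW controls.
CONTAINER_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}


def parse_zone_identifier(stream_text: str) -> Optional[dict]:
    """Parse the [ZoneTransfer] section written into the ADS.
    Returns None when there is no ZoneId, i.e. no usable mark."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as the browser wrote it
    parser.read_string(stream_text.replace("\r\n", "\n"))
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    zone_id = int(parser.get("ZoneTransfer", "ZoneId"))
    return {"zone_id": zone_id,
            "zone": ZONES.get(zone_id, f"Unknown zone {zone_id}"),
            "referrer": parser.get("ZoneTransfer", "ReferrerUrl", fallback=None),
            "host": parser.get("ZoneTransfer", "HostUrl", fallback=None)}


def read_motw(path: str) -> Optional[dict]:
    """Read a file's Zone.Identifier ADS on an NTFS volume (Windows only)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None  # no stream: never marked, or the mark was stripped


def triage(filename: str, motw: Optional[dict]) -> str:
    """Classify a download: Internet/Restricted-zone containers get a review tag,
    since files inside a mounted image may be opened without the outer mark."""
    ext = os.path.splitext(filename)[1].lower()
    if motw is None:
        return "unmarked"
    if motw["zone_id"] >= 3 and ext in CONTAINER_EXTENSIONS:
        return "review: internet-zone container"
    return motw["zone"]


# Constructed sample stream in the format Chromium-based browsers write.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/invoice.iso\r\n")
```

Run `triage(os.path.basename(p), read_motw(p))` over a downloads folder to list which marked container files arrived from the Internet zone.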