# Incident Report: Near Two-Month Intrusion via Malicious Document Delivery
## Executive Summary
A sophisticated intrusion campaign, attributed to the threat actor group Lunar Spider, commenced via a single user click on a malicious JavaScript file disguised as a tax form. This initial compromise rapidly led to the deployment of multiple malware families, including Brute Ratel, Latrodectus, and Cobalt Strike, over a nearly two-month persistence period. The attackers successfully harvested credentials from various sources and exfiltrated data, indicating a significant compromise of sensitive information and network operations.
## Incident Details
- Discovery Date: Not explicitly stated (DFIR report published Feb 2025, case featured in Sept 2025 Challenge). The intrusion persisted for nearly two months.
- Incident Date: Unknown start date prior to February 2025 (when threat brief was originally issued).
- Affected Organization: Not disclosed.
- Sector: Unknown.
- Geography: Unknown.
## Timeline of Events
### Initial Access
- Date/Time: Initial click time unknown, occurred prior to late February 2025.
- Vector: Phishing/Malware delivery via a JavaScript file disguised as a tax form.
- Details: The user clicked the JavaScript file, which initiated the download and execution of Brute Ratel C4 via a malicious MSI installer.
### Execution & Persistence
- **Execution:** Brute Ratel C4 was executed, followed by the deployment of additional malware including Latrodectus, Cobalt Strike, BackConnect, and a custom .NET backdoor.
- **Persistence:** The threat actor maintained command and control (C2) and presence for almost two months, using intermittent connections for further operations. Persistence mechanisms involved Registry Run Keys/Startup Folder modifications and Scheduled Tasks.
### Lateral Movement
- **Lateral Movement:** Attackers utilized WMI (Windows Management Instrumentation) and Remote Desktop Protocol (RDP) for initial discovery and movement across the network.
### Data Exfiltration/Impact
- **Data Exfiltration:** Approximately twenty days into the intrusion, data was exfiltrated from the environment using Rclone and FTP.
- **Credential Harvesting:** Attackers harvested credentials from LSASS memory, backup software, browsers, and a Windows Answer file used for automated provisioning.
### Detection & Response
- **Detection:** The article implies detection occurred sometime around February 2025, leading to the creation of a Threat Brief for customers. The full scope was later featured in a September 2025 DFIR Challenge.
- **Response Actions:** Containment, eradication, and recovery steps are detailed in the Response Actions section below, based on the identified attacker TTPs.
## Attack Methodology
- **Initial Access:** Drive-by Compromise (T1189) via a malicious JavaScript file delivered with an apparent social engineering lure (tax form). Execution relied on the user opening the file, which ran an MSI installer to deploy Brute Ratel C4 (T1204.002).
- **Persistence:** Registry Run Keys/Startup Folder (T1547.001) and Scheduled Task creation (T1053.005).
- **Privilege Escalation:** Bypass User Account Control (T1548.002) was utilized.
- **Defense Evasion:** Masquerading (T1036) and the use of Junk Code Insertion (T1027.016) suggest efforts to avoid security tooling.
- **Credential Access:** LSASS Memory dumping (T1003.001), stealing Credentials from Web Browsers (T1555.003), and accessing Credentials In Files (T1552.001), specifically from backup software and Windows Answer files.
- **Discovery:** Attacker performed Network Service Discovery (T1046), Remote System Discovery (T1018), System Information Discovery (T1082), File and Directory Discovery (T1083), and Domain/Account Discovery (T1078.002, T1087.002).
- **Lateral Movement:** Remote Desktop Protocol (T1021.001) and likely SMB/Windows Admin Shares (T1021.002) were used, alongside advanced techniques like Access Token Manipulation (T1134).
- **Collection:** Data was compressed/archived using utility-based methods (T1560.001).
- **Exfiltration:** Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003) using Rclone and FTP.
- **Impact:** File Deletion (T1070.004) was observed.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Sensitive organizational data was exfiltrated over a period of time using Rclone and FTP; access to that data was enabled by harvested credentials, potentially including those recovered from configuration files (Windows Answer File).
- **Operational:** The near two-month duration suggests sustained disruption to standard operations due to active attacker presence, discovery, and C2 callbacks.
- **Reputational:** Not disclosed, but a multi-stage, long-duration intrusion carries significant reputational risk.
## Indicators of Compromise
- **Network Indicators (Defanged):** C2 communications using the Cobalt Strike and Brute Ratel frameworks. Exfiltration occurred over FTP, with Rclone used as the transfer tool.
- **File Indicators:** Executables/payloads for Brute Ratel C4, Latrodectus, Cobalt Strike, BackConnect, and a custom .NET backdoor.
- **Behavioral Indicators:** Execution via MSI installer following user interaction with a JS file; LSASS memory access; persistence achieved via WMI/Registry/Scheduled Tasks; use of Rclone for egress.
## Response Actions
- **Containment:** Implied actions were blocking C2 pathways and isolating affected hosts where malware was identified (Brute Ratel, Latrodectus, Cobalt Strike).
- **Eradication:** Removal of all identified malware components (Brute Ratel, Latrodectus, Cobalt Strike, custom backdoor). Invalidation and forced reset of all harvested credentials, especially domain and service accounts.
- **Recovery:** Rebuilding systems where significant compromise occurred (especially systems running automated provisioning via Answer files). Patching initial access vectors.
## Lessons Learned
- **Effective Social Engineering:** A simple lure (tax form) combined with multi-stage execution (JS to MSI to Brute Ratel) successfully bypassed initial defenses.
- **Tool Diversity:** The sustained intrusion relied on a diverse toolset (Brute Ratel, Latrodectus, Cobalt Strike, custom backdoor), complicating complete eradication.
- **Credential Hygiene:** Harvesting credentials from LSASS, backup software, and configuration files (Windows Answer File) confirms weak internal credential protection practices.
- **Detection Gaps:** The nearly two-month duration indicates that threat activity (C2, discovery, movement) was not effectively detected in real time until a comprehensive DFIR analysis was performed (or the activity became overtly loud).
## Recommendations
- Implement robust endpoint detection and response (EDR) capable of detecting MSI execution post-script download and monitoring for reflective loading associated with malware like Brute Ratel.
- Review and harden password storage practices; investigate credential protection mechanisms for LSASS and ensure backup software endpoints are not exposing credentials.
- Implement proactive credential rotation policies, especially for accounts that might have been provisioned using Windows Answer Files.
- Enforce strict PowerShell/WMI logging and monitoring to detect T1059.001 and T1047 usage indicative of lateral movement.
- Implement network segmentation to limit the scope of lateral movement initiated via RDP or SMB/WMI after initial compromise.
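The credential-hygiene recommendations above single out Windows Answer files as a credential source; as an added example (not code from the DFIR Report or from the intrusion), the scanner below walks an unattend.xml and reports every password element that actually carries a value, classifying it as clear text or reversible base64 without exposing the secret. The sample answer file, the account names and the `unattend_encode` helper are constructed for this illustration.

```python
# Added example (not from the DFIR report): flag credentials embedded in a
# Windows Answer file (unattend.xml). Passwords there are either clear text
# (<PlainText>true</PlainText>) or base64 of the UTF-16LE password with the
# element name appended ("Password"/"AdministratorPassword"): encoding, not
# encryption. Findings name the account and storage form, never the secret.
import base64
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

def unattend_encode(secret, tag):  # unattend.xml base64 form; only for sample input
    return base64.b64encode((secret + tag).encode("utf-16-le")).decode()

# Constructed sample: one obfuscated local-account password, one clear-text
# autologon password, and an empty <Value> that must not be reported.
SAMPLE_UNATTEND = f"""<?xml version="1.0"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
  <UserAccounts><LocalAccounts><LocalAccount><Name>svc_deploy</Name>
   <Password><Value>{unattend_encode("P@ssw0rd", "Password")}</Value>
    <PlainText>false</PlainText></Password></LocalAccount></LocalAccounts>
   <AdministratorPassword><Value></Value><PlainText>true</PlainText>
   </AdministratorPassword></UserAccounts>
  <AutoLogon><Username>Administrator</Username>
   <Password><Value>Winter2025!</Value><PlainText>true</PlainText></Password>
  </AutoLogon>
 </component></settings>
</unattend>"""

def find_credentials(xml_text: str) -> list:
    """One finding per *Password element with a non-empty <Value>."""
    root = ET.fromstring(xml_text)
    parents = {c: p for p in root.iter() for c in p}
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]
        value = (el.findtext("u:Value", "", namespaces=NS) or "").strip()
        if not tag.endswith("Password") or not value:
            continue  # not a password element, or an empty placeholder
        if (el.findtext("u:PlainText", "", namespaces=NS) or "").strip().lower() == "true":
            storage = "plaintext"
        else:
            try:  # confirm the documented layout without exposing the secret
                ok = base64.b64decode(value).decode("utf-16-le").endswith(tag)
            except (ValueError, UnicodeDecodeError):
                ok = False
            storage = "base64-utf16 (reversible)" if ok else "base64 (unrecognised)"
        owner = parents.get(el)
        names = [owner.findtext(t, namespaces=NS) for t in ("u:Name", "u:Username")] if owner is not None else []
        account = next((n for n in names if n), tag)
        findings.append({"account": account.strip(), "storage": storage, "element": tag})
    return findings
```

Run it against the unattend.xml files found under `C:\Windows\Panther`, `C:\Windows\System32\Sysprep` or a deployment share; any finding is a credential to rotate, and the base64 form should never be mistaken for protection.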