Phishing Emails Masquerading as Money Transfer Confirmations
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are sending phishing emails disguised as payment confirmation messages to deliver malicious XLS attachments. These files abuse CVE-2017-0199 to retrieve an HTA file, which then launches an obfuscated PowerShell script through WMI. In the final stage, Remcos RAT is downloaded and executed through steganographic techniques to enable remote access and data theft.
Investigation
AhnLab Security Intelligence Center (ASEC) identified a campaign that impersonated employees of Korean companies. The investigation followed the full infection chain, starting with the XLS lure, moving through HTA execution and WMI-driven PowerShell obfuscation, and ending with deployment of Remcos RAT through payloads hidden with steganography.
Mitigation
Users should carefully verify sender domains and inspect links and attachments before opening them. Organizations should apply patches for known issues such as CVE-2017-0199 and monitor for suspicious file extensions or unauthorized WMI-based process creation. Security controls should also be configured to block unauthorized HTA or PowerShell execution launched from Office applications.
Response
If this activity is detected, isolate the affected host immediately to stop further command-and-control communication from Remcos RAT. Conduct forensic analysis to determine the scope of any data theft and review email logs to identify additional potential victims. Credentials should also be reset for any users involved in the original phishing interaction.
Attack Flow
Detections
Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)
View
Suspicious Powershell Strings (via powershell)
View
Call Suspicious .NET Methods from Powershell (via powershell)
View
Suspicious File Download Direct IP (via proxy)
View
Possible Cloudflare Development Domain Abuse (via dns)
View
Possible Dynamic DNS Service Was Contacted (via dns)
View
Execution of Obfuscated PowerShell Script [Windows Powershell]
View
Execution of Obfuscated PowerShell via Win32_Process.Create() Using WMI [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary aims to execute an obfuscated PowerShell command to download a payload, using WMI to hide the execution lineage. Instead of running
powershell.exedirectly from a shell, the attacker uses a WMI provider to call theWin32_Process.Create()method. This causes theWmiPrvSE.exeprocess to act as the parent, making the execution appear as a legitimate system management task. The command string is specifically crafted to include the targeted method name to ensure we test the rule’s ability to see the WMI method call in the telemetry. -
Regression Test Script:
# Simulation script to trigger the WMI-based process creation detection # This uses PowerShell to call the WMI method that the rule is looking for. $command = "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command 'Write-Output AttackSuccess'" $wmi = [wmiclass]"Win32_Process" Write-Host "[*] Attempting to trigger detection via Win32_Process.Create()..." # Calling the method directly via WMI $result = $wmi.Create($command, $null, $null) if ($result.ReturnValue -eq 0) { Write-Host "[+] Success: Process created. Check SIEM for Event ID 10 containing 'Win32_Process.Create()'." -ForegroundColor Green } else { Write-Host "[-] Failure: WMI method call failed. Return Value: $($result.ReturnValue)" -ForegroundColor Red } -
Cleanup Commands:
# Cleanup: Terminate any suspicious PowerShell processes spawned during the test Get-Process powershell | Where-Object { $_.CommandLine -like "*AttackSuccess*" } | Stop-Process -Force Write-Host "[*] Cleanup complete."