On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique—tracking pixels—and how it can inform more restrictive and evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in the wild: Macro Stomping. And we close the show with Matt Bromiley (@_bromiley) coming in to discuss the critical vulnerability we've been responding to most in 2020 and what we've seen several attackers do post-compromise.
Just as a targeted intruder might, we start our operation with email tracking pixels. We break down how these legitimate marketing tools are leveraged by attackers looking to learn more about their planned victim's behavior and system—prior to sending any first stage malware. We break down the different variations on these trackers for both benign and malicious uses. For examples of each style of tracking pixel, see Glyer's recent tweet thread. We also talk through red team operators' responses on how they use this technique in their campaigns today, a discussion sparked by this great offensive security discussion on Twitter. This trend of professional target profiling—drawing both inspiration and specific tracking tools from the marketing industry—is highly effective and a trend we expect to continue.
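For defenders who want to see what the trackers discussed above look like in a mailbox, here is an added example (not code from the episode, FireEye, or the show) that scans an HTML message body for images that behave like tracking pixels: remote images that are tiny, hidden by CSS, or whose URL carries a long opaque per-recipient token. The heuristics, the sample message, and every hostname in it are constructed for illustration and are not from the episode.

```python
"""Flag likely email tracking pixels in an HTML message body.

Added illustration for the tracking-pixel discussion; not FireEye's code.
The heuristics below are assumptions: a remote <img> that is 1x1 / 0x0,
hidden by inline style, or that carries a long opaque token (a likely
per-recipient identifier) in its path or query string.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Opaque identifier: 20+ URL-safe chars containing both letters and digits.
TOKEN_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9_-]{20,}$")
# "width:0", "height:0px" etc. inside a style attribute (spaces stripped first).
ZERO_DIM_RE = re.compile(r"(?:width|height):0(?:px)?(?:;|$)")


class _ImgCollector(HTMLParser):
    """Collect the attribute dictionaries of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """'1', '1px', '600' -> int; missing or unparsable -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _hidden_style(style):
    s = (style or "").replace(" ", "").lower()
    return ("display:none" in s or "visibility:hidden" in s
            or ZERO_DIM_RE.search(s) is not None)


def _opaque_tokens(url):
    """Path segments (extension stripped) and query values that look like IDs."""
    found = [seg.rsplit(".", 1)[0] for seg in url.path.split("/")]
    found += [v for vals in parse_qs(url.query).values() for v in vals]
    return [t for t in found if TOKEN_RE.match(t)]


def classify_images(html):
    """Return a finding per suspicious remote image, in document order."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images cannot phone home on open
        reasons = []
        w, h = _dimension(img.get("width")), _dimension(img.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny dimensions")
        if _hidden_style(img.get("style")):
            reasons.append("hidden by style")
        if _opaque_tokens(url):
            reasons.append("opaque per-recipient token in URL")
        if reasons:
            findings.append({"host": url.hostname, "src": src, "reasons": reasons})
    return findings


def tracker_hosts(html):
    """Sorted, de-duplicated hosts of suspected trackers (handy for blocklists)."""
    return sorted({f["host"] for f in classify_images(html)})


# Constructed sample message: one legitimate banner, one inline logo,
# and two trackers. All hostnames are invented (.test TLD).
SAMPLE_EMAIL = """<html><body>
<p>Quarterly update</p>
<img src="https://cdn.example-corp.test/newsletter-images/banner.png" width="600" height="200">
<img src="https://t.mailtrack.test/o/9f3c2a7e4b1d4c8e9a0f11223344aabb.gif" width="1" height="1">
<img src="cid:inline-logo" width="1" height="1">
<img src="https://pixel.example.test/open?u=rcpt_0a1b2c3d4e5f6a7b8c9d&c=q1" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for finding in classify_images(SAMPLE_EMAIL):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

Run against the constructed sample, the banner and the inline `cid:` image pass, while the two remote images are flagged: the first for its 1x1 size plus a 32-character opaque filename, the second for `display:none` plus a token in its `u=` parameter. The host list is the piece most teams actually act on, either by blocking remote image loads for those domains at the gateway or by correlating later first-stage lures against the recipients whose trackers fired.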
Next on the episode, we explain how document profiling accomplishes the same end goal as email pixels and how it can share information about the current version of Microsoft Office on the potential victim's system. Similar to execution guardrails, this Office version information for Microsoft Word or Excel could be used to deliver malware that is highly evasive and only runs on that profile.
We also pivot into some potential use cases for fingerprinting Office versions. We discuss VBA macro stomping and file format intricacies that require attackers to understand the version of Office a target may be using in order to create evasive spear phishing lures that may bypass both static and dynamic detections. Rick Cole joins us to talk through an active attacker using macro stomping for evasion, both p-code compiling and PROJECT stream manipulation. Rick walks through a brief overview of the technique and a particular financial threat actor who loves macro stomping as much as they love Onyx. Rick co-authored a blog post on the topic and has an excellent tweet thread with related research.
Finally, we're joined by a surprise second guest! Matt Bromiley drops in to discuss FireEye's efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, that went public on January 10, 2020. Matt helps us break down some of the activity we've seen since then, including distinct uncategorized clusters of activity for NOTROBIN, coin-mining, and attempted ETERNALBLUE-laced ransomware.
In addition to securing his customers in FireEye Managed Defense, Matt's been working with the team to release several blog posts, defender tips, and tools on the vulnerability:
- Matt and Nick published an initial blog post on the topic detailing exploit timelines, evasive attackers, and resilient approaches to detection.
- Our colleagues Willi Ballenthin and Josh Madeley followed up by unveiling NOTROBIN and shedding light on exploit “squatter's rights” in the blog post with the title adored by Reddit's netsec sub.
- Matt and Glyer wrote about that time an exploit was actually bundled with ransomware and ETERNALBLUE—in 2020!
- All of us worked with Mandiant consultants and Citrix to release the CVE-2019-19781 compromise host-based scanner and a detailed blog post on how it was built and how it works.
We're hoping for defenders' sake that the pace of intrusion activity slows for the rest of 2020, but we've got you covered and will keep you up-to-date no matter which way this goes!
State of the Hack® is FireEye's monthly broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions. If you want to experience the magic, you can watch all State of the Hack episodes now. All shows are also available as audio-only podcast episodes.