Threat Research, August 5, 2019

Catching lateral movement in internal emails

Blog 4 of a 5-part series on advanced research into modern phishing attacks

Tomislav Peričin, Chief Software Architect & Co-Founder at ReversingLabs

Email-based attacks are the most prominent threat vector that organizations see today. Like any other form of communication, emails get exploited to become carriers for a wide variety of attacks. Securing email nowadays means worrying about malicious attachments, links leading to malware, links leading to phishing sites, and business email compromise attacks.

Due to their nature, those attacks are commonly perceived as threats external to the organization. However, when the organization is already compromised, internal emails can become a tool used by the attacker to move laterally through the organization. In some cases, they are the stealthiest choice, as some organizations only perform security checks against incoming emails.

The following analysis is a reconstruction of an attack on a manufacturing company with ties to aerospace and defense industries.

Yosi and Idan both work for a compromised manufacturing company. Yosi, a mechanical engineer, is sending an email to Idan. He is notifying his colleague about changes to their helpdesk software. The email contains a short message about the documentation that he’s attached.

[Figure: Screenshot of a Hebrew-language email in Mozilla Thunderbird, impersonating IT support to deliver a "SysAid" update. It includes an attachment named "SysAid-Documentation.rar" and claims to come from a SysAid team leader.]

When run through an automated language translation service, the message reads something like this.

[Figure: Email in Mozilla Thunderbird with the subject "SysAid update request", containing a message about receiving an update from the SysAid administrator. The sender offers to send related data and attaches a file named "SysAid-Documentation.rar".]

Sounds quite convincing. Since Idan trusts his coworker Yosi, he feels comfortable opening the attachment. There’s no reason for Idan to suspect that Yosi isn’t the one sending him the email. The email is sent from Yosi’s email address; it has the same reply-to address. Even if Idan put in the extra effort to inspect the email headers, all he would see is that the email was routed through the internal mail server.

However, that attachment is not a RAR archive despite its file extension. In reality, it is an ACE archive - a format that WinRAR knows how to open. Within WinRAR, the ACE format support is provided by a freeware library made by the WinACE authors.

That library has recently been found to be affected by a path traversal vulnerability - an issue that allows an attacker to place a file in an arbitrary folder on the system. This vulnerability can be used to place an executable file in just the right place for it to launch the next time the machine powers up. That is exactly what the attachment is trying to do.

ReversingLabs A1000 visualizes the email headers and allows analysts to browse email contents. Email attachments - when they are archives - are extracted and displayed in a view similar to that of an archive manager. The image below shows the contents of the ACE archive Yosi sent to Idan.

[Figure: Analysis results for SysAid-Documentation.rar showing 11 files, mostly PDFs and text files mimicking documentation. A file named "Thumbs.db.lnk" is flagged as Win32.Trojan.Wzerab, indicating a hidden malware payload disguised within a shortcut file.]

The documentation that Yosi promised to Idan is certainly there. There’s lots of it, and it is used to cover the fact that Yosi is not who he claims to be. The first folder in the list of files is an indication that the attached ACE archive is exploiting the path traversal vulnerability - assigned CVE-2018-20250.

Following the folder path all the way down, it is easy to see where the executable file shown below is going to be extracted.

[Figure: Malware analysis showing a file named "ekrnview.exe" classified as Win64.Trojan.Agent, located in the Windows Startup folder for user "idans". File type: PE executable, size 96.5 KB.]

Not only is the executable installed to the startup location, but it is also clear that this attack is a highly personalized one. The path traversal only works because the absolute paths are hardcoded to point to the user-specific startup folder. That makes the attack viable only for the machine of the intended email recipient, Idan.
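One way to catch an attachment like this before it reaches the recipient is to ignore the file extension, identify the container from its magic bytes, and inspect the ACE entry names for absolute paths, traversal components or a Startup folder. The block below is an added illustration, not ReversingLabs code; the ACE header offsets follow the public format description, and the archive bytes are constructed here (the CRC16 fields are left zeroed and not validated), not taken from the real attachment.

```python
import struct

ACE_MAGIC = b"**ACE**"  # sits at offset 7 of every ACE archive
RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR 4.x and 5.x signatures

def sniff_container(data):
    """Identify the real archive format from magic bytes, ignoring the file extension."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "ace" if data[7:14] == ACE_MAGIC else "unknown"

def ace_entry_names(data):
    """Walk ACE headers (CRC16, size, body) and collect the stored entry names."""
    names, pos = [], 0
    while pos + 4 <= len(data):
        hdr_size = struct.unpack_from("<H", data, pos + 2)[0]
        body = data[pos + 4:pos + 4 + hdr_size]
        if hdr_size == 0 or len(body) < hdr_size:
            break
        pos += 4 + hdr_size
        if body[0] == 1:  # file header: packed size at 3, name length at 29, name at 31
            packed = struct.unpack_from("<I", body, 3)[0]
            name_len = struct.unpack_from("<H", body, 29)[0]
            names.append(body[31:31 + name_len].decode("latin-1"))
            pos += packed  # the packed file data follows its header
    return names

def suspicious_paths(names):
    """Flag entry names that escape the extraction directory or target a Startup folder."""
    flagged = []
    for name in names:
        segs = name.replace("\\", "/").split("/")
        checks = [(segs[0] == "" or segs[0].endswith(":"), "absolute path"),
                  (".." in segs, "traversal"),
                  ("startup" in (s.lower() for s in segs), "startup folder")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            flagged.append((name, reasons))
    return flagged

# Constructed sample (not the real attachment): a benign entry plus one whose absolute name hits the per-user Startup folder.
def _entry(name, payload):
    n = name.encode("latin-1")
    body = (b"\x01" + struct.pack("<HII", 1, len(payload), len(payload))
            + b"\x00" * 18 + struct.pack("<H", len(n)) + n)
    return struct.pack("<HH", 0, len(body)) + body + payload

MAIN_HDR = struct.pack("<HH", 0, 26) + b"\x00\x00\x00" + ACE_MAGIC + b"\x0a\x0a\x00\x00" + b"\x00" * 12
STARTUP_PATH = r"C:\Users\idans\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ekrnview.exe"
SAMPLE_ACE = MAIN_HDR + _entry("docs/readme.txt", b"hello") + _entry(STARTUP_PATH, b"MZ")
```

Running `suspicious_paths(ace_entry_names(SAMPLE_ACE))` on a file named `.rar` that `sniff_container` reports as `ace` is the combination an email gateway would treat as a mismatch worth blocking.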

At this point, it is clear that the attacker has compromised the organization, that Yosi's credentials are in the attacker's hands, that the reconnaissance phase of the attack has been completed, and that the attacker is interested in moving laterally through the organization. It is more than likely that the next target, Idan, has access or information that the attacker is ultimately after.

The malicious executable the attacker expects to have successfully planted on Idan’s machine reveals more about the who and the why.

[Figure: Threat analysis report for "ekrnview.exe", flagged as Win64.Trojan.Agent. The PE+ executable has x64 architecture, retrieves host and IP information, modifies the registry, downloads files, and communicates via HTTP. It has a 96.5 KB file size and was seen as early as March 7, 2019. 22 out of 29 antivirus engines detect it as malicious.]

While "Agent" is not a particularly interesting or indicative threat name produced by our system, it is a starting point. It means that the threat itself isn't particularly unique, and that it shares at least some commonality with previously discovered trojans. This is where functional code similarity can help. There is exactly one more file in the ReversingLabs cloud system similar to the one we're looking at.

[Figure: Cloud analysis of a variant executable detected as Win64.Trojan.Risingsun. File hash ends in "563ec5", with a 65% detection rate (28/43 AV engines). The file was first seen in April 2019 and flagged by Bitdefender, ESET, Kaspersky, McAfee, and others. The behavior pattern shows increasing detection over time.]

That file has been classified as the RisingSun Trojan by McAfee. The report that McAfee's Advanced Threat Research team published on Operation Sharpshooter describes what we've seen so far perfectly - an advanced attacker targeting the defense sector.

The suspicion that the attacks are connected is further supported by URLs extracted from the relevant executable. They seem to follow the same pattern as described in McAfee’s report.

[Figure: List of four suspicious HTTP endpoints likely used for data exfiltration or command-and-control; the URLs are reproduced in the IOC section below.]

A look at the executable hex dump also reveals a few striking similarities between the attacks.

[Figure: Hexadecimal view of the malware binary showing embedded strings referencing SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion, indicating registry access, and POST request data including the parameters verify_sessionname, key, page, and session_data, used for HTTP-based data exfiltration.]

The email Yosi sent to Idan may very well be an indication of new activity for this APT actor. While the infection techniques seem to have evolved since McAfee published their report in December 2018, the methods of operation remained similar. The list of targets the actor is interested in has apparently been expanded to a new region as well - Israel.

Scouring the web for additional information based on what has been discovered at this point reveals one more report, published by the FireEye Threat Research team. It analyzes this same email, so it is recommended to read their report as a follow-up to our discussion here.

Email is an important threat-carrying vector. Securing an organization's email infrastructure mandates checking all emails received by the organization, whether they are coming from the outside or from within. The ReversingLabs Titanium platform enables such deep inspection with its elastic file processing capabilities. With our platform, the possibility of checking every email message the organization sees becomes the norm. Deploying such a capability within an organization could make the difference between catching the lateral email movement and missing it altogether.

IOC:

MIME - 5b5d7d74db59c520b72be1e328563a1ee864e8931a0ae7487d753ee3e166de1c

URL:
http://www[.]alahbabgroup[.]com/bakala/verify.php
http://www[.]khuyay[.]org/odin_backup/public/loggoff.php
http://103[.]225[.]168[.]159/admin/verify.php
http://47[.]91[.]56[.]21/verify.php

Read our prior blog in the series on Ransomware in exotic email attachments.

