Before you read part 2, please read part one here.
To the attacker's surprise, the CEO has very little online presence. From the website's "About Us" page, he took note of the management team and decided to go through the head of HR. For this story we will call her Mrs Lucy.
There are many approaches to compromising Mrs Lucy's accounts using a RAT (Remote Access Tool). Let us examine two of them:
On Facebook, he notices that Mrs Lucy has a low online presence but has been tagged in multiple posts by a lady he later found out to be her daughter. He engages her in a chat; they become pen pals, and as the weeks go by they plan to meet. After a few meetings, she invites him home. He immediately connects a RAT (Remote Access Tool) to the home network. He could easily compromise her daughter's laptop by installing a keystroke logger.
Searching the network, the attacker discovers that Mrs Lucy does not take work home, and hence he has to turn to plan B. He waits for her to go on break and then strikes at his chance.
He spoofs an antivirus company and cold-calls the company's receptionist in an attempt to sell or upgrade the company's antivirus (this technique is called vishing). She unknowingly divulges the type and version of antivirus they are currently using. With this information, he redesigns a RAT. To avoid being detected by the antivirus, he changes the debug string. This changes the hash value, so it can no longer be detected by any antivirus. This is like changing the licence plate of a car: it is still the same car, but it becomes harder for the police to detect or track it.
Please note: even when it is uploaded to www.virustotal.com, it is not detected, because the hash it has been programmed to detect as a signature has been changed.
He goes to the receptionist's social media and gets a list of the fun things she loves to do, her favourite books and her favourite colours. On a Friday, he sets off to the office with two chocolate bars, hair all curled up, brown pants, a hat to avoid CCTV cameras, and a RAT embedded in his CV, which is in his email and on a pen drive.
On his arrival at the office, he sat down in the visitors' lounge and tried to connect to the Wi-Fi; unfortunately for him, it was wep2 encrypted, and he could see but not understand the traffic when viewed through Wireshark. He boldly walked up to the receptionist with a bar of chocolate in his hand; she seemed very friendly. He took off his hat and used his right hand to caress his curly hair while positioning himself away from the camera, then asked if she could send his CV to management. She replied that he had to apply through the website. He then quoted a line she recognized very well from her favourite book, and they got into a discussion, exchanging ideas and at times mild arguments. He then told her that he would love to continue the conversation and would appreciate it if he could get her phone number. "Unfortunately, company policy does not allow us to give out our contacts during work hours." He then suggested that she could take his CV, get his number off it and call him after work. She reluctantly obliged; on inserting the pen drive she clicked "continue" without scanning and opened the CV immediately. Connection established. As a parting gift, he gave her the second chocolate bar he had brought along, put his hat back on and exited the building.
He went to his car and immediately connected to his remote desktop, tracking her work. Clara (the front desk receptionist) locked her system and went for lunch after a few hours. He then accessed her computer from his laptop and got a proper understanding of the network. He studied it for hours trying to find a way to get admin access. IT!!!
At 5:03 pm he quickly sends a message to Bryan in IT, impersonating Clara. He noticed their chat trail and continued by uploading a malicious link containing dresses, casually asking Bryan to pick which dress he thinks would suit her tonight. As Bryan clicked on the link, he replied that the link was not working. He (still impersonating her) immediately responded that it was broken, but thanked him for his assistance anyway. Closing the chat window, he screams at the top of his voice, "I am coming for you, David!!!"
Part 3 will explain how he got access to both the private and corporate accounts of Mr David, requested new credit, authorized transactions and put Mr David in debt of over $2M. Did he cover his tracks well enough? Let us find out.