APT38 Pharmaceutical Attacks

A chain that bypasses Mark of the Web (MOTW) by using PackMyPayload to create an ISO. The ISO contains a decoy PDF and a malicious executable (a Sliver agent) that when extracted will not contain MOTW. When executed, the Sliver agent will receive a queued instruction from Operator. Similar trust control bypass behaviour was observed in APT38 when targeting the pharmaceutical industry; ISOs were shared with decoy PDFs and backdoored PDF readers to stage malware.

TTP Tuesday: APT38 - Pharmaceutical Attacks

Subverting Mark-of-the-Web trust controls

Theme Overview

In our previous APT38 release, we looked at CryptoSpy initial access via supply chain compromise. This week we're looking at APT38 spearphishing that used trust control subversion techniques against pharmaceutical companies in 2020. In particular, this chain creates an ISO file to subvert Mark of the Web trust controls. When the ISO payload is executed, a queued technique is sent to it using the same method as last week's chain.

Mark-of-the-Web (MOTW)

Mark of the Web (MOTW) is a security feature in Microsoft Windows that uses a file's alternate data stream (ADS) to store the file's ZoneId, information about where the file originates. When downloading a file, browsers (and many other applications) append the ADS ZoneId to the file to indicate the origin.

The ZoneId indicates one of the following trust zones:

  • Local Machine Zone
  • Local Intranet Zone
  • Trusted Sites Zone
  • Internet Zone
  • Restricted Sites Zone

Depending on the ZoneId, such as when the file originates from the Internet zone, execution of the file may be blocked. For an example of MOTW usage, back in 2016 Microsoft Office introduced macro blocking using MOTW. Unfortunately, this Office feature was not enabled by default.

Macros are dead (long live macros)

In February 2022, Microsoft took a huge step toward securing Office users by blocking Internet macros by default in Office. The basic premise is to block by default any file originating from an untrusted zone as identified by MOTW.

Unfortunately, there are some tricks to prevent MOTW from propagating to files under specific circumstances, and for this week's chain we're going to exploit that!

In 2020, Outflank demonstrated that the MOTW flag is not propagated in some container file formats such as ISO. While the container file itself will have MOTW when downloaded, the files contained within do not. This technique is used in phishing and other social engineering attacks whereby a user is tricked into mounting the ISO and executing the contents. In the case of macros originating from the Internet, Office treats them as local files and executes them as expected.


PackMyPayload is a tool written by mgeeky to create container files and bypass MOTW. It's a Python script that can create ISO, IMG, and others, from an input file or directory.

We're using this tool to build our ISO image, that will contain a decoy PDF for an awesome (no, seriously - very cool) job offer and an application to view the PDF. This technique was observed in APT38 when targeting the pharmaceuticals industry in 2020. They used the same pretext, and even followed up with subsequent job postings to keep the pretext alive.

Using the PackMyPaylod TTPs as templates, you'll be able to build your own containers for MOTW evasion. We're looking forward to seeing what you come up with!

Watch a demonstration:

APT38 Pharmaceutical Attacks

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Install PackMyPayload
Embed files in ISO
Host ISO payload
Wait for Sliver agent callback
Queue TTP for Sliver agent

User-Set Custom Variables

  • sliver.agent.path: /tmp/AGENT_NAME.exe