Aerospace and military companies hit by cyber espionage campaign linked to North Korea

Organizations in the aerospace and military sectors in Europe and the Middle East have been hit by a new, sophisticated cyber-espionage campaign whose goal was to collect technical and business-related information, security researchers from ESET revealed.

The campaign, dubbed “Operation In(ter)ception,” was active between September and December 2019 and relied on fake LinkedIn accounts that posted bogus job offers, through which the attackers attempted to compromise their targets and deliver cyber-espionage tools.

The attackers set up fictitious LinkedIn accounts impersonating HR managers of well-known companies in the aerospace and defense industry, such as Collins Aerospace and General Dynamics.

“Once the attackers had the targets’ attention, they snuck malicious files into the conversation, masqueraded as documents related to the job offer in question. To send the malicious files, the attackers either used LinkedIn directly, or a combination of email and OneDrive. For the latter option, the attackers used fake email accounts corresponding with their fake LinkedIn personas, and included OneDrive links hosting the files,” the researchers said.

The malicious file was a RAR archive containing a LNK shortcut which, when opened, displayed a decoy PDF document, purportedly containing salary information for the job offer in question, in the target’s default browser. At the same time, the shortcut invoked Windows' Command Prompt utility to perform a series of actions that gave the attackers an initial foothold on the targeted host.
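A defender reading the chain above (shortcut opened by the user, decoy PDF shown, cmd.exe doing the real work) can turn it into a process-creation heuristic. The script below is an added example written for this article, not ESET's detection logic or the campaign's actual command lines: it scores Sysmon-style process-creation records (field names are an assumption) and flags a cmd.exe spawned from explorer.exe whose command line both opens a PDF and chains a further command. The event records are constructed for illustration.

```python
"""Heuristic detection for the "shortcut -> decoy PDF -> cmd.exe" initial-access
pattern described in the article. Example code added by the editor; the sample
events below are constructed and do not reproduce the real campaign's commands."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    # Assumed field names, modelled on Sysmon Event ID 1 (ParentImage, Image, CommandLine).
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# "start ... something.pdf": the decoy document being handed to the default viewer.
PDF_DECOY = re.compile(r"\bstart\b[^&|]*\.pdf", re.IGNORECASE)
# A second command chained after the decoy (cmd.exe operators & && | ||).
CHAIN_OPERATORS = re.compile(r"(&&|\|\||&|\|)")


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of suspicious traits observed for one process-creation event."""
    reasons: list[str] = []
    # A double-clicked .lnk is launched by explorer.exe, so the shortcut's target
    # (here cmd.exe) appears as a direct child of explorer.exe.
    if _basename(ev.parent_image) != "explorer.exe" or _basename(ev.image) != "cmd.exe":
        return reasons
    reasons.append("cmd.exe launched directly from explorer.exe (shortcut double-click)")
    if PDF_DECOY.search(ev.command_line):
        reasons.append("command line opens a PDF via 'start' (decoy document)")
    if CHAIN_OPERATORS.search(ev.command_line):
        reasons.append("command line chains a further command after the decoy")
    return reasons


def detect(events: list[ProcessEvent], min_reasons: int = 3) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event reaching the alert threshold."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: decoy PDF plus a chained second command -> should alert
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c start "" "C:\Users\alice\Downloads\Offer\Salary_Information.pdf" '
                 r'& start /b "" "C:\Users\alice\AppData\Local\Temp\upd.exe"'),
    # 1: user opened an interactive prompt -> benign
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # 2: shortcut that only opens a PDF, nothing chained -> below threshold
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c start "" "C:\Users\alice\Documents\report.pdf"'),
    # 3: cmd.exe from an Office process is a different pattern, ignored here
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", r'cmd.exe /c start "" "notes.pdf" & whoami'),
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Lowering `min_reasons` to 2 would also surface shortcuts that merely open a PDF, which is noisy on a corporate fleet; the three-trait combination is what distinguishes the decoy-plus-payload pattern from ordinary shortcuts.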

ESET said the campaign operators used a variety of malicious tools, including custom multistage malware and modified versions of open-source tools:

  • Custom downloader (Stage 1)

  • Custom backdoor (Stage 2)

  • A modified version of PowerShdll – a tool for running PowerShell code without the use of powershell.exe

  • Custom DLL loaders used for executing the custom malware Beacon DLL, likely used for verifying connections to remote servers

  • A custom build of dbxcli – an open-source, command-line client for Dropbox; used for data exfiltration

While the primary goal of the Operation In(ter)ception campaign was cyber espionage, in some cases the researchers observed the attackers attempting to use compromised accounts within the target organizations to launch business email compromise (BEC) attacks against other businesses.

“First, leveraging existing communication in the victim’s emails, the attackers tried to manipulate a customer of the targeted company to pay a pending invoice to their bank account. For further communication with the customer, they used their own email address mimicking the victim’s,” ESET wrote.

“Here, the attackers were unsuccessful – rather than paying the invoice, the customer responded with inquiries about the requested sum. As the attackers urged the customer to pay, the customer ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side.”
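The BEC attempt described above hinged on a sender address that mimicked the victim's real one. A mail gateway or SOC triage script can catch that class of lure by comparing the sender's domain against the domains of known correspondents. The function below is an added example, not code from ESET or the article: it normalises common look-alike substitutions (digit-for-letter, "rn" for "m", "vv" for "w") and applies an edit-distance threshold; the trusted-domain set and the test addresses are constructed.

```python
"""Look-alike sender-domain check for BEC triage. Example code added by the
editor; the trusted domains and sample addresses below are constructed."""
from typing import Iterable, Optional


def domain_of(address: str) -> str:
    """Extract the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(">")


# Homoglyph / visual-confusion substitutions commonly used in look-alike domains.
_TRANSLATE = str.maketrans({"0": "o", "1": "l", "5": "s"})


def normalize(domain: str) -> str:
    """Fold visually confusable sequences so that 'examp1e' and 'exarnple' compare equal to 'example'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_TRANSLATE)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, trusted_domains: Iterable[str], max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain that `sender` appears to imitate, or None.

    An exact match with a trusted domain is the genuine correspondent and is not
    reported; only near-misses are."""
    sd = domain_of(sender)
    trusted = {t.lower() for t in trusted_domains}
    if sd in trusted:
        return None
    for t in trusted:
        if normalize(sd) == normalize(t) or levenshtein(sd, t) <= max_distance:
            return t
    return None


# Constructed data: the domain of a supplier whose invoices we normally pay.
TRUSTED = {"example-aero.com"}

if __name__ == "__main__":
    for addr in ("accounts@example-aero.com", "accounts@examp1e-aero.com",
                 "accounts@example-aero.co", "billing@unrelated-vendor.net"):
        print(addr, "->", lookalike_of(addr, TRUSTED))
```

In the scenario ESET describes, the customer's own correspondence history is the trusted set: a payment-instruction change arriving from a domain that is one or two characters away from the supplier's real one should be held for out-of-band confirmation, which is exactly what ultimately foiled this attempt.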

ESET said it did not find concrete evidence tying the attacks to a known threat actor, but suspects the involvement of the Lazarus Group, which security researchers have previously linked to North Korea, based on similarities in targeting, the use of fake LinkedIn accounts and anti-analysis techniques.

“Besides that, we have seen a variant of the Stage 1 malware that carried a sample of Win32/NukeSped.FX, which belongs to a malicious toolset that ESET attributes to the Lazarus group,” the security firm said.
