Security researchers shared details on a recent phishing campaign that targeted multiple military and weapons contractor companies, likely including a strategic supplier to the F-35 Lightning II fighter aircraft.
The campaign, dubbed “STEEP#MAVERICK” by Securonix researchers, was carried out in late summer 2022 and involved spear-phishing emails containing a malicious attachment.
The phishing message included a ZIP attachment with a shortcut file (“Company & Benefits.pdf.lnk”), which, once executed, connected to the command and control server and launched a chain of PowerShell scripts that infect the system with malware.
“The shortcut file does some tricky things to avoid detection. First, it attempts to hide its execution by calling forfiles rather than cmd.exe or powershell.exe like we’ve seen in the past. It then takes the powershell.exe executable file and then copies it to C:\Windows, renames it to AdobeAcrobatPDFReader, and then uses it to execute the rest of the PowerShell string,” the researchers noted in their report.
Another notable aspect of this campaign is its use of several detection-evasion techniques: code obfuscation to thwart analysis, counter-forensics and anti-debugging. The malware also checks the system language settings and halts execution if the language is set to Chinese or Russian. In addition, it verifies the amount of physical memory and terminates itself if it is less than 4GB. A check for virtualization infrastructure, to determine whether the malware is running in an analysis environment or sandbox, is also included.
Once all checks are completed, the PowerShell stager disables logging, adds Windows Defender exclusions for LNK, RAR, and EXE files, and establishes persistence via a scheduled task or Windows Registry modifications.
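The chain described above leaves three process-creation artefacts a defender can hunt for: forfiles launched straight from Explorer (a shortcut target), a binary whose PE version info still reads PowerShell.EXE even though it was copied and renamed, and a command line adding Defender extension exclusions. The script below is an added example, not code from the report or from Securonix; the JSON events, the `.exe` extension on the renamed copy and the command-line fragments are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (hypothetical, not from the report):
# forfiles spawned by Explorer, a renamed powershell.exe copy, that copy adding Defender
# exclusions, and one benign PowerShell launch that must not be flagged.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "forfiles.exe", "CommandLine": "forfiles /p ... /c ..."},
    {"Image": r"C:\Windows\AdobeAcrobatPDFReader.exe", "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "AdobeAcrobatPDFReader -w hidden -e ..."},
    {"Image": r"C:\Windows\AdobeAcrobatPDFReader.exe", "ParentImage": r"C:\Windows\AdobeAcrobatPDFReader.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "AdobeAcrobatPDFReader -c Add-MpPreference -ExclusionExtension lnk,rar,exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell Get-Process"},
])

def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def detect(event):
    """Return the names of every hunting rule the event matches."""
    hits = []
    img, parent = basename(event["Image"]), basename(event["ParentImage"])
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # 1. forfiles started directly by Explorer: consistent with a .lnk whose target is forfiles.
    if img == "forfiles.exe" and parent == "explorer.exe":
        hits.append("forfiles_from_explorer")
    # 2. Copying/renaming powershell.exe does not change its embedded OriginalFileName,
    #    so match on that field rather than on whatever name the copy was given.
    if orig == "powershell.exe" and img != "powershell.exe":
        hits.append("renamed_powershell")
    # 3. Defender extension exclusions being added from a command line.
    if "add-mppreference" in cmd and "-exclusionextension" in cmd:
        hits.append("defender_extension_exclusion")
    return hits

def scan(log_text):
    """Run the rules over newline-delimited JSON events; return (event_no, rule) pairs."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            findings.extend((n, rule) for rule in detect(json.loads(line)))
    return findings

if __name__ == "__main__":
    for n, rule in scan(SAMPLE_EVENTS):
        print(f"event {n}: {rule}")
```

Rule 2 is the one worth keeping in a real ruleset: it flags the relocated interpreter whatever name the attacker chose, while a plain `powershell.exe` launch from Explorer matches nothing.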
The researchers have not attributed the attack to any known threat actor.
“Overall, it is clear that this attack was relatively sophisticated with the malicious threat actor paying specific attention to opsec. There were a lot of relatively recent attack techniques at play, some of which were unfamiliar and required additional analysis such as leveraging the PowerShell Get-Alias commandlet to perform an invoke expression,” the report concludes.