29 September 2022

Covert hacker attack targets military contractors

Security researchers shared details on a recent phishing campaign that targeted multiple military and weapons contractor companies, including likely a strategic supplier to the F-35 Lightning II fighter aircraft.

The campaign, dubbed "STEEP#MAVERICK" by Securonix researchers, was carried out in late summer 2022 and involved spear-phishing emails containing a malicious attachment.

The phishing message included a ZIP attachment with a shortcut file ("Company & Benefits.pdf.lnk"), which, once executed, connects to a command-and-control server and launches a chain of PowerShell scripts that infect the system with malware.

“The shortcut file does some tricky things to avoid detection. First, it attempts to hide its execution by calling forfiles rather than cmd.exe or powershell.exe like we’ve seen in the past. It then takes the powershell.exe executable file and then copies it to C:\Windows, renames it to AdobeAcrobatPDFReader, and then uses it to execute the rest of the PowerShell string,” the researchers noted in their report.

Another notable aspect of this campaign is its range of detection-evasion techniques, including code obfuscation to thwart analysis, counter-forensics and anti-debugging. The malware checks the system language setting and halts execution if it is set to Chinese or Russian. It also verifies the amount of physical memory and terminates itself if it is less than 4GB. Finally, it checks for virtualization infrastructure to determine whether it is being executed in an analysis environment or sandbox.

Once all checks are completed, the PowerShell stager disables logging, adds Windows Defender exclusions for LNK, RAR, and EXE files, and establishes persistence via a scheduled task or Windows Registry modifications.

The researchers have not attributed the attack to any known threat actor.

“Overall, it is clear that this attack was relatively sophisticated with the malicious threat actor paying specific attention to opsec. There were a lot of relatively recent attack techniques at play, some of which were unfamiliar and required additional analysis such as leveraging the PowerShell Get-Alias commandlet to perform an invoke expression,” the report concludes.
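As an added example (my own code, not Securonix's and not anything reproduced from the report), the following Python scans exported endpoint telemetry, one entry per line, for the behaviours the article describes: forfiles used as a launcher, powershell.exe copied into C:\Windows as AdobeAcrobatPDFReader, the locale, memory and virtualization checks, logging being switched off, Defender exclusions being added, scheduled-task or Run-key persistence, and Invoke-Expression reached through Get-Alias as noted in the closing quote. The regular expressions are generic renderings of how each step usually appears in process command lines and PowerShell script-block logs, not indicators taken from the report, and the sample log lines are constructed. The triage function counts distinct behaviours rather than single hits, because any one of them on its own (a scheduled task, a Defender exclusion) is routine administrative activity.

```python
"""Behaviour-based triage for the STEEP#MAVERICK tradecraft described above.

Added example, not the researchers' code. Input is plain text telemetry,
one process command line or script-block fragment per line. Patterns are
my own generic renderings of each behaviour, not IoCs from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    regex: re.Pattern


RULES = (
    # LNK launches forfiles as a proxy instead of cmd.exe / powershell.exe
    Rule("forfiles_proxy_exec", re.compile(r"\bforfiles(\.exe)?\b.*\s/c\s", re.I)),
    # powershell.exe copied into C:\Windows
    Rule("powershell_copied_to_windows",
         re.compile(r"\b(copy|Copy-Item|cp)\b.*powershell\.exe.*C:\\Windows", re.I)),
    # the renamed binary name the report gives
    Rule("renamed_powershell_name", re.compile(r"AdobeAcrobatPDFReader", re.I)),
    # script-block / module logging disabled through the policy keys
    Rule("logging_disabled", re.compile(r"Enable(ScriptBlock|Module)Logging\b.*\b0\b", re.I)),
    # Defender exclusions added for file types or paths
    Rule("defender_exclusion", re.compile(r"Add-MpPreference\b.*-Exclusion", re.I)),
    # Invoke-Expression reached via Get-Alias so "iex" is never called directly
    Rule("getalias_iex", re.compile(r"[&.]\s*\(\s*Get-Alias\b", re.I)),
    # sandbox checks: system language, physical memory, virtualization
    Rule("locale_check",
         re.compile(r"Get-(WinSystemLocale|Culture|UICulture)|\bCurrentUICulture\b", re.I)),
    Rule("memory_check", re.compile(r"TotalPhysicalMemory|TotalVisibleMemorySize", re.I)),
    Rule("vm_check",
         re.compile(r"Win32_ComputerSystem\b.*\b(Model|Manufacturer)\b|VMware|VirtualBox|Hyper-V", re.I)),
    # persistence via scheduled task or Run key
    Rule("scheduled_task", re.compile(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.I)),
    Rule("run_key", re.compile(r"CurrentVersion\\Run\b", re.I)),
)

# Constructed sample telemetry: two benign admin lines, then lines modelled
# on the stager behaviour the article describes (<stage2> is a placeholder).
SAMPLE_LOG = [
    "Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object",
    "Register-ScheduledTask -TaskName BackupNightly -Action $a -Trigger $t",
    "forfiles /p C:\\Windows\\System32 /m calc.exe /c \"cmd /c C:\\Windows\\AdobeAcrobatPDFReader <stage2>\"",
    "Copy-Item C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\AdobeAcrobatPDFReader",
    "if ((Get-WinSystemLocale).Name -match '^(zh|ru)') { exit }",
    "if ((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory -lt 4GB) { exit }",
    "if ((Get-CimInstance Win32_ComputerSystem).Model -match 'Virtual|VMware') { exit }",
    "Set-ItemProperty HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0",
    "Add-MpPreference -ExclusionExtension lnk,rar,exe",
    "& (Get-Alias iex) $decoded",
    "Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name Updater -Value C:\\Windows\\AdobeAcrobatPDFReader",
]


def scan(lines):
    """Return {rule_name: [1-based line numbers]} for every rule that fires."""
    hits = {}
    for lineno, text in enumerate(lines, start=1):
        for rule in RULES:
            if rule.regex.search(text):
                hits.setdefault(rule.name, []).append(lineno)
    return hits


def triage(lines, threshold=3):
    """Count distinct behaviours; several together is the signal, since any
    single one is common admin activity. Returns (count, flagged)."""
    count = len(scan(lines))
    return count, count >= threshold


if __name__ == "__main__":
    for name, where in scan(SAMPLE_LOG).items():
        print(f"{name:32s} lines {where}")
    print("triage:", triage(SAMPLE_LOG))
```

Run on a real export, the same approach works on Sysmon process-creation command lines and Event ID 4104 script-block text concatenated into one file; the threshold is deliberately low because the report's value is in the chain of behaviours, not any one of them.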
