Aerospace and military companies in the crosshairs of cyberspies

Operation-interception-inception-aerospace-military-companies-cyberspies-623x432

ESET researchers uncover targeted attacks against high-profile aerospace and military companies.

At the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East, active from September to December 2019. A collaborative investigation with two of the affected European companies allowed us to gain insight into the operation and uncover previously undocumented malware.

This blogpost will shed light on how the attacks unfolded. The full research can be found in our white paper, Operation In(ter)ception: Targeted attacks against European aerospace and military companies.

The attacks, which we dubbed Operation In(ter)ception based on a related malware sample named Inception.dll, were highly targeted and clearly intent on staying under the radar.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation and impersonating legitimate software and companies.

Initial compromise

According to our investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

While we did not find strong evidence connecting the attacks to a known threat actor, we discovered several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used.

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Figure-1-1
Figure 1. A fake job offer sent via LinkedIn to employees at one of the targeted companies

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, masqueraded as documents related to the job offer in question. Figure 2 shows an example of such a communication.

Figure-2-1-768x693
Figure 2. Communication between the attackers and an employee at one of the targeted companies

To send the malicious files, the attackers either used LinkedIn directly, or a combination of email and OneDrive. For the latter option, the attackers used fake email accounts corresponding with their fake LinkedIn personas, and included OneDrive links hosting the files.

The shared file was a password-protected RAR archive containing a LNK file. When opened, the LNK file started a Command Prompt that opened a remote PDF file in the target’s default browser.

That PDF, seemingly containing salary information for the reputed job positions, in reality served as a decoy; in the background, the Command Prompt created a new folder and copied the WMI Commandline Utility (WMIC.exe) to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied WMIC.exe.

This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the compromised computer. Figure 3 illustrates the steps leading up to compromise.

Figure-3-1-768x227
Figure 3. Attack scenario from initial contact to compromise

Attacker tools and techniques

The Operation In(ter)ception attackers employed a number of malicious tools, including custom, multistage malware, and modified versions of open-source tools.

We have seen the following components:

  • Custom downloader (Stage 1)
  • Custom backdoor (Stage 2)
  • A modified version of PowerShdll – a tool for running PowerShell code without the use of powershell.exe
  • Custom DLL loaders used for executing the custom malware
  • Beacon DLL, likely used for verifying connections to remote servers
  • A custom build of dbxcli – an open-source, command-line client for Dropbox; used for data exfiltration

Under a typical scenario, the Stage 1 malware – the custom downloader – was downloaded by the remote XSL script (described in the Initial compromise section) and executed using the rundll32 utility. However, we also saw instances where the attackers used one of their custom DLL loaders to run the Stage 1 malware. The main purpose of the custom downloader is to download the Stage 2 payload and run it in its memory.

The Stage 2 payload is a modular backdoor in the form of a DLL written in C++. It periodically sends requests to the server and performs defined actions based on the received commands, such as send basic information about the computer, load a module, or change the configuration. While we didn’t recover any modules received by the backdoor from its C&C server, we did find indications that a module was used to download the PowerShdll.

Besides malware, the adversaries leveraged living off the land tactics, abusing legitimate tools and OS functions to perform various malicious operations, in an attempt to fly under the radar. As for specific techniques, we found that the attackers used WMIC to interpret remote XSL scripts, certutil to decode base64-encoded downloaded payloads, and rundll32 and regsvr32 to run their custom malware.

Figure 4 shows how the various components interacted during the malware’s execution.

Figure-4-1-768x913
Figure 4. Malware execution flow

Besides the living off the land techniques, we found that the attackers made special effort to remain undetected.

First, the attackers disguised their files and folders by giving them legitimate-sounding names. For this purpose, the attackers misused the names of known software and companies, such as Intel, NVidia, Skype, OneDrive and Mozilla. For example, we found malicious files with the following paths:

  • C:\ProgramData\DellTPad\DellTPadRepair.exe
  • C:\Intel\IntelV.cgi

Interestingly, it was not just malicious files that were renamed – the attackers also manipulated the abused Windows utilities. They copied the utilities to a new folder (e.g. C:\NVIDIA) and renamed them (e.g. regsvr32.exe was renamed to NvDaemon.exe)

Second, the attackers digitally signed some components of their malware, namely the custom downloader and backdoor, and the dbxcli tool. The certificate was issued in October 2019 – while the attacks were active – to 16:20 Software, LLC. According to our research, 16:20 Software, LLC is an existing company based in Pennsylvania, USA, incorporated in May 2010.

Third, we found that the Stage 1 malware was recompiled multiple times throughout the operation.

Finally, the attackers also implemented anti-analysis techniques in their custom malware, such as control-flow flattening and dynamic API loading.

Data gathering and exfiltration

According to our research, the attackers used a custom build of dbxcli, an open-source command-line client for Dropbox, to exfiltrate data gathered from their targets. Unfortunately, neither the malware analysis nor the investigation allowed us to gain insight into what files the Operation In(ter)ception attackers were after. However, the job titles of the employees targeted via LinkedIn suggest that the attackers were interested in technical and business-related information.

Business email compromise

In one of the investigated cases, the attackers didn’t just stop at data exfiltration – as a final stage of the operation, they attempted to monetize the access to a victim’s email account through a BEC attack.

First, leveraging existing communication in the victim’s emails, the attackers tried to manipulate a customer of the targeted company to pay a pending invoice to their bank account, as seen in Figure 5. For further communication with the customer, they used their own email address mimicking the victim’s.

Here, the attackers were unsuccessful – rather than paying the invoice, the customer responded with inquiries about the requested sum. As the attackers urged the customer to pay, the customer ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side.

Figure-5-1-768x340
Figure 5. BEC email sent from a victim’s compromised email account

Attribution hints

Although our investigation didn’t reveal compelling evidence tying the attacks to a known threat actor, we identified several hints suggesting a possible link with the Lazarus group. Notably, we found similarities in targeting, use of fake LinkedIn accounts, the development environment, and anti-analysis techniques used. Besides that, we have seen a variant of the Stage 1 malware that carried a sample of Win32/NukeSped.FX, which belongs to a malicious toolset that ESET attributes to the Lazarus group.

Conclusion

Our investigation uncovered a highly targeted operation notable for its compelling, LinkedIn-based social engineering scheme, custom modular malware and cunning detection evasion tricks. Interestingly, while Operation In(ter)ception showed all the signs of cyberespionage, the attackers apparently also had financial gain as a goal, as evidenced by the attempted BEC attack.

Special thanks to Michal Cebák for his work on this investigation.

For the full description of the attacks, as well as technical analysis of the previously undocumented malware and Indicators of Compromise (IoCs), please refer to our paper, Operation In(ter)ception: Targeted attacks against European aerospace and military companies.

IoCs collected from the attacks can also be found on the ESET GitHub repository.

MITRE ATT&CK techniques

written by Dominik Breitenbacher, ESET We Live Security


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s