In a new report published by ESET’s researchers, we learn of Operation In(ter)ception which heavily targeted aerospace and military organizations.
“To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers,” reads the report.
“Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation and impersonating legitimate software and companies.”
The name In(ter)ception comes from the Inception.dll file dropped by the malware behind these attacks.
It starts with ‘recruiting’
A typical attack scenario begins with a message from a LinkedIn person pretending to be an HR representative or recruiter from companies like Collins Aerospace (previously Rockwell Collins) and General Dynamics, which are major U.S. aerospace and defense companies.
The “job description” sent via LinkedIn messaging to the victim comprises an RAR archive, which further contains an “LNK” file. This LNK file has no purpose but to fire off a command prompt to download a remotely-hosted decoy PDF. After opening the “job description” PDF, the command prompt also initiates processes, such as WMIC.exe and a Task Scheduler activity, to conduct malicious tasks.
The Scheduled Task once created, is designed to run a remotely-fetched XSL script downloading payloads for execution during the following stages of the attack.
The attackers behind the campaign are believed to be Lazarus Group, the same North Korean group that had targeted Sony Pictures during the release of 2014 movie, The Interview.
The multi-step attack is also sophisticated in how it not only renames malicious files to conceal them but alters legitimate Windows tools as well.
“Interestingly, it was not just malicious files that were renamed – the attackers also manipulated the abused Windows utilities. They copied the utilities to a new folder (e.g. C:\NVIDIA) and renamed them (e.g. regsvr32.exe was renamed to NvDaemon.exe),” stated the report.
Further, the researchers observed that the malware was cryptographically signing its malicious components, possibly using stolen certificate keys.
“Second, the attackers digitally signed some components of their malware, namely the custom downloader and backdoor, and the dbxcli tool. The certificate was issued in October 2019 – while the attacks were active – to 16:20 Software, LLC. According to our research, 16:20 Software, LLC is an existing company based in Pennsylvania, USA, incorporated in May 2010.”
The malware could be also observed recompiling files several times during its execution.
The major purpose of this attack is to gather and exfiltrate sensitive files and to compromise business accounts. The captured data was seen being uploaded to cloud services, such as Dropbox. This was done using the dbxcli tool – a customised version of Dropbox client bundled with the malware.
The researchers aren’t entirely sure as to what exactly were the adversaries after. However, the understanding is their targets were businesses in an effort to extract technical and business secrets.
“Unfortunately, neither the malware analysis nor the investigation allowed us to gain insight into what files the Operation In(ter)ception attackers were after. However, the job titles of the employees targeted via LinkedIn suggest that the attackers were interested in technical and business-related information.”