Cybercrime

Operation In(ter)ception targeted European Space and Military Companies via LinkedIn

In a new report published by ESET’s researchers, we learn of Operation In(ter)ception which heavily targeted aerospace and military organizations.

“To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers,” reads the report.

“Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation and impersonating legitimate software and companies.”

The name In(ter)ception comes from the Inception.dll file dropped by the malware behind these attacks.

It starts with ‘recruiting’

A typical attack scenario begins with a message from a LinkedIn person pretending to be an HR representative or recruiter from companies like Collins Aerospace (previously Rockwell Collins) and General Dynamics, which are major U.S. aerospace and defense companies.

Image credit: ESET / We Live Security

The “job description” sent via LinkedIn messaging to the victim comprises an RAR archive, which further contains an “LNK” file. This LNK file has no purpose but to fire off a command prompt to download a remotely-hosted decoy PDF. After opening the “job description” PDF, the command prompt also initiates processes, such as WMIC.exe and a Task Scheduler activity, to conduct malicious tasks.

Image credit: ESET Labs / We Live Security blog

The Scheduled Task once created, is designed to run a remotely-fetched XSL script downloading payloads for execution during the following stages of the attack.

Image credit: ESET Labs / We Live Security blog

The attackers behind the campaign are believed to be Lazarus Group, the same North Korean group that had targeted Sony Pictures during the release of 2014 movie, The Interview.

The multi-step attack is also sophisticated in how it not only renames malicious files to conceal them but alters legitimate Windows tools as well.

“Interestingly, it was not just malicious files that were renamed – the attackers also manipulated the abused Windows utilities. They copied the utilities to a new folder (e.g. C:\NVIDIA) and renamed them (e.g. regsvr32.exe was renamed to NvDaemon.exe),” stated the report.

Further, the researchers observed that the malware was cryptographically signing its malicious components, possibly using stolen certificate keys.

“Second, the attackers digitally signed some components of their malware, namely the custom downloader and backdoor, and the dbxcli tool. The certificate was issued in October 2019 – while the attacks were active – to 16:20 Software, LLC. According to our research, 16:20 Software, LLC is an existing company based in Pennsylvania, USA, incorporated in May 2010.”

The malware could be also observed recompiling files several times during its execution.

The major purpose of this attack is to gather and exfiltrate sensitive files and to compromise business accounts. The captured data was seen being uploaded to cloud services, such as Dropbox. This was done using the dbxcli tool – a customised version of Dropbox client bundled with the malware.

The researchers aren’t entirely sure as to what exactly were the adversaries after. However, the understanding is their targets were businesses in an effort to extract technical and business secrets.

“Unfortunately, neither the malware analysis nor the investigation allowed us to gain insight into what files the Operation In(ter)ception attackers were after. However, the job titles of the employees targeted via LinkedIn suggest that the attackers were interested in technical and business-related information.”

ESET researchers’ detailed findings have been made available in both the blog post and a PDF research paper.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

11 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

11 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

11 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

11 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.