An unidentified attacker was involved in cyber espionage targeting a US aerospace organization
The group used targeted phishing. As a delivery mechanism for the malware, they attached a document to an email that embedded remote template injection techniques and malicious VBA. Although the network infrastructure used in the attack reportedly began functioning around September 2022, the attack phase took place almost a year later, in July 2023. During this period the attacker improved its toolset to become stealthier.
The first attack, which took place in September 2022, started with a phishing email with a Microsoft Word attachment. When the document was opened, it used remote template injection to fetch a second-stage template; once the victim enabled macros, the embedded macro carried out the download step itself. The chain of attacks eventually led to the deployment of a dynamic link library (DLL) that acts as a reverse shell, connecting to a hard-coded command-and-control (C2) server and delivering system information directly to the attackers.
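The delivery technique described above leaves a static artifact inside the .docx package: a relationship of type attachedTemplate whose target is an external URL or UNC path rather than a local template file. The following triage script is an added example (not code from the article or from BlackBerry) that opens a Word document as a ZIP container, inspects word/_rels/settings.xml.rels for such a relationship, and also notes whether the lure itself carries a vbaProject.bin. The sample documents it builds are constructed in memory for illustration; the URL in them is a placeholder, not an indicator from the report.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PATH = "word/_rels/settings.xml.rels"

# Only HTTP(S) URLs and UNC paths count as remote; a template on the local disk is normal.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets declared in the document's settings relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        if RELS_PATH not in package.namelist():
            return findings
        root = ET.fromstring(package.read(RELS_PATH))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if REMOTE_TARGET.match(target):
                findings.append(target)
    return findings


def has_vba_project(docx_bytes):
    """True if the package itself ships a VBA project (macro-enabled lure)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        return "word/vbaProject.bin" in package.namelist()


def triage(docx_bytes):
    """Coarse verdict: a remote template is the strongest signal, since the macro arrives later."""
    if find_remote_templates(docx_bytes):
        return "high"
    if has_vba_project(docx_bytes):
        return "medium"
    return "low"


def build_sample_docx(template_target=None, with_macro=False):
    """Constructed minimal OOXML package for testing; not a real document from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr(
            "[Content_Types].xml",
            "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        )
        package.writestr(
            "word/document.xml",
            "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>",
        )
        if template_target is not None:
            rels = (
                f"<Relationships xmlns='{REL_NS}'>"
                f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                f"Target='{template_target}' TargetMode='External'/>"
                "</Relationships>"
            )
            package.writestr(RELS_PATH, rels)
        if with_macro:
            package.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host (TEST-NET-3 range), not an indicator from the report.
    lure = build_sample_docx("http://203.0.113.10/template.dotm")
    print(find_remote_templates(lure), triage(lure))
```

The check is intentionally narrow: a legitimately attached template on the local filesystem (for example a file:// path under the user's Templates folder) is not flagged, so the script can run over a mail gateway's attachment stream without drowning analysts in corporate-template noise.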
“This is a serious security threat. Reverse shells allow attackers to open ports on hijacked machines, providing communication and full control over the device,” said Dmytro Bestuzhev, BlackBerry’s senior director of cyber threat analysis.
The intelligence-gathering capabilities also include enumerating a complete list of directories on the infected host, indicating that this may be a reconnaissance operation conducted to find out whether any valuable data is stored on the machine and to help its operators plan their next steps. The heavily obfuscated DLL is also equipped with anti-analysis and anti-disassembly methods, making it difficult to detect and disassemble. Persistence is achieved using the Task Scheduler, which creates a task called “WinUpdate2” to run every day at 10:10 AM. “During the year that passed between the two campaigns we observed, the threat actor made significant efforts to develop additional resources to allow them access to the information they needed and successfully steal it,” Bestuzhev said.
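The persistence mechanism above is the most durable host-side indicator in the story: a scheduled task with a fixed name and a fixed daily trigger. The following script is an added example (not code from the article or from BlackBerry) that parses Task Scheduler XML of the kind exported by `schtasks /query /xml` and scores each task against the reported traits, plus two generic heuristics a hunt would normally add: the action running from a user-writable directory, and the action loading a DLL through rundll32 or regsvr32. The page does not say how the DLL is launched, so those two heuristics are assumptions for illustration, and the task XML samples are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
KNOWN_TASK_NAMES = {"winupdate2"}          # task name reported for this campaign
KNOWN_START_TIME = "T10:10:00"             # daily 10:10 AM, as reported
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}   # assumption: typical DLL launchers


def q(tag):
    """Qualify a tag with the Task Scheduler namespace for ElementTree paths."""
    return f"{{{TASK_NS}}}{tag}"


def parse_task(task_name, task_xml):
    """Extract the fields we score from one exported task definition."""
    root = ET.fromstring(task_xml)
    start = root.findtext(f".//{q('CalendarTrigger')}/{q('StartBoundary')}") or ""
    daily = root.find(f".//{q('CalendarTrigger')}/{q('ScheduleByDay')}") is not None
    command = root.findtext(f".//{q('Exec')}/{q('Command')}") or ""
    arguments = root.findtext(f".//{q('Exec')}/{q('Arguments')}") or ""
    return {"name": task_name, "start": start, "daily": daily,
            "command": command, "arguments": arguments}


def score_task(task):
    """Return the list of reasons a task looks like the reported persistence; empty means clean."""
    reasons = []
    if task["name"].lower() in KNOWN_TASK_NAMES:
        reasons.append("task name matches reported indicator")
    if task["daily"] and task["start"].endswith(KNOWN_START_TIME):
        reasons.append("daily trigger at 10:10 matches reported schedule")
    cmdline = (task["command"] + " " + task["arguments"]).lower()
    if any(marker in cmdline for marker in USER_WRITABLE):
        reasons.append("action runs from a user-writable directory")
    if ntpath.basename(task["command"]).lower() in DLL_LOADERS:
        reasons.append("action loads a DLL through a living-off-the-land binary")
    return reasons


def audit(tasks):
    """tasks: iterable of (name, xml). Returns {name: reasons} for every flagged task."""
    flagged = {}
    for name, xml in tasks:
        reasons = score_task(parse_task(name, xml))
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed samples in Task Scheduler XML format; paths and times are illustrative.
SUSPICIOUS_XML = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger>
    <StartBoundary>2023-07-20T10:10:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\Users\\victim\\AppData\\Roaming\\update\\wu.dll,Start</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_XML = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><CalendarTrigger>
    <StartBoundary>2023-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Program Files\\Backup\\backup.exe</Command>
    <Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for name, reasons in audit([("WinUpdate2", SUSPICIOUS_XML), ("BackupNightly", BENIGN_XML)]).items():
        print(name, "->", "; ".join(reasons))
```

Matching only on the task name or the 10:10 trigger would miss a renamed or rescheduled variant, which is why the generic heuristics are scored alongside the campaign-specific ones; in practice you would feed the exports of every task on a host through `audit` and review anything with two or more reasons.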