Organizations in the aerospace and military sectors were compromised in a highly targeted cyber-espionage campaign that shows a possible link to North Korean hackers, ESET reveals.
Active since September 2019 and still ongoing, Operation In(ter)ception hit companies in Europe and the Middle East through fake accounts on LinkedIn that posted bogus job offers. The attacks appear to have been focused mainly on espionage, but a business email compromise attempt was also discovered.
The threat actor behind these attacks remains unknown, but ESET believes it could be linked to the infamous North Korean state-sponsored group Lazarus, based on targeting, the use of fake LinkedIn accounts, development tools, and anti-analysis methods. Furthermore, one of the observed stage 1 malware variants carried a sample of Lazarus-attributed NukeSped.
“The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to the infamous Lazarus group. However, neither the malware analysis nor the investigation allowed us to gain insight into what files the attackers were aiming for,” ESET researcher Dominik Breitenbacher comments.
Fake LinkedIn accounts claiming to be HR representatives at well-known aerospace and defense companies such as U.S.-based Collins (formerly Rockwell Collins) and General Dynamics were created for each of the targeted organizations.
Attractive bogus jobs were offered and, once the victim’s attention was captured, the attackers sent over password-protected archives containing LNK files that started a command prompt to open a decoy PDF in the browser.
Unbeknown to the victim, the command prompt created a new folder on the machine, copied the WMIC.exe utility to it, and set up persistence for it via a scheduled task. WMIC was used to interpret remote XSL scripts, certutil for payload decoding, and rundll32/regsvr32 for malware execution.
The attackers used a multitude of malicious tools, including a custom downloader (stage 1) and a backdoor (stage 2), a modified version of PowerShell, custom DLL loaders, a beacon DLL, and a custom build of the open-source command-line client for Dropbox dbxcli.
PowerShell commands were used for reconnaissance, such as querying Active Directory for a list of employees, including administrator accounts (which were later brute-forced).
ESET’s security researchers also discovered that the threat actor put a lot of effort into remaining undetected: files and folders were named so that they would seem legitimate, malware components were digitally signed, the stage 1 downloader was recompiled multiple times, and anti-analysis techniques were implemented in the malware.
The Dropbox client dbxcli was used for data exfiltration. The researchers could not determine which files the attackers were after, but they believe the targets might have been technical and business-related information.
As part of one attack, the adversary also attempted to perform business email compromise, by tricking a victim company’s customer into sending the payment for a pending invoice to an attacker-controlled account. The attack, however, was unsuccessful, as the customer became suspicious.
WMI commands were likely used for lateral movement within the compromised environments, but the attackers removed deployed files from the hacked computers after moving to new systems.
“Our research into Operation In(ter)ception shows again how effective spearphishing can be for compromising a target of interest. […] Unafraid of direct contact, the attackers chatted with the victims to convince them to open malicious files. Once they succeeded, they had their initial foothold inside the victim companies,” ESET notes.