ESET researchers have discovered an operation, with a possible link to the infamous Lazarus group, that targeted aerospace and military companies using spear phishing and unconventional, customized multi-stage malware.
ESET researchers have discovered highly targeted cyber attacks that relied on LinkedIn-based spear phishing and on effective tricks to avoid detection, with the dual aim of stealing confidential data and obtaining financial gain. The attacks, which ESET researchers dubbed Operation In(ter)ception after the related malware sample "Inception.dll", took place from September to December 2019.
The intrusions that ESET researchers detected originated from a LinkedIn message. "The message contained a fairly credible job offer, apparently coming from well-known companies in relevant sectors. Of course, the LinkedIn profile was fake, and the files sent within the communication were malicious," commented Dominik Breitenbacher, the ESET researcher who analyzed the malware and conducted the investigation.
The files were sent directly via LinkedIn messages or via email containing a OneDrive link. For the latter option, the attackers had created e-mail accounts corresponding to the fake LinkedIn profiles.
Once the recipient opened the file, they saw a seemingly harmless PDF document with information about the fake job offer. At the same time, the malware installed itself, undetected, on the victim's computer, giving the attackers an initial foothold on the victim's device.
The attackers then took a series of steps that ESET studied and described in the white paper "Operation In(ter)ception: Targeted attacks against European aerospace and military companies." Among the tools used by the attackers were custom multi-stage malware that often posed as legitimate software, modified versions of open-source tools, and so-called "living off the land" techniques that abuse pre-installed Windows utilities to perform various malicious operations.
"The attacks we studied showed all the signs of espionage, with several clues suggesting a possible connection with the infamous Lazarus group. However, neither the malware analysis nor the investigation allowed us to obtain information about the files the attackers were targeting," Breitenbacher commented.
In addition to spying, ESET researchers also documented that attackers attempted to use compromised accounts to steal money.
Among a victim's emails, for example, the attackers found a communication with a customer regarding an unpaid invoice. They inserted themselves into that exchange and urged the customer to pay, supplying their own bank details. Fortunately, in that case, the customer became suspicious and contacted the victim for further confirmation, thus defeating the attackers' attempt at a so-called "business email compromise" attack.
"This attempt to monetize victims' network access should serve as an incentive to establish strong intrusion defenses and provide cybersecurity training for employees. This would make it possible to recognize even lesser-known social engineering techniques, such as those used in Operation In(ter)ception," concludes Breitenbacher.
More technical details on Operation In(ter)ception are available in the full blog post and in the white paper "Operation In(ter)ception: Targeted attacks against European aerospace and military companies" on WeLiveSecurity. Follow ESET Research on Twitter for the latest news from ESET Research.