A previously undocumented threat actor has been implicated in a cyber attack targeting a US aerospace organization as part of a suspected cyber espionage mission.
The BlackBerry Threat Research and Intelligence team tracked the group’s activity as AeroBlade. Its origin is currently unknown and it is unclear if the attack was successful.
“The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contained an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage of final execution of the payload,” the company said in an analysis published last week.
The network infrastructure used for the attack is said to have gone live around September 2022, with the offensive phase of the intrusion occurring nearly a year later in July 2023, but not before the adversary had taken steps in the intervening period to improve its toolset and make it stealthier.
The first attack, which took place in September 2022, started with a phishing email carrying a Microsoft Word attachment that, when opened, used a technique called remote template injection to fetch and execute the next-stage payload once the victim enabled macros.
The attack chain ultimately led to the deployment of a dynamic-link library (DLL) that acted as a reverse shell, connecting to a hard-coded command-and-control (C2) server and sending system information to the attackers.
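The two document-level indicators described above, an external attachedTemplate relationship and an embedded VBA project, can both be checked without opening the file in Word, because a .docx/.docm is a ZIP of OOXML parts. The following script is an added example written for this article, not BlackBerry's code or anything from the AeroBlade report; it builds a constructed sample document in memory (the template URL and file names are made up) and inspects it for those two indicators.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# OOXML package relationship element and the relationship type Word uses for
# the "attached template" that is loaded when the document opens.
PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def inspect_document(data: bytes) -> dict:
    """Scan a Word OOXML document for remote-template and macro indicators."""
    findings = {"remote_template": None, "has_vba_project": False, "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A .docm with macros carries the compiled VBA project as this part.
        findings["has_vba_project"] = "word/vbaProject.bin" in names
        for name in names:
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(PKG_REL):
                # Only external relationships can point outside the package.
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                findings["external_targets"].append((name, target))
                # Local templates also appear as External (file:///...); a template
                # fetched over HTTP(S) at open time is the remote-injection pattern.
                if rel.get("Type") == ATTACHED_TEMPLATE and \
                        target.lower().startswith(("http://", "https://")):
                    findings["remote_template"] = target
    return findings


def is_suspicious(findings: dict) -> bool:
    return findings["remote_template"] is not None or findings["has_vba_project"]


def build_sample(remote_template: Optional[str], with_macros: bool) -> bytes:
    """Construct a minimal OOXML package for testing (constructed sample, not real malware)."""
    target = remote_template or "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", '<settings><attachedTemplate id="rId1"/></settings>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("http://template.example/invoice.dotm", with_macros=True)
    print(inspect_document(sample), is_suspicious(inspect_document(sample)))
```

The same `inspect_document` function works on a real file read with `open(path, "rb").read()`; on a mail gateway or in a sandbox triage pipeline, an HTTP(S) attachedTemplate target is a strong reason to detonate or quarantine the attachment before any user is asked to enable macros.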
The information-gathering capabilities also include enumerating the complete list of directories on the infected host, indicating that this may be a reconnaissance effort to determine whether the machine hosts any valuable data and to help its operators plan their next steps.
“Reverse shells allow attackers to open ports on target machines, force communication and conduct a complete takeover of the device,” Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry, said. “So this is a serious security threat.”
The heavily obfuscated DLL also comes with anti-analysis and anti-disassembly techniques to make it challenging to identify and isolate, and it avoids executing in sandboxed environments. Persistence is achieved through the Task Scheduler, where a task named “WinUpdate2” is created to run every day at 10:10 am.
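A scheduled task with a Windows-Update-style name that launches something from a user-writable directory is a persistence pattern a defender can triage from the task XML alone, whether it comes from a Security event 4698 (task created) record or from a `schtasks /query /xml` export. The script below is an added example written for this article, not part of BlackBerry's analysis; the task XML and the executable path in it are constructed placeholders, and only the task name and the daily 10:10 schedule come from the article.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Directories a standard user can write to; persistence launched from here deserves a look.
USER_WRITABLE = re.compile(r"(\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\|\\public\\)", re.I)
# Task names that imitate Windows servicing components (the article's task was "WinUpdate2").
UPDATE_LOOKALIKE = re.compile(r"^(win|windows|ms|microsoft)[ _-]*update", re.I)


def parse_task_xml(task_xml: str) -> dict:
    """Pull the daily trigger time and Exec actions out of Task Scheduler XML."""
    root = ET.fromstring(task_xml)
    info = {"daily_start": None, "commands": []}
    for trig in root.iter(f"{TASK_NS}CalendarTrigger"):
        if trig.find(f"{TASK_NS}ScheduleByDay") is not None:
            boundary = trig.findtext(f"{TASK_NS}StartBoundary", "")
            info["daily_start"] = boundary.split("T")[1][:5] if "T" in boundary else None
    for action in root.iter(f"{TASK_NS}Exec"):
        cmd = (action.findtext(f"{TASK_NS}Command") or "").strip()
        args = (action.findtext(f"{TASK_NS}Arguments") or "").strip()
        info["commands"].append((cmd, args))
    return info


def triage_task(name: str, task_xml: str) -> dict:
    """Return the reasons, if any, a task should be escalated for review."""
    info = parse_task_xml(task_xml)
    reasons = []
    leaf = name.strip("\\").split("\\")[-1]
    if UPDATE_LOOKALIKE.match(leaf):
        reasons.append("task name imitates Windows Update")
    for cmd, args in info["commands"]:
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"runs content from a user-writable path: {cmd} {args}".strip())
    return {"task": name, "daily_start": info["daily_start"],
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed task definitions: the first mirrors the article's WinUpdate2 task with a
# placeholder payload path; the second is shaped like a built-in Windows task.
SUSPICIOUS_TASK = ("\\WinUpdate2", r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-07-01T10:10:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\victim\AppData\Roaming\Updater\launcher.exe</Command></Exec></Actions>
</Task>""")

BENIGN_TASK = ("\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start", r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\sc.exe</Command><Arguments>start wuauserv</Arguments></Exec></Actions>
</Task>""")


if __name__ == "__main__":
    for name, xml in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(triage_task(name, xml))
```

Run across an export of every task on a host, the `daily_start` field also lets an analyst correlate a fixed run time such as 10:10 with outbound connections seen at that time in proxy or firewall logs, which is how a hard-coded C2 beacon from the reverse-shell DLL would surface.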
“In the time that has passed between the two campaigns that we have observed, the threat actor has put considerable effort into developing additional resources to ensure that they can secure access to the sought-after information, and that they can exfiltrate it successfully,” said Bestuzhev.