Hackers Targeting Multiple Military & Weapons Contractor Companies Using Powershell Stagers

Securonix Threat Labs has identified a new covert attack campaign targeting Military and Weapons Contractor companies including an F-35 Lightning II fighter aircraft components supplier.

This campaign involved the use of PowerShell, secured C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.


Spear Phishing Attack

Experts say ‘SpearPhishing’ was the primary means of initial compromise. Also, the attacks targeted at least two high-profile military contractor companies.

‘Spear phishing’ is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

Attack Chain

The infection phase started initially with phishing email sent to the target containing a malicious attachment. This was similar to the STIFF#BIZON campaign reported earlier. The email has a compressed file containing a shortcut file, in this case “Company & Benefits.lnk”.

Company & Benefits.pdf.lnk

To avoid detection, the shortcut file attempts to hide its execution by calling forfiles rather than cmd.exe or powershell.exe, and it relies on the unusual “C:\Windows\System32\ForFiles.exe” command to execute commands.

The obfuscation techniques include reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, reordering, string replacement, and backtick obfuscation.

Researchers say the script scans for a list of processes linked to debugging and monitoring software, checks that the screen height is above 777 pixels and the memory is above 4GB to evade sandboxes, and verifies that the system was installed more than three days ago.

If the check fails, the script will disable the system network adapters, configure the Windows Firewall to block all traffic, delete everything in all detected drives, and then shut down the computer.

Subsequently, if all checks pass, the script proceeds by disabling the PowerShell Script Block Logging and adds Windows Defender exclusions for “.lnk,” “.rar,” and “.exe” files and also for directories critical for the function of the malware.

“While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis,” Securonix

“Our attempts to decode the payload would only produce garbage data.”

Domains Used In Various Portions of the Attack Chain:

  • terma[.]dev
  • terma[.]icu
  • terma[.]app
  • terma[.]vip
  • terma[.]wiki
  • terma[.]pics
  • terma[.]lol
  • terma[.]ink

Therefore, this attack was sophisticated with the malicious threat actor paying specific attention to opsec. Researchers say in this case, ‘Persistence’ is achieved through multiple methods, including adding new Registry keys, embedding the script into a scheduled task, adding a new entry on the Startup directory, and also WMI subscriptions.

Download Free SWG – Secure Web Filtering – E-book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.