Cyber Security News

Hackers Targeting Multiple Military & Weapons Contractor Companies Using PowerShell Stagers

Securonix Threat Labs has identified a new covert attack campaign targeting military and weapons contractor companies, including a supplier of components for the F-35 Lightning II fighter aircraft.

This campaign involved the use of PowerShell, secured C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.

Spear Phishing Attack

Experts say spear phishing was the primary means of initial compromise, and the attacks targeted at least two high-profile military contractor companies.

Spear phishing is an email or electronic communications scam aimed at a specific individual, organization or business. Although it is often intended to steal data for malicious purposes, cybercriminals may also use it to install malware on a targeted user’s computer.

Attack Chain

The infection phase started with a phishing email sent to the target containing a malicious attachment, similar to the STIFF#BIZON campaign reported earlier. The email carried a compressed file containing a shortcut file, in this case “Company & Benefits.lnk”.

Company & Benefits.pdf.lnk

To avoid detection, the shortcut file hides its execution by calling forfiles rather than cmd.exe or powershell.exe directly, relying on the rarely used “C:\Windows\System32\ForFiles.exe” utility to run its commands.

The obfuscation techniques include reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, reordering, string replacement, and backtick obfuscation.

Researchers say the script scans for a list of processes linked to debugging and monitoring software, checks that the screen height is above 777 pixels and the memory is above 4GB to evade sandboxes, and verifies that the system was installed more than three days ago.

If a check fails, the script disables the system’s network adapters, configures the Windows Firewall to block all traffic, deletes everything on all detected drives, and then shuts down the computer.

If all checks pass, the script disables PowerShell Script Block Logging and adds Windows Defender exclusions for “.lnk,” “.rar,” and “.exe” files, as well as for directories critical to the malware’s operation.

“While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis,” Securonix said.

“Our attempts to decode the payload would only produce garbage data.”

Domains Used In Various Portions of the Attack Chain:


Overall, this was a sophisticated attack, with the threat actor paying specific attention to opsec. Researchers say persistence is achieved through multiple methods, including adding new registry keys, embedding the script in a scheduled task, adding a new entry to the Startup directory, and creating WMI subscriptions.
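The defensive-evasion changes (Script Block Logging disabled, Defender exclusions) and the persistence methods described above leave host-level traces an administrator can audit. The following PowerShell script is an added example written for this article, not code from Securonix or the report; the registry path, Defender preference names and WMI namespace it queries are standard Windows locations, but which of them this campaign actually touched is an assumption on my part.

```powershell
# Added example (not from the report or the article): a defender-side audit of the
# host changes the article attributes to the stager. Run elevated, PowerShell 5.1+.
# Where these changes surface (registry path, Defender preferences, WMI namespace)
# is my assumption; the report does not publish these queries.

function Test-ScriptBlockLoggingDisabled {
    # Script Block Logging is governed by this policy value; anything but 1 is a finding.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($value -ne 1)
}

function Get-SuspiciousDefenderExclusions {
    # The article names .lnk, .rar and .exe exclusions; also list every path exclusion.
    $pref = Get-MpPreference
    [pscustomobject]@{
        FlaggedExtensions = @($pref.ExclusionExtension | Where-Object { $_ -match '^\.?(lnk|rar|exe)$' })
        PathExclusions    = @($pref.ExclusionPath)
    }
}

function Get-WmiPersistence {
    # Permanent WMI subscriptions live in root\subscription; a filter bound to a
    # CommandLineEventConsumer is the usual persistence shape.
    Get-CimInstance -Namespace 'root\subscription' -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Filter = $_.Filter; Consumer = $_.Consumer } }
}

function Get-StartupAndTaskScripts {
    # Startup-folder entries plus scheduled tasks whose action runs powershell.exe or
    # forfiles.exe, the two binaries the article names.
    $startup = foreach ($f in 'Startup', 'CommonStartup') {
        Get-ChildItem -Path ([Environment]::GetFolderPath($f)) -Force -ErrorAction SilentlyContinue
    }
    $tasks = Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object { $_.Execute -match '(?i)powershell|forfiles' }).Count -gt 0
    }
    [pscustomobject]@{
        StartupEntries = @($startup | Select-Object -ExpandProperty FullName)
        SuspectTasks   = @($tasks | Select-Object -ExpandProperty TaskName)
    }
}

# One object for triage; any non-empty list or a $true flag deserves a closer look.
[pscustomobject]@{
    ScriptBlockLoggingDisabled = Test-ScriptBlockLoggingDisabled
    DefenderExclusions         = Get-SuspiciousDefenderExclusions
    WmiBindings                = @(Get-WmiPersistence)
    Autoruns                   = Get-StartupAndTaskScripts
} | Format-List
```

A missing ScriptBlockLogging policy value is reported as disabled too, since logging is then off by default; compare the output against a known-good baseline rather than treating every flagged item as malicious.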


Guru

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
