Securonix Threat Labs has identified a new covert attack campaign targeting Military and Weapons Contractor companies including an F-35 Lightning II fighter aircraft components supplier.
This campaign involved the use of PowerShell, secured C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.
Experts say spear phishing was the primary means of initial compromise, and that the attacks targeted at least two high-profile military contractor companies.
‘Spear phishing’ is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
The infection phase started with a phishing email sent to the target containing a malicious attachment. This was similar to the STIFF#BIZON campaign reported earlier. The email carried a compressed file containing a shortcut file, in this case “Company & Benefits.lnk”.
To avoid detection, the shortcut file attempts to hide its execution by calling forfiles rather than cmd.exe or powershell.exe, and it relies on the unusual “C:\Windows\System32\ForFiles.exe” command to execute commands.
The obfuscation techniques include reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, reordering, string replacement, and backtick obfuscation.
Researchers say the script scans for a list of processes linked to debugging and monitoring software, checks that the screen height is above 777 pixels and the memory is above 4GB to evade sandboxes, and verifies that the system was installed more than three days ago.
If the check fails, the script will disable the system network adapters, configure the Windows Firewall to block all traffic, delete everything in all detected drives, and then shut down the computer.
Subsequently, if all checks pass, the script proceeds by disabling the PowerShell Script Block Logging and adds Windows Defender exclusions for “.lnk,” “.rar,” and “.exe” files and also for directories critical for the function of the malware.
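The behaviours described above leave telemetry a defender can match on: forfiles.exe spawning a script host, Add-MpPreference adding extension or path exclusions, and the Script Block Logging policy value being set to 0. The following is an added example, not code from Securonix or the article, that runs those three rules over constructed process-creation records; the field names follow Sysmon Event ID 1 and the sample events are fabricated for illustration.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style fields).
# Illustrative only; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\ForFiles.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc QQBiAGMA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell Add-MpPreference -ExclusionExtension ".lnk",".rar",".exe"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
                    r"\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def classify(event):
    """Return the list of indicator names matched by one process-creation event."""
    hits = []
    parent = event["ParentImage"].lower()
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    # forfiles.exe launching a shell or script host is the LNK trick the article describes.
    if parent.endswith("forfiles.exe") and image.endswith(SCRIPT_HOSTS):
        hits.append("forfiles_spawns_script_host")
    # Defender exclusions being added by extension or path (the stager adds .lnk/.rar/.exe).
    if re.search(r"add-mppreference\s+.*-exclusion(extension|path)", cmd, re.I):
        hits.append("defender_exclusion_added")
    # Script Block Logging policy value written as 0 (logging disabled).
    if re.search(r"scriptblocklogging.*enablescriptblocklogging.*\b0\b", cmd, re.I):
        hits.append("scriptblock_logging_disabled")
    return hits


def scan(events):
    """Map event index -> matched indicators, for events matching at least one rule."""
    findings = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits, SAMPLE_EVENTS[idx]["CommandLine"])
```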
“While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis,” Securonix said. “Our attempts to decode the payload would only produce garbage data.”
Domains Used In Various Portions of the Attack Chain:
Overall, this attack was sophisticated, with the threat actor paying specific attention to opsec. Researchers say that in this case persistence is achieved through multiple methods, including adding new Registry keys, embedding the script in a scheduled task, adding a new entry to the Startup directory, and WMI subscriptions.