Stealthy hackers target military and weapons contractors in recent attack

  • September 28, 2022, 12:06 PM ET (9:06 AM PT)

F35 Lightning Jet

Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.

The highly targeted attacks begin with a phishing email sent to employees, leading to a multi-stage infection that uses multiple persistence and detection-evasion mechanisms.

The campaign stands out for its secure C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.

Analysts at Securonix discovered the attacks but couldn't attribute the campaign to any known threat actors, even though some similarities with past APT37 (Konni) attacks are mentioned in the report.

Targeting employees

The phishing email targeting employees includes a ZIP attachment that contains a shortcut file ("Company & Benefits.pdf.lnk"), which, upon execution, connects to the C2 and launches a chain of PowerShell scripts that infect the system with malware.

Interestingly, the shortcut file doesn't use the commonly abused "cmd.exe" or "powershell.exe" tools but instead relies on the unusual "C:\Windows\System32\ForFiles.exe" command to execute commands.

The next step is to unravel a seven-stage PowerShell execution chain characterized by heavy obfuscation that uses multiple techniques.

Campaign infection chain (Securonix)

The obfuscation techniques seen by Securonix analysts are reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, reordering, string replacement, and backtick obfuscation.

Additionally, the script scans for a list of processes linked to debugging and monitoring software, checks that the screen height is above 777 pixels and the memory is above 4GB to evade sandboxes, and verifies that the system was installed more than three days ago.

Anti-analysis checks performed prior to malware execution (Securonix)

If any of these checks fails, the script will disable the system network adapters, configure the Windows Firewall to block all traffic, delete everything in all detected drives, and then shut down the computer.

The only case when the malware exits without causing any damage is when the system language is set to either Russian or Chinese.

If all checks pass, the script proceeds by disabling PowerShell Script Block Logging and adding Windows Defender exclusions for ".lnk," ".rar," and ".exe" files, as well as for directories critical to the function of the malware.
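The behaviours described above (ForFiles.exe used as the launcher, Script Block Logging disabled, Defender exclusions for ".lnk", ".rar" and ".exe") can be turned into simple hunting rules over host telemetry. The following is an added example written for this article, not code from the Securonix report: it runs over constructed process-creation and registry-set events whose field names are this example's own schema; the registry paths are the standard Windows locations for those settings, not values taken from the report.

```python
import re
from typing import Iterable

# Extensions the report says were added as Defender exclusions.
REPORTED_EXCLUSIONS = {".lnk", ".rar", ".exe"}

# Real Windows registry locations for these settings (standard paths, not values from the report).
SBL_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
DEFENDER_EXT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"


def triage(events: Iterable[dict]) -> list[str]:
    """Return one short finding per event that matches a behaviour described in the report."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            # LNK abuse: ForFiles.exe used as the launcher (its real /c switch runs a command
            # per matched file) instead of the usual cmd.exe or powershell.exe.
            if ev["image"].lower().endswith("\\forfiles.exe") and re.search(r"\s/c\s", ev["cmdline"], re.I):
                parent = ev["parent"].rsplit("\\", 1)[-1]
                findings.append(f"forfiles_launcher parent={parent}")
        elif ev["type"] == "registry":
            key, name, data = ev["key"].lower(), ev["name"], str(ev["data"])
            # Script Block Logging turned off by policy.
            if key == SBL_KEY.lower() and name == "EnableScriptBlockLogging" and data == "0":
                findings.append("scriptblock_logging_disabled")
            # Defender exclusion added for one of the extensions named in the report.
            elif key == DEFENDER_EXT_KEY.lower() and name.lower() in REPORTED_EXCLUSIONS:
                findings.append(f"defender_exclusion {name.lower()}")
    return findings


# Constructed sample telemetry (not from the report); only three of the five events should fire.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\ForFiles.exe",
     "cmdline": r'ForFiles.exe /p C:\Windows /m win.ini /c "cmd /c whoami"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "key": SBL_KEY, "name": "EnableScriptBlockLogging", "data": 0},
    {"type": "registry", "key": DEFENDER_EXT_KEY, "name": ".lnk", "data": 0},
    {"type": "registry", "key": DEFENDER_EXT_KEY, "name": ".log", "data": 0},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Feeding real process-creation and registry events in the same shape (for example from Sysmon event IDs 1 and 13) gives a quick first pass before pivoting to the hunting queries in the Securonix report.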

Persistence is achieved through multiple methods, including adding new Registry keys, embedding the script into a scheduled task, adding a new entry on the Startup directory, and also WMI subscriptions.

Modifying the Registry for persistence (Securonix)

After the PowerShell stager completes the process, an AES-encrypted final payload ("header.png") is downloaded from the C2.

"While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis," explain the researchers.

"Our attempts to decode the payload would only produce garbage data."

C2 infrastructure

The analysts determined that the domains used for the C2 infrastructure supporting this campaign were registered in July 2022 and hosted on DigitalOcean.

Later, the threat actors moved the domains to Cloudflare to benefit from its CDN and security services, including IP address masking, geoblocking, and HTTPS/TLS encryption.

Some C2 domains mentioned in the report include "terma[.]wiki", "terma[.]ink", "terma[.]dev", "terma[.]app", and "cobham-satcom.onrender[.]com".

All in all, this campaign looks like the work of a sophisticated threat actor who knows how to fly under the radar, so make sure to check hunting queries and shared IoCs in Securonix's report.
