Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies | WeLiveSecurity

Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies

ESET researchers uncover targeted attacks against high-profile aerospace and military companies

ESET researchers uncover targeted attacks against high-profile aerospace and military companies

At the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East, active from September to December 2019. A collaborative investigation with two of the affected European companies allowed us to gain insight into the operation and uncover previously undocumented malware.

This blogpost will shed light on how the attacks unfolded. The full research can be found in our white paper, Operation In(ter)ception: Targeted attacks against European aerospace and military companies.

The attacks, which we dubbed Operation In(ter)ception based on a related malware sample named Inception.dll, were highly targeted and clearly intent on staying under the radar.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation and impersonating legitimate software and companies.

According to our investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

While we did not find strong evidence connecting the attacks to a known threat actor, we discovered several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used.

Initial compromise

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Figure 1. A fake job offer sent via LinkedIn to employees at one of the targeted companies

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question. Figure 2 shows an example of such a communication.

Figure 2. Communication between the attackers and an employee at one of the targeted companies

To send the malicious files, the attackers either used LinkedIn directly, or a combination of email and OneDrive. For the latter option, the attackers used fake email accounts corresponding with their fake LinkedIn personas, and included OneDrive links hosting the files.

The shared file was a password-protected RAR archive containing a LNK file. When opened, the LNK file started a Command Prompt that opened a remote PDF file in the target’s default browser.

That PDF, seemingly containing salary information for the reputed job positions, in reality served as a decoy; in the background, the Command Prompt created a new folder and copied the WMI Commandline Utility (WMIC.exe) to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied WMIC.exe.

This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the compromised computer. Figure 3 illustrates the steps leading up to compromise.

Figure 3. Attack scenario from initial contact to compromise

Attacker tools and techniques

The Operation In(ter)ception attackers employed a number of malicious tools, including custom, multistage malware, and modified versions of open-source tools.

We have seen the following components:

  • Custom downloader (Stage 1)
  • Custom backdoor (Stage 2)
  • A modified version of PowerShdll – a tool for running PowerShell code without the use of powershell.exe
  • Custom DLL loaders used for executing the custom malware
  • Beacon DLL, likely used for verifying connections to remote servers
  • A custom build of dbxcli – an open-source, command-line client for Dropbox; used for data exfiltration

Under a typical scenario, the Stage 1 malware – the custom downloader – was downloaded by the remote XSL script (described in the Initial compromise section) and executed using the rundll32 utility. However, we also saw instances where the attackers used one of their custom DLL loaders to run the Stage 1 malware. The main purpose of the custom downloader is to download the Stage 2 payload and run it in its memory.

The Stage 2 payload is a modular backdoor in the form of a DLL written in C++. It periodically sends requests to the server and performs defined actions based on the received commands, such as send basic information about the computer, load a module, or change the configuration. While we didn’t recover any modules received by the backdoor from its C&C server, we did find indications that a module was used to download the PowerShdll.

Besides malware, the adversaries leveraged living off the land tactics, abusing legitimate tools and OS functions to perform various malicious operations, in an attempt to fly under the radar. As for specific techniques, we found that the attackers used WMIC to interpret remote XSL scripts, certutil to decode base64-encoded downloaded payloads, and rundll32 and regsvr32 to run their custom malware.

Figure 4 shows how the various components interacted during the malware’s execution.

Figure 4. Malware execution flow

Besides the living off the land techniques, we found that the attackers made special effort to remain undetected.

First, the attackers disguised their files and folders by giving them legitimate-sounding names. For this purpose, the attackers misused the names of known software and companies, such as Intel, NVidia, Skype, OneDrive and Mozilla. For example, we found malicious files with the following paths:

  • C:\ProgramData\DellTPad\DellTPadRepair.exe
  • C:\Intel\IntelV.cgi

Interestingly, it was not just malicious files that were renamed – the attackers also manipulated the abused Windows utilities. They copied the utilities to a new folder (e.g. C:\NVIDIA) and renamed them (e.g. regsvr32.exe was renamed to NvDaemon.exe)

Second, the attackers digitally signed some components of their malware, namely the custom downloader and backdoor, and the dbxcli tool. The certificate was issued in October 2019 – while the attacks were active – to 16:20 Software, LLC. According to our research, 16:20 Software, LLC is an existing company based in Pennsylvania, USA, incorporated in May 2010.

Third, we found that the Stage 1 malware was recompiled multiple times throughout the operation.

Finally, the attackers also implemented anti-analysis techniques in their custom malware, such as control-flow flattening and dynamic API loading.

Data gathering and exfiltration

According to our research, the attackers used a custom build of dbxcli, an open-source command-line client for Dropbox, to exfiltrate data gathered from their targets. Unfortunately, neither the malware analysis nor the investigation allowed us to gain insight into what files the Operation In(ter)ception attackers were after. However, the job titles of the employees targeted via LinkedIn suggest that the attackers were interested in technical and business-related information.

Business email compromise

In one of the investigated cases, the attackers didn’t just stop at data exfiltration – as a final stage of the operation, they attempted to monetize the access to a victim’s email account through a BEC attack.

First, leveraging existing communication in the victim’s emails, the attackers tried to manipulate a customer of the targeted company to pay a pending invoice to their bank account, as seen in Figure 5. For further communication with the customer, they used their own email address mimicking the victim’s.

Here, the attackers were unsuccessful – rather than paying the invoice, the customer responded with inquiries about the requested sum. As the attackers urged the customer to pay, the customer ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side.

Figure 5. BEC email sent from a victim’s compromised email account

Attribution hints

Although our investigation didn’t reveal compelling evidence tying the attacks to a known threat actor, we identified several hints suggesting a possible link with the Lazarus group. Notably, we found similarities in targeting, use of fake LinkedIn accounts, the development environment, and anti-analysis techniques used. Besides that, we have seen a variant of the Stage 1 malware that carried a sample of Win32/NukeSped.FX, which belongs to a malicious toolset that ESET attributes to the Lazarus group.


Our investigation uncovered a highly targeted operation notable for its compelling, LinkedIn-based social engineering scheme, custom modular malware and cunning detection evasion tricks. Interestingly, while Operation In(ter)ception showed all the signs of cyberespionage, the attackers apparently also had financial gain as a goal, as evidenced by the attempted BEC attack.

Special thanks to Michal Cebák for his work on this investigation.

For the full description of the attacks, as well as technical analysis of the previously undocumented malware and Indicators of Compromise (IoCs), please refer to our paper, Operation In(ter)ception: Targeted attacks against European aerospace and military companies.

IoCs collected from the attacks can also be found on the ESET GitHub repository.

MITRE ATT&CK techniques

Initial AccessT1194Spearphishing via ServiceLinkedIn is used to contact the target and provide a malicious attachment.
ExecutionT1059Command-Line Interfacecmd.exe used to create a scheduled task to interpret a malicious XSL script via WMIC.
T1106Execution through APIMalware uses CreateProcessA API to run another executable.
T1086PowerShellA customized .NET DLL is used to interpret PowerShell commands.
T1117Regsvr32The regsvr32 utility is used to execute malware components.
T1085Rundll32The rundll32 utility is used to execute malware components.
T1053Scheduled TaskWMIC is scheduled to interpret remote XSL scripts.
T1047Windows Management InstrumentationWMIC is abused to interpret remote XSL scripts.
T1035Service ExecutionA service is created to execute the malware.
T1204User ExecutionThe attacker relies on the victim to extract and execute a LNK file from a RAR archive received in an email attachment.
T1220XSL Script ProcessingWMIC is used to interpret remote XSL scripts.
PersistenceT1050New ServiceA service is created to ensure persistence for the malware.
T1053Scheduled TaskUpon execution of the LNK file, a scheduled task is created that periodically executes WMIC.
Defense EvasionT1116Code SigningMalware signed with a certificate issued for “16:20 Software, LLC”.
T1140Deobfuscate/Decode Files or Informationcertutil.exe is used to decode base64-encoded malware binaries.
T1070Indicator Removal on HostAttackers attempt to remove generated artifacts.
T1036MasqueradingMalware directories and files are named as, or similar to, legitimate software or companies.
T1027Obfuscated Files or InformationMalware is heavily obfuscated and delivered in base64-encoded form.
T1117Regsvr32The regsvr32 utility is used to execute malware components.
T1085Rundll32The rundll32 utility is used to execute malware components.
T1078Valid AccountsAdversary uses compromised credentials to log into other systems.
T1220XSL Script ProcessingWMIC is used to interpret remote XSL scripts.
Credential AccessT1110Brute ForceAdversary attempts to brute-force system accounts.
DiscoveryT1087Account DiscoveryAdversary queries AD server to obtain system accounts.
T1012Query RegistryMalware has ability to query registry to obtain information such as Windows product name and CPU name.
T1018Remote System DiscoveryAdversary scans IP subnets to obtain list of other machines.
T1082System Information DiscoveryMalware has ability to gather information such as Windows product name, CPU name, username, etc.
CollectionT1005Data from Local SystemAdversary collects sensitive data and attempts to upload it using the Dropbox CLI client.
T1114Email CollectionAdversary has access to a victim’s email and may utilize it for a business email compromise attack
Command and ControlT1071Standard Application Layer ProtocolMalware uses HTTPS protocol.
ExfiltrationT1002Data CompressedExfiltrated data is compressed by RAR.
T1048Exfiltration Over Alternative ProtocolExfiltrated data is uploaded to Dropbox using its CLI client.
T1537Transfer Data to Cloud AccountExfiltrated data is uploaded to Dropbox.