ESET investigators have identified a malicious operation against companies in the aerospace and defense sectors, with the possibility that this operation is related to the well-known group of cybercriminals Lazarus.
ESET researchers identify targeted cyber-attacks LinkedIn, which in addition to espionage also aimed at financial gain.
These cyber-attacks are distinguished by the use of techniques spearphishing and their ability to use impressive methods in order not to be perceived. ESET researchers named the company In (ter) ception based on a sample of related malware called "Inception.dll,".
The attacks studied by the ESET team of scientists began with a simple message on LinkedIn. "The message was about a very plausible job offer and apparently came from a well-known company in a relevant field. Of course, the LinkedIn profile was fake and the files sent were malicious, "said Dominik Breitenbacher, a malicious ESET researcher who analyzed the malware and led the investigation.
The malicious files were sent via LinkedIn messages or emails containing a link to OneDrive. For the second case, the attackers created email accounts that corresponded to fake LinkedIn accounts.
As soon as the recipient opened the file, a seemingly innocent PDF document with payroll information related to the fake job offer appeared. Meanwhile, malware had already been silently installed on the victim's computer. In this way, the attackers were able to gain initial access and a permanent presence in the recipient's system.
The intruders then performed a series of steps described by ESET researchers in Whitepaper with Title "Operation In (ter) ception: Targeted attacks on European aerospace and defense companies”. Some of the tools used by cybercriminals were custom multi-level malware that often appeared as legitimate software, as well as modified versions of open source tools. In addition, cybercriminals used "living-off-the-land" techniques, that is, the use of pre-installed Windows utilities to perform malicious functions.
"The attacks which we investigated bore all the evidence of an attack aimed at espionage, with several indications suggesting a possible connection to the famous cybercrime group Lazarus. However, neither the malware analysis nor the research allowed us to get an idea of the files that the intruders were targeting, ”comments Breitenbacher.
In addition to espionage, ESET investigators found evidence that the intruders tried to use the breached accounts to extract money from other companies.
In the victim's e-mail, the intruders located emails that the victim had exchanged with his client about an invoice that was pending. The cybercriminals monitored the discussion and urged the customer to pay the bill - of course, the money would end up in the cybercriminals' bank account. Fortunately, the victim's client suspected that something was wrong and contacted the victim, thus preventing the cyber attack.
"The specific cyber attack for monetary gain through access to the victim network should serve as another incentive for all of us to implement strong intruder protection systems and for companies to educate their employees on cybersecurity issues. Such training could help employees identify lesser-known social engineering techniques, such as those used in Operation In (ter) ception, ”concludes Breitenbacher.
The malicious operation took place from September to December 2019.
For more technical details about Operation In (ter) ception, visit blogpost or download the White Paper from WeLiveSecurity.com.