ESET investigators have identified a malicious operation against companies in the aerospace and defense sectors, with the possibility that this operation is related to the well-known group of cybercriminals Lazarus.
ESET researchers identify targeted cyber-attacks LinkedIn, which in addition to espionage also aimed at financial gain.
These cyber-attacks are distinguished by the use of techniques spearphishing and their ability to use impressive methods in order not to be perceived. ESET researchers named the company In (ter) ception based on a sample of related malware called "Inception.dll,".
The attacks studied by ESET's team of scientists started with a simple message on LinkedIn. "The message referred to a fairly plausible job offer and apparently came from someone she knew company σε σχετικό τομέα. Φυσικά, το προφίλ στο LinkedIn ήταν false and the files sent were malicious,” comments Dominik Breitenbacher, the ESET malware researcher who analyzed the malware and led the investigation.
The malicious files were sent via LinkedIn messages or via email containing a link to OneDrive. For the second case, the attackers created email accounts that corresponded to the fake LinkedIn accounts.
As soon as the recipient opened the file, a seemingly innocent PDF document with payroll information related to the fake job offer appeared. Meanwhile, malware had already been silently installed on the victim's computer. In this way, the attackers were able to gain initial access and a permanent presence in the recipient's system.
The intruders then performed a series of steps described by ESET researchers in Whitepaper with Title "Operation In (ter) ception: Targeted attacks on European aerospace and defense companies". Some of the tools used by cybercriminals were custom multi-layered malware often masquerading as legitimate software, as well as modified versions of open source tools. In addition, cybercriminals utilized “living-off-the-land” techniques, i.e. use of pre-installed auxiliary tools of Windows to perform malicious operations.
"The attacks which we investigated bore all the evidence of an attack aimed at espionage, with several indications suggesting a possible connection to the famous cybercrime group Lazarus. However, neither the malware analysis nor the research allowed us to get an idea of the files that the intruders were targeting, ”comments Breitenbacher.
In addition to espionage, ESET investigators found evidence that the intruders tried to use the breached accounts to extract money from other companies.
In the victim's e-mail, the intruders located emails that the victim had exchanged with his client about an invoice that was pending. The cybercriminals monitored the discussion and urged the customer to pay the bill - of course, the money would end up in the cybercriminals' bank account. Fortunately, the victim's client suspected that something was wrong and contacted the victim, thus preventing the cyber attack.
"The specific cyber attack για προσπορισμό χρηματικού οφέλους μέσω της πρόσβασης στο δίκτυο του θύματος θα πρέπει να λειτουργήσει ως ακόμα ένα κίνητρο για να εφαρμόζουμε όλοι ισχυρά συστήματα προστασίας κατά των εισβολέων και για να εκπαιδεύουν οι εταιρείες τους εργαζόμενούς τους σε θέματα κυβερνοασφάλειας. Μια τέτοια εκπαίδευση θα μπορούσε να βοηθήσει τους εργαζομένους να αναγνωρίζουν λιγότερο γνωστές τεχνικές κοινωνικής engineerings, such as those used in Operation In(ter)ception" concludes Breitenbacher.
The malicious operation took place from September to December 2019.
For more technical details about Operation In (ter) ception, visit blogpost or download the White Paper from WeLiveSecurity.com.
