ESET investigators have identified a malicious operation against companies in the aerospace and defense sectors, with the possibility that this operation is related to the well-known group of cybercriminals Lazarus.
ESET researchers identify targeted cyber-attacks LinkedInWhich except from espionage they also aimed for financial gain.
These cyber-attacks are distinguished by the use of techniques spearphishing and their ability to use impressive methods in order to go unnoticed. ESET researchers named the specific operation In(ter)ception based on a sample of related malicioussoftware named “Inception.dll,”.
The attacks studied by the ESET team of scientists began with a simple message on LinkedIn. "The message was about a very plausible job offer and apparently came from a well-known company in a relevant field. Of course, the LinkedIn profile was fake and the files sent were malicious, "said Dominik Breitenbacher, a malicious ESET researcher who analyzed the malware and led the investigation.
The malicious files were sent via LinkedIn messages or emails containing a link to OneDrive. For the second case, the attackers created email accounts that corresponded to fake LinkedIn accounts.
As soon as the recipient opened it archive, a seemingly innocuous PDF document was displayed with payroll information related to the fake job offer. Meanwhile, malware had already been silently installed on the victim's computer. In this way, the attackers were able to gain initial access and permanent presence on the recipient's system.
The intruders then performed a series of steps described by ESET researchers in Whitepaper with Title "Operation In (ter) ception: Targeted attacks on European aerospace and defense companies". Some of the tools used by cybercriminals were custom multi-layered malware often masquerading as legitimate software, as well as modified versions of open source tools. In addition, cybercriminals utilized “living-off-the-land” techniques, i.e. use of pre-installed auxiliary tools of Windows to perform malicious operations.
"The attacks which we investigated bore all the evidence of an attack aimed at espionage, with several indications suggesting a possible connection to the famous cybercrime group Lazarus. However, neither the malware analysis nor the research allowed us to get an idea of the files that the intruders were targeting, ”comments Breitenbacher.
In addition to espionage, ESET investigators found evidence that the intruders tried to use the breached accounts to extract money from other companies.
In the victim's e-mail, the intruders located emails that the victim had exchanged with his client about an invoice that was pending. The cybercriminals monitored the discussion and urged the customer to pay the bill - of course, the money would end up in the cybercriminals' bank account. Fortunately, the victim's client suspected that something was wrong and contacted the victim, thus preventing the cyber attack.
"The specific cyber attack for financial gain through access to the victim's network should act as yet another incentive for all of us to implement strong protection systems against intruders and for companies to educate their employees on cyber issuesbetter safetys. Such training could help workers recognize lesser-known social engineering techniques, such as those used in Operation In(ter)ception,” concludes Breitenbacher.
The malicious operation took place from September to December 2019.
For more technical details about Operation In (ter) ception, visit blogpost or download the White Paper from WeLiveSecurity.com.