ESET investigators have identified a malicious operation against companies in the aerospace and defense sectors, with the possibility that this operation is related to the well-known group of cybercriminals Lazarus.
ESET researchers identify targeted cyber-attacks LinkedIn, which in addition to espionage also aimed at financial gain.
These cyber-attacks are distinguished by the use of techniques spearphishing and their ability to use impressive methods in order to go unnoticed. ESET researchers named this particular operation In(ter)ception with base related malware sample named “Inception.dll,”;
The attacks studied by ESET's team of scientists started with a simple message on LinkedIn. "The message was about a fairly plausible offer work και φαινομενικά προερχόταν από γνωστή company in a related field. Of course, the LinkedIn profile was fake and the files sent were malicious,” comments Dominik Breitenbacher, the ESET malware researcher who analyzed the malware and led the investigation.
The malicious files were sent via LinkedIn messages or emails containing a link to OneDrive. For the second case, the attackers created email accounts that corresponded to fake LinkedIn accounts.
As soon as the recipient opened the file, a seemingly innocent PDF document with payroll information related to the fake job offer appeared. Meanwhile, malware had already been silently installed on the victim's computer. In this way, the attackers were able to gain initial access and a permanent presence in the recipient's system.
The intruders then performed a series of steps described by ESET researchers in Whitepaper with Title "Operation In (ter) ception: Targeted attacks on European aerospace and defense companies”. Some of the tools used by cybercriminals were custom multi-level malware that often appeared as legitimate software, as well as modified versions of open source tools. In addition, cybercriminals used "living-off-the-land" techniques, that is, the use of pre-installed Windows utilities to perform malicious functions.
"The attacks that we investigated brought all the data of an espionage attack, with several indications suggesting a possible link to the notorious Lazarus cybercriminal group. However, neither the analysis of the malware nor the investigation allowed us to gain insight into the files the attackers were targeting,” comments Breitenbacher.
In addition to espionage, ESET investigators found evidence that the intruders tried to use the breached accounts to extract money from other companies.
In electronic post office of the victim, the attackers found emails that the victim had exchanged with a customer regarding an outstanding invoice. The cybercriminals listened to the conversation and urged the customer to repay the invoice – of course, the money would end up in the cybercriminals' bank account. Fortunately, the client of the victim company suspected something was wrong and contacted the victim thus preventing the cyber attack.
"The specific cyber attack for monetary gain through access to the victim network should serve as another incentive for all of us to implement strong intruder protection systems and for companies to educate their employees on cybersecurity issues. Such training could help employees identify lesser-known social engineering techniques, such as those used in Operation In (ter) ception, ”concludes Breitenbacher.
The malicious operation took place from September to December 2019.
For more technical details about Operation In (ter) ception, visit blogpost or download the White Paper from WeLiveSecurity.com.
