A previously unknown threat actor has been linked to a cyber attack targeting an aerospace organization in the US, which is suspected to be a cyber espionage mission.
The BlackBerry Threat Research and Intelligence team is tracking the activity cluster known as AeroBlade. Its origin is currently unknown and it is unclear whether the attack was successful or not.
“The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution,” the company said in an analysis published last week.
The network infrastructure used for the attack is said to have gone live around September 2022, with the offensive phase of the intrusion occurring nearly a year later in July 2023, but not before the adversary took steps to improve its toolset and make it stealthier in the intervening period.
The initial attack, which took place in September 2022, commenced with a phishing email bearing a Microsoft Word attachment that, when opened, used a technique called remote template injection to retrieve a next-stage payload that's executed once the victim enables macros. In this technique the attachment itself carries little more than a reference to a template hosted on attacker-controlled infrastructure; Word fetches that template when the file is opened, which keeps the malicious content out of the attachment that mail gateways scan.
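As an added example, not code from the BlackBerry report or from this article, the following Python script checks a Word document for the two features just described: a template relationship that points outside the file, and an embedded VBA project. The sample document it builds is constructed in memory for the demonstration, and the template URL in it is a placeholder on a TEST-NET address, not an indicator from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
VBA_PART = "word/vbaProject.bin"  # present only in macro-enabled documents


def inspect_docx(data: bytes) -> dict:
    """Return the external template targets and macro presence found in a Word OOXML file."""
    findings = {"remote_templates": [], "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        findings["has_vba_project"] = VBA_PART in names
        if SETTINGS_RELS in names:
            root = ET.fromstring(z.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # An attached template matters only when Word must fetch it from outside the package.
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    findings["remote_templates"].append(rel.get("Target", ""))
    return findings


def is_remote_template_injection(findings: dict) -> bool:
    """True when the document pulls its template over HTTP(S); UNC or file: targets are reported, not flagged."""
    return any(t.lower().startswith(("http://", "https://")) for t in findings["remote_templates"])


def build_sample_docx(template_target: str = "", with_vba: bool = False) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, not a real malicious sample)."""
    settings = f'<w:settings xmlns:w="{WML_NS}" xmlns:r="{R_NS}">'
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target:
        settings += '<w:attachedTemplate r:id="rId1"/>'
        rels += (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
        )
    settings += "</w:settings>"
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", f'<w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, rels)
        if with_vba:
            # OLE header bytes only; stands in for a real VBA project container.
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical attacker URL on a TEST-NET address; a real sample carries its own.
    doc = build_sample_docx("http://203.0.113.5/template.dotm")
    result = inspect_docx(doc)
    print(result, "remote template injection" if is_remote_template_injection(result) else "clean")
```

On a real attachment, run inspect_docx on the file bytes; a document that both references an external template and carries no vbaProject.bin of its own is the classic shape of this technique, because the macro arrives with the fetched template rather than in the attachment.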
The attack chain ultimately led to the deployment of a dynamic-link library (DLL) that functions as a reverse shell, connecting to a hard-coded command-and-control (C2) server and transmitting system information to the attackers.
The information gathering capabilities also include enumerating the complete list of directories on the infected host, indicating that this could be a reconnaissance effort carried out to see if the machine hosts any valuable data and aid its operators in strategizing their next steps.
“Reverse shells allow attackers to open ports to target machines, force communications, and completely take over the device,” said Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry. “So this is a serious security threat.”
The heavily obfuscated DLL is also equipped with anti-analysis and anti-disassembly techniques, making it challenging to detect and isolate, and it refuses to execute in sandboxed environments. Persistence is accomplished through the Windows Task Scheduler: the malware registers a scheduled task named "WinUpdate2" that runs every day at 10:10 am.
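As an added example, not code from the BlackBerry report or this article, the following Python script parses scheduled-task definitions in the XML format Windows stores under C:\Windows\System32\Tasks and flags the two indicators reported here (the task name "WinUpdate2" and a daily trigger at 10:10), plus one generic heuristic that is an assumption of this example rather than a finding of the report: a DLL-hosting binary such as rundll32.exe pointed at a file in a user-writable directory. Both task definitions below are constructed for the demonstration; the article does not say how the DLL was launched, so the rundll32 command and the DLL path are placeholders.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators as reported in the article above.
KNOWN_TASK_NAMES = {"WinUpdate2"}
KNOWN_DAILY_TIMES = {"10:10"}

# Hypothetical heuristic, not from the report: a DLL host binary loading from a user-writable path.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)

# Constructed task definition shaped like the persistence described in the article.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WinUpdate2</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-07-03T10:10:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\Public\update.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: daily maintenance from a system path.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\defrag.exe</Command><Arguments>-c -h</Arguments></Exec>
  </Actions>
</Task>"""


def _text(elem, path: str) -> str:
    node = elem.find(path, TASK_NS)
    return (node.text or "").strip() if node is not None else ""


def analyze_task(xml_text: str) -> dict:
    """Extract name, daily trigger times and action from a task XML and list the reasons it looks suspicious."""
    root = ET.fromstring(xml_text)
    name = _text(root, "t:RegistrationInfo/t:URI").rsplit("\\", 1)[-1]
    daily_times = []
    for trig in root.findall("t:Triggers/t:CalendarTrigger", TASK_NS):
        if trig.find("t:ScheduleByDay", TASK_NS) is not None:
            start = _text(trig, "t:StartBoundary")  # ISO 8601, e.g. 2023-07-03T10:10:00
            daily_times.append(start.split("T", 1)[1][:5] if "T" in start else "")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    arguments = _text(root, "t:Actions/t:Exec/t:Arguments")
    reasons = []
    if name in KNOWN_TASK_NAMES:
        reasons.append(f"task name matches reported indicator: {name}")
    for hhmm in daily_times:
        if hhmm in KNOWN_DAILY_TIMES:
            reasons.append(f"daily trigger at reported time {hhmm}")
    host = command.rsplit("\\", 1)[-1].lower()
    if host in DLL_HOSTS and USER_WRITABLE.search(arguments):
        reasons.append(f"{host} loading a DLL from a user-writable path")
    return {"name": name, "daily_times": daily_times, "command": command,
            "arguments": arguments, "reasons": reasons}


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, analyze_task(xml_text)["reasons"])
```

To hunt across a host, feed every file under C:\Windows\System32\Tasks through analyze_task; the name and time checks catch this specific campaign, while the user-writable-path heuristic is the one that still fires after the operators rename the task.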
“During the time that elapsed between the two campaigns we observed, the threat actor put considerable effort into developing additional resources to ensure they could secure access to the sought-after information, and that they could exfiltrate it successfully,” Bestuzhev said.