Unlike the high-stakes aerospace espionage carried out by major nation-state and ransomware groups in recent years, this latest bout, documented last week by Blackberry, follows a characteristically old script: a phishing bait-and-switch, template injection, VBA macro code, and so on.
The campaign - split into a testing phase and an execution phase - managed to remain undetected for the better part of a year thanks to thorough anti-analysis protections.
The ultimate success of the campaign, and the nature of any data which might have been accessed, is not yet known.
Aerospace Espionage, via Word

The two attacks began, as so many before them have, with lure documents attached to phishing emails.
Once opened, the attachments turned out to be Microsoft Word documents with scrambled text.
Mimicking the macro notifications of old, the fake prompt lured victims into clicking and, unwittingly, retrieving and executing a malicious Microsoft Word template file.
Injected into the template were a legible decoy document and the instructions for the second-stage infection.
The final payload at the end of this chain was a dynamic link library (DLL) file acting as a reverse shell.
The payload collected and exfiltrated system information and directories, and established persistence by creating a task in Windows Task Scheduler, to trigger every morning at 10:10 AM local time.
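Scheduled-task persistence of the kind described above leaves a durable artifact: an XML task definition (exported with `schtasks /Query /XML` or read from the task store under C:\Windows\System32\Tasks) that records the trigger time and the action. The script below is an added example, not code from the article or from BlackBerry's analysis. It parses such definitions and flags any whose action, or the DLL a rundll32 action loads, lives outside trusted system directories; the two task definitions, the user profile path and the DLL name are constructed placeholders, and the "daily at 10:10" trigger mirrors the pattern the article describes rather than any real task.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Namespace used by Task Scheduler XML (schtasks /Query /XML, C:\Windows\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a legitimately installed action is expected to run from. Anything
# else (user profiles, temp, ProgramData) is worth an analyst's look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Two constructed task definitions (not from the campaign): an ordinary weekly
# maintenance task, and one mirroring the article's pattern, a daily 10:10
# trigger whose action loads a DLL from a user profile. Path and DLL name are placeholders.
BENIGN_TASK = r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-01-05T03:00:00</StartBoundary>
      <ScheduleByWeek>
        <DaysOfWeek><Sunday/></DaysOfWeek>
        <WeeksInterval>1</WeeksInterval>
      </ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\defrag.exe</Command>
      <Arguments>-c -h</Arguments>
    </Exec>
  </Actions>
</Task>
"""

SUSPICIOUS_TASK = r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-03-01T10:10:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\PLACEHOLDER\update.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>
"""


@dataclass
class TaskSummary:
    name: str
    trigger: str                  # trigger element name, e.g. CalendarTrigger
    start_time: str               # HH:MM:SS part of StartBoundary
    days_interval: Optional[int]  # set only for ScheduleByDay triggers
    command: str
    arguments: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _untrusted(path: str) -> bool:
    p = path.strip().strip('"').lower()
    return bool(p) and not p.startswith(TRUSTED_PREFIXES)


def summarise_task(name: str, xml_text: str) -> TaskSummary:
    root = ET.fromstring(xml_text.strip())
    trig = root.find("t:Triggers/*", NS)
    trigger = trig.tag.split("}")[-1] if trig is not None else "none"
    start = root.findtext("t:Triggers/*/t:StartBoundary", default="", namespaces=NS)
    start_time = start.split("T", 1)[1] if "T" in start else ""
    interval = root.findtext("t:Triggers/*/t:ScheduleByDay/t:DaysInterval", default=None, namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    summary = TaskSummary(name, trigger, start_time, int(interval) if interval else None, command, arguments)

    if _untrusted(command):
        summary.reasons.append(f"action runs from an untrusted location: {command}")
    # A signed system binary as the action proves nothing on its own: for rundll32
    # the code that actually runs is the DLL named in the arguments.
    if "rundll32" in command.lower():
        dll = arguments.split(",", 1)[0]
        if _untrusted(dll):
            summary.reasons.append(f"rundll32 loads a DLL from an untrusted location: {dll}")
    return summary


def triage(tasks: dict) -> List[TaskSummary]:
    """Return the summaries of every task that raised at least one reason."""
    return [s for s in (summarise_task(n, x) for n, x in tasks.items()) if s.suspicious]


if __name__ == "__main__":
    for s in triage({"WeeklyMaintenance": BENIGN_TASK, "Updater": SUSPICIOUS_TASK}):
        sched = f"every {s.days_interval} day(s) at {s.start_time}" if s.days_interval else s.trigger
        print(f"{s.name}: {sched}; " + "; ".join(s.reasons))
```

The schedule itself is reported as context rather than used as a signal: plenty of legitimate tasks fire daily at a fixed time, and what distinguishes the case described in the article is where the loaded code lives, not when it runs.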
The executable used custom encoding for each string, and API hashing with MurmurHash to conceal which Windows functions it called.
It also came fitted with a number of anti-disassembly techniques, including control flow obfuscation, splicing data into code, and dead-code instructions - code which gets executed, but whose result has no bearing on the rest of the program - to throw off analysts.
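API hashing of the kind mentioned above means the binary carries no readable import names: it walks a DLL's export table at run time and compares a hash of each name against a stored constant. The analyst's countermeasure is to compute the same hash over known export names and look the stored constants up. The block below is an added example, not code from the article or from BlackBerry's analysis. It assumes the MurmurHash3 x86_32 variant with seed 0 (the article says only "MurmurHash"); `API_NAMES` is a small constructed list standing in for real export tables, and `build_table`, `resolve` and `find_seed` are hypothetical helper names.

```python
import struct
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, following Austin Appleby's reference algorithm.

    Assumption: this is the variant the sample used; the article does not say.
    """
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte little-endian blocks
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                      # remaining 0..3 bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)                                 # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


# Constructed sample of export names; a real run feeds in every export of every
# DLL the sample could resolve (kernel32, advapi32, ws2_32, ...), e.g. via pefile.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile", "ReadFile",
    "CreateProcessW", "VirtualAlloc", "CreateRemoteThread", "WSAStartup",
    "connect", "send", "recv", "RegSetValueExW", "FindFirstFileW", "FindNextFileW",
]


def build_table(names: Iterable[str], seed: int = 0) -> Dict[int, str]:
    """Map hash -> export name for one seed, so constants pulled from a sample can be resolved."""
    return {murmur3_32(n.encode("ascii"), seed): n for n in names}


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Return the export name behind a 32-bit constant, or None if it is not in the table."""
    return table.get(h & MASK32)


def find_seed(known_name: str, observed_hash: int, max_seed: int = 1 << 16) -> Optional[int]:
    """When the seed is unknown but one (name, hash) pair has been confirmed by
    debugging, try small seeds until the pair reproduces."""
    target = known_name.encode("ascii")
    for seed in range(max_seed):
        if murmur3_32(target, seed) == observed_hash:
            return seed
    return None


if __name__ == "__main__":
    table = build_table(API_NAMES)
    # Constants an analyst might read out of a sample's resolver routine (constructed here).
    for const in (murmur3_32(b"VirtualAlloc"), murmur3_32(b"connect"), 0x12345678):
        print(f"{const:#010x} -> {resolve(const, table)}")
```

Two caveats an analyst hits in practice: hashing routines often normalise the name first (lower-casing it, or including the terminating NUL byte), so the table may need to be built over several such transforms; and a custom seed or tweaked constants, which the article's description leaves open, are why the table should be rebuilt once one pair is confirmed in a debugger.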
This Cyber News was published on www.darkreading.com. Publication date: Mon, 04 Dec 2023 21:40:24 +0000