LinkedIn Spear-Phishing Campaign Targets Aerospace, Military Firms
Threat actors have been impersonating HR employees from a major U.S. supplier of aerospace and defense products known as Collins Aerospace and General Dynamics in a spear-phishing campaign through LinkedIn. Targeted individuals are sent fake job offers that include malicious documents designed to download data-exfiltrating malware on the victim’s computer.
Dubbed ‘Operation In(ter)ception,’ the phishing campaign targeted employees at European and Middle Eastern aerospace and military companies. It ran from September to December 2019, and researchers believe its main goal was espionage. In one case, however, the threat actors used a compromised email account in a ‘business email compromise’ attack, urging a victim’s customer to pay an outstanding invoice to an attacker-controlled bank account, which points to a possible financial motive behind the attacks as well.
Researchers at ESET claim that the attacks were “highly targeted and relied on social engineering over LinkedIn and custom, multistage malware. To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities and impersonated legitimate software and companies. To our knowledge, the custom malware used in Operation In(ter)ception hasn’t been previously documented.”
The first stage of the campaign began with a fake job offer sent through LinkedIn’s messaging service from a “well-known company in a relevant sector.” The impersonated companies included Collins Aerospace and General Dynamics, both legitimate U.S. corporations. The job offer itself was a password-protected RAR archive containing a LNK file; once opened, the LNK displayed a seemingly benign PDF document with salary information and a job description for the fake offer.
The PDF was only a decoy: behind the scenes, the threat actors executed a remote XSL script to download base64-encoded payloads. These payloads were then decoded with the legitimate Windows utility ‘certutil’, which is normally used to dump and display certificate authority (CA) information, configure Certificate Services, back up and restore CA components, and verify certificates. Another Windows utility, rundll32, was used to download and run a PowerShell DLL.
Because logging of executed PowerShell commands is disabled by default, researchers at ESET could not retrieve the commands used by the malware. They did find evidence that the attackers queried the Active Directory server to obtain a list of employees, including administrator accounts, and then used brute-force password cracking techniques against those admin accounts.
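The tradecraft in the two paragraphs above (certutil decoding a dropped payload, rundll32 launching a DLL from a user-writable folder, a command line pulling a remote XSL script, and a burst of failed logons against admin accounts) can be caught from ordinary process-creation and logon telemetry even when PowerShell logging is off. The following is an added example written for this article, not ESET’s tooling or the malware’s code; the event format, field names, host names, account names and the native utility used for the XSL stage (which the article does not name) are constructed placeholders.

```python
"""Detection rules for Operation In(ter)ception-style tradecraft.

Example added for this page (not ESET's code). Events are simplified,
constructed process-creation and logon records; field names are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the admin accounts enumerated from Active Directory.
ADMIN_ACCOUNTS = {"administrator", "svc_admin"}

# certutil invoked with a decode/fetch switch (real certutil switches).
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\b.*\s-(decode|decodehex|urlcache)\b", re.IGNORECASE)
# rundll32 given a DLL path as its first argument.
RUNDLL32_DLL = re.compile(r"rundll32(\.exe)?\s+\"?([^\s\",]+\.dll)", re.IGNORECASE)
# Paths an ordinary user can write to; a DLL loaded from here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)
# Any command line that references an XSL script over HTTP(S).
REMOTE_XSL = re.compile(r"https?://\S+\.xsl\b", re.IGNORECASE)


def _proc(ts, host, image, cmdline):
    return {"ts": ts, "type": "process", "host": host, "image": image, "cmdline": cmdline}


def _logon(ts, host, user, result):
    return {"ts": ts, "type": "logon", "host": host, "user": user, "result": result}


# Constructed sample telemetry (not real events). "PLACEHOLDER_UTILITY" stands in
# for the native utility that ran the remote XSL; the article does not name it.
SAMPLE_EVENTS = [
    _proc("2019-10-01T09:00:00", "ws01", "PLACEHOLDER_UTILITY.exe",
          "PLACEHOLDER_UTILITY.exe http://example.invalid/offer.xsl"),
    _proc("2019-10-01T09:00:01", "ws01", r"C:\Windows\System32\certutil.exe",
          r"certutil -decode C:\Users\jdoe\AppData\Local\Temp\offer.txt C:\Users\jdoe\AppData\Local\Temp\offer.dll"),
    _proc("2019-10-01T09:00:05", "ws01", r"C:\Windows\System32\rundll32.exe",
          r"rundll32 C:\Users\jdoe\AppData\Local\Temp\offer.dll,Start"),
    # Benign activity that must not fire.
    _proc("2019-10-01T09:01:00", "ws02", r"C:\Windows\System32\rundll32.exe",
          r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"),
    _proc("2019-10-01T09:01:30", "ws02", r"C:\Windows\System32\certutil.exe",
          r"certutil -verify C:\Users\amy\cert.cer"),
    # Six failed logons against one admin account inside a minute.
    *[_logon(f"2019-10-01T09:05:{s:02d}", "dc01", "svc_admin", "failure") for s in range(0, 60, 10)],
    _logon("2019-10-01T09:06:00", "dc01", "svc_admin", "success"),
    _logon("2019-10-01T09:06:00", "dc01", "jdoe", "failure"),          # not an admin
    _logon("2019-10-01T09:10:00", "dc01", "administrator", "failure"),  # two failures,
    _logon("2019-10-01T09:25:00", "dc01", "administrator", "failure"),  # 15 minutes apart
]


def detect_lolbin_abuse(events):
    """Return (host, reason, cmdline) for process events matching the rules above."""
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        cmd = e["cmdline"]
        if CERTUTIL_DECODE.search(cmd):
            findings.append((e["host"], "certutil used to decode/fetch a payload", cmd))
        m = RUNDLL32_DLL.search(cmd)
        if m and USER_WRITABLE.search(m.group(2)):
            findings.append((e["host"], "rundll32 loading a DLL from a user-writable path", cmd))
        if REMOTE_XSL.search(cmd):
            findings.append((e["host"], "command line references a remote XSL script", cmd))
    return findings


def detect_admin_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {account: max failures seen within `window`} for admin accounts
    that reach `threshold` failed logons inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["result"] == "failure" and e["user"].lower() in ADMIN_ACCOUNTS:
            failures[e["user"].lower()].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for user, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                hits[user] = max(hits.get(user, 0), count)
    return hits


if __name__ == "__main__":
    for host, reason, cmd in detect_lolbin_abuse(SAMPLE_EVENTS):
        print(f"[{host}] {reason}: {cmd}")
    for user, n in detect_admin_bruteforce(SAMPLE_EVENTS).items():
        print(f"[dc01] {n} failed logons against admin account {user}")
```

In a real deployment the process events would come from Windows Security event 4688 or Sysmon event ID 1 (with command-line auditing enabled) and the logon failures from Security event 4625; neither depends on PowerShell script block logging, which is the gap the attackers benefited from here. The thresholds and path list are starting points to tune against baseline noise.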
Based on the job titles of the targeted employees, researchers believe that Operation In(ter)ception sought technical and business-related information, consistent with an espionage goal. While there are no clear signs of a known threat actor’s involvement, researchers discovered several hints suggesting a possible link to the Lazarus group, including “similarities in targeting, development environment, and anti-analysis techniques.”
Paul Rockwell, LinkedIn’s head of trust and safety, has stated that any accounts created with the intent to mislead or lie to LinkedIn members, or to carry out fraudulent activities, are a direct violation of LinkedIn’s terms of service; as a result, the attacker-owned accounts used in this campaign have been permanently restricted.