A recent cyberattack campaign, possibly motivated by cyber espionage, has targeted several military and weapons contractor businesses with spear-phishing emails that start a multi-stage infection process meant to deliver a still-unidentified payload on compromised workstations.
In recent months this covert effort has targeted several European weapons firms, including a potential supplier to the US F-35 Lightning II fighter aircraft program.
Researchers claim that the attack began in late summer 2022, with at least two prominent military contractor firms as its primary targets.
The infection chain begins with a phishing email carrying a ZIP archive that contains a Windows shortcut (.lnk) file posing as a PDF document titled “Company & Benefits”. Opening the shortcut retrieves a stager, an initial loader whose only job is to fetch the next component of the malware, from a remote server.
When the user executes the .lnk file, a robust chain of stagers starts to run. Each stager is written in PowerShell and is heavily obfuscated; eight distinct stages or layers were observed in all, each using a different set of techniques.
The final stage downloads, decrypts, and executes a remote payload named “header.png” from the URL “terma[.]app/s/static/img/header.png”. The researchers note:
“While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis. Our attempts to decode the payload would only produce garbage data.”
Key aspects of its operation are the use of obfuscated code to hinder analysis, checks for the presence of debugging tools, and an early exit if the system language is set to Chinese or Russian.
“If the system’s language is set to ‘*zh*’ (Chinese) or to ‘*ru*’ (Russian), then the code will simply exit and the computer will shut down.”
The malware also checks the amount of physical memory and, if it is below 4 GB (a low figure typical of analysis sandboxes and virtual machines), silently shuts down the machine it is running on.
If all of these checks pass, the PowerShell stager moves on to defense evasion: it disables PowerShell Script Block Logging, adds Windows Defender exclusions for LNK, RAR, and EXE files, and establishes persistence through either a Windows Registry change or a scheduled task.
The researchers concluded the report with:
“Overall, it is clear that this attack was relatively sophisticated with the malicious threat actor paying specific attention to opsec. There were a lot of relatively recent attack techniques at play, some of which were unfamiliar and required additional analysis such as leveraging the PowerShell Get-Alias cmdlet to perform an invoke expression.”
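The behaviours described above (the language and memory gates, the Script Block Logging tampering, the Defender exclusions, the persistence) and the Get-Alias route to Invoke-Expression mentioned in the researchers' conclusion all leave traces in PowerShell Script Block Logging (Event ID 4104) before logging is switched off, because a script block is recorded when it is compiled, ahead of execution. The hunting logic below is an added example written for this page, not code from the researchers' report. The regular expressions are assumptions about how each behaviour would appear in logged script text, and the event records are constructed, not real telemetry.

```python
"""Hunt PowerShell Script Block Logging events (Event ID 4104) for the stager
behaviours described above: Invoke-Expression reached through Get-Alias, the
zh/ru language gate, the 4 GB memory gate, Script Block Logging tampering,
Defender extension exclusions, and Run-key or scheduled-task persistence.

Added example, not code from the researchers' report.  The regexes are my
assumptions about how each behaviour would appear in logged script text, and
the events below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Indicator name -> regex.  DOTALL variants tolerate a check spread over lines.
RULES = {
    # &(gal i*x), .(gal ?e?), (Get-Alias iex).Definition and similar
    "iex_via_get_alias": re.compile(
        r"[&.]\s*\(\s*(?:gal|get-alias)\b"
        r"|\(\s*(?:gal|get-alias)\b[^)]*\)\s*\.\s*definition", re.I),
    # a culture/locale lookup followed within 200 chars by a 'zh' or 'ru' literal
    "language_gate_zh_ru": re.compile(
        r"(?:get-(?:ui)?culture|get-winsystemlocale|currentculture|installeduiculture)"
        r".{0,200}['\"]\*?(?:zh|ru)\*?['\"]", re.I | re.S),
    # physical memory queried and compared with 4 GB in a common spelling
    "memory_gate_4gb": re.compile(
        r"totalphysicalmemory.{0,120}(?:4gb|4\s*\*\s*1gb|4294967296)", re.I | re.S),
    # the policy registry value, or the in-memory cached copy of the policy
    "scriptblocklogging_tamper": re.compile(
        r"enablescriptblocklogging|cachedgrouppolicysettings", re.I),
    "defender_exclusion": re.compile(
        r"add-mppreference\b[^\r\n|]*-exclusion(?:extension|path|process)", re.I),
    "persistence": re.compile(
        r"currentversion\\run\b|register-scheduledtask|schtasks(?:\.exe)?\s+/create", re.I),
}


def reassemble(events):
    """Join the 4104 fragments of each script block in MessageNumber order.

    Long scripts are logged in pieces that share one ScriptBlockId.  A check that
    straddles a fragment boundary is invisible to fragment-by-fragment matching,
    so the rules are applied to the whole block instead."""
    parts = defaultdict(dict)
    for ev in events:
        if ev["EventID"] == 4104:
            parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {sbid: "".join(frag[n] for n in sorted(frag)) for sbid, frag in parts.items()}


def scan_block(text):
    """Sorted names of the indicators that fire on one script block's text."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def hunt(events, min_hits=2):
    """ScriptBlockId -> indicators, for blocks with at least min_hits indicators.

    One indicator alone (an admin adding a Defender exclusion, say) is noisy;
    the stager stacks several in a single block, so a combination is required."""
    hits = {}
    for sbid, text in reassemble(events).items():
        found = scan_block(text)
        if len(found) >= min_hits:
            hits[sbid] = found
    return hits


# Constructed 4104 records, in the order a collector might deliver them
# (fragment 2 of block a1 arrives before fragment 1).
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": r"""$c -like 'zh*' -or $c -like 'ru*'){Stop-Computer -Force}
Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' EnableScriptBlockLogging 0
Add-MpPreference -ExclusionExtension 'lnk','rar','exe'
Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' Updater $p
&(gal i*x) $payload
"""},
    {"EventID": 4104, "ScriptBlockId": "b7", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": r"""Add-MpPreference -ExclusionPath 'C:\Build\out'
(Get-Culture).DisplayName
"""},
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": r"""$m=(Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
if($m -lt 4GB){Stop-Computer -Force}
$c=(Get-Culture).Name
if("""},
]

if __name__ == "__main__":
    for sbid, found in hunt(SAMPLE_EVENTS).items():
        print(sbid, ", ".join(found))
```

Two points the sample is built to show: the language gate in block a1 is split across two 4104 fragments, so neither fragment matches it on its own and only the reassembled block does; and the benign block b7 (a single Defender exclusion) is dropped by the default two-indicator threshold. On a real fleet, the other check worth making is the absence of later 4104 events from a host that was previously logging them, since the stager's next step is to turn that logging off.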