An American aerospace company has been the target of a commercial cyberespionage campaign dubbed AeroBlade, which appears to be aimed at carrying out both competitive and commercial cyberespionage.
The threat actor employed spear-phishing as the means of distribution mechanism.
A weaponized document that was delivered as an email attachment reportedly has a malicious VBA macro code embedded in it as well as a remote template injection mechanism to provide the next stage of the payload execution, according to the BlackBerry Threat Research and Intelligence team.
The network infrastructure and weaponization of the attacker appear to have gone active around September 2022, based on the evidence.
Researchers estimate that the attack’s offensive phase took place in July 2023 with medium to high confidence. The network infrastructure stayed the same during that period, but the attacker’s toolset increased, making it stealthier.
There were two campaigns found, and there were a few similarities between them, such as:
There were a few differences between the two campaigns, such as:
A targeted email containing a malicious document attachment with the filename [redacted].docx is the first sign of an infection.
When the document is opened, it shows text in a purposefully jumbled font and a “lure” message requesting that the potential victim click on it to activate the content in Microsoft Office.
The next-stage information is saved in an XML (eXtensible Markup Language) file inside a .dotm file. A.dotm file is a Microsoft Word document template that contains the default layout, settings, and macros for a document.
When the victim manually clicks the “Enable Content” lure message and opens the file, the [redacted].dotm document drops a new file to the system and opens it.
“The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate. In fact, it’s a classic cyber bait-and-switch, performed invisibly right under the victim’s nose”, researchers said.
An executable file that is run on the system via the macro will be the final stage of execution. The final payload is a DLL that connects to a hard-coded C2 server and functions as a reverse shell. With the use of reverse shells, attackers can force communication and gain total control of the target machine by open ports.
An American aerospace organization was the targeted target of both campaigns, based on the content of the lure message. Its goal was probably to obtain insight into its target’s internal resources to assess its vulnerability to a potential ransom demand.
The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) has detected a formidable new cyber threat. Dubbed LockBit Black, this…
In a recent development, Zscaler Inc., a prominent cybersecurity firm, has concluded its investigation into a potential data breach initially…
A notorious threat actor has decided to sell the INC Ransomware code for an unbelievable $300,000. As a result of…
As a sneaky scheme, hackers use DNS tunneling to bypass traditional security measures. By wrapping malicious data inside DNS queries…
iTunes has been found to have an arbitrary code execution vulnerability that might allow attackers to execute malicious code. To…
In a sophisticated cyberattack campaign, hackers are using the online meeting platform GoToMeeting to distribute a Remote Access Trojan known…