AeroBlade: Unknown spies targeted the US aerospace industry

Researchers have discovered two mysterious cyberattacks on one of the largest companies in the industry.

A team of researchers has identified two cyberattacks carried out by a previously unknown group codenamed AeroBlade. Their target was one of the leading companies in the American aerospace industry. The first phase of the attack occurred in September 2022 and apparently served as a kind of "rehearsal". The second was recorded in July 2023.

Both campaigns shared several techniques:

1. Decoy documents were named "[hidden].docx".

2. The final payload of the attack was a reverse shell.

3. The IP address of the command and control server (C2) remained unchanged.

However, there are also key differences:

1. In the 2023 attack, the final payload was more heavily concealed, and additional anti-analysis methods were used.

2. The 2023 payload added a feature that lists directories on infected computers.

The attack begins with a phishing email distributing a malicious Microsoft Word document named "[hidden].docx". When the victim opens it, they see text in an unreadable font and a message asking them to enable content in order to view it in MS Office. Enabling content downloads the second stage of the attack: the "[hidden].dotm" file.

The .docx document received by the victim uses the remote template injection technique (MITRE ATT&CK T1221) to initiate the second stage of the infection. This technique lets an attacker deliver malicious content to a document through a remote template.

After the .docx document is opened and its content enabled, hidden.dotm is automatically downloaded to the computer. A .dotm file is a Microsoft Word template that can carry specific settings and macros.

At the second stage of the attack, the macros themselves pose the threat. They perform two key functions: first, they execute the library embedded in the document obtained in the first stage; second, they copy it to a predetermined location on the victim's hard drive.

The final payload is a DLL that acts as a reverse shell connecting to the C2 server. It allows the attacker to open ports on target devices, providing full control over them. The DLL can also list all directories on an infected system and uses sophisticated obfuscation and anti-detection techniques.

The researchers also found two malware samples dating from mid-2022, which are likewise reverse shells pointing to the same IP address as the 2023 samples.

Improvements to the group's tooling indicate that it has been active for at least a year. However, the identities of its members remain unknown.

Given the sophistication of the techniques used and the timing of the attacks, the campaign's goal was most likely commercial cyber espionage. The attackers were probably trying to gather information about the internal structure and resources of the targeted organization in order to calculate a ransom amount and identify leverage for the future.