AeroBlade: Unknown spies targeted the US aerospace industry
<blockquote data-quote="Brianwill" data-source="post: 910" data-attributes="member: 15">
<p>Researchers have discovered two mysterious cyberattacks on one of the largest companies in the industry.</p>
<p>A team of <a href="https://blogs.blackberry.com/en/author/the-blackberry-research-and-intelligence-team" target="_blank">BlackBerry</a> researchers has identified two cyberattacks carried out by a previously unknown group codenamed AeroBlade. Their goal was one of the leading companies in the American aerospace industry. The first phase of the attack occurred in September 2022 and, apparently, served as a kind of "rehearsal". The second one was recorded in July 2023.</p>
<p>Many common techniques were used in both campaigns:</p>
<p>1. Decoy documents were labeled "[hidden].docx".</p>
<p>2. The final target of the attack was a reverse shell.</p>
<p>3. The IP address of the command and control server (C2) remained unchanged.</p>
<p>However, there are also key differences:</p>
<p>1. In the 2023 attack, the final payload was more secretive, and additional methods of hindering analysis were used.</p>
<p>2. In the 2023 payload, a feature has been added that allows you to list directories on infected computers.</p>
<p>The attack begins with a phishing email distributing a malicious Microsoft Word document called "[hidden].docx". When opening it, the victim sees text written in an illegible font and a message asking them to activate the content for viewing in MS Office. Activation results in downloading the second stage of the attack: the "[hidden].dotm" file.</p>
<p>The .docx document received by the victim uses the remote template injection technique (according to the MITRE ATT&amp;CK classification, code T1221) to initiate the second stage of infection. This technique allows an attacker to inject malware into a document via a remote template.</p>
<p>After the .docx document is opened and its content is activated, [hidden].dotm is automatically downloaded to the computer. A .dotm file is a Microsoft Word template that includes specific settings and macros.</p>
<p>At the second stage of the attack, the macros themselves pose a threat. They perform two key functions: first, they run the library embedded in the document obtained in the first stage. Second, they copy it to a pre-determined location on the victim's hard drive.</p>
<p>The final payload is a DLL file that acts as a reverse shell that connects to the C2 server. It allows you to open ports on target devices, providing full control over them. The DLL is also capable of listing all directories on an infected system and uses sophisticated obfuscation and anti-detection techniques.</p>
<p>The researchers found two malware samples dating back to mid-2022, which are also reverse shells pointing to the same IP address as the 2023 samples.</p>
<p>Improvements to the tools used by this group indicate that it has been active for at least a year. However, the identities of the participants remain unknown.</p>
<p>Given the high level of complexity of the techniques used by hackers, as well as the time frame of the attacks, it can be concluded that the goal of the campaign was commercial cyber espionage. Most likely, they were trying to gather information about the internal structure and resources of the attacked organization in order to correctly calculate the ransom amount and identify leverage in the future.</p>
</blockquote>
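As an added example (not part of Brianwill's post or of BlackBerry's research), here is a defender-side Python check for the remote template injection step (T1221) the post describes. A .docx is a zip package, and the pointer to an attached template lives in a relationships part, normally word/_rels/settings.xml.rels, as a Relationship of the real OOXML attachedTemplate type with TargetMode="External"; Word resolves that target when the file is opened, which is exactly the "activate content, then the .dotm arrives" step above. The scanner walks every .rels part and reports external attachedTemplate targets. The sample document it builds is constructed in memory for the test, and the template URL in it is a placeholder, not an indicator from the post.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Real OOXML relationship type Word uses for an attached template, and the
# package relationships namespace. These are standard identifiers, not
# anything taken from the AeroBlade samples.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    "attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_templates(docx_bytes: bytes) -> List[Dict[str, str]]:
    """List attachedTemplate relationships whose target lives outside the package.

    Every *.rels part is checked, not just settings.xml.rels, so a pointer
    placed in an unusual part is still reported. A document that merely
    referenced a local template on its author's machine also shows up here,
    so treat the result as a triage signal to be reviewed, not a verdict.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                # External mode or an absolute URL means Word will reach out.
                if rel.get("TargetMode") == "External" or "://" in target:
                    findings.append({"part": name, "target": target})
    return findings


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory for exercising the check.

    Constructed test data, not a real sample: only the parts the scanner
    inspects are emitted (Word itself would expect more parts).
    """
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % RELS_NS]
    settings_body = ""
    if template_target is not None:
        rels.append(
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
            % (ATTACHED_TEMPLATE, template_target)
        )
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="%s"/>' % WML_NS)
        zf.writestr("word/settings.xml",
                    '<?xml version="1.0"?><w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>'
                    % (WML_NS, R_NS, settings_body))
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host for the constructed sample; not an IoC from the post.
    suspicious = build_sample_docx("http://template-host.example.invalid/placeholder.dotm")
    print(find_remote_templates(suspicious))
    print(find_remote_templates(build_sample_docx(None)))
```

In practice this check belongs at the mail gateway or in a sandbox pre-filter: a document that arrives by email and reaches out for an external template before any macro runs is worth holding for review regardless of what the template eventually contains, because the download happens on open and the macros only come into play afterwards.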