A cyber espionage operation used fake job offers, sent via LinkedIn messages, to target employees at aerospace and military companies in Europe and the Middle East late last year, researchers from ESET have reported.
The highly targeted campaign -- dubbed Operation In(ter)ception (an allusion to one malware sample's file name) -- took place from September to December 2019, according to a company blog post and corresponding white paper by ESET researchers Dominik Breitenbacher and Kaspars Osis. Its primarily purpose was data gathering and exfiltration via a custom build of dbxcli, an open-source command-line client for Dropbox. However, researchers observed at least one case where the attackers launched a Business Email Compromise scam against one victimized company's business partner.
To trick prospective victims, the attackers created fraudulent LinkedIn accounts impersonating human resources or hiring managers from various aerospace and defense companies, including Collins Aerospace and General Dynamic, ESET explains. Then they used LinkedIn's messaging feature to reach out to targeted employees and offer an employment opportunity, in hopes of getting them to open a malicious file sent either directly through LinkedIn or via a combination of email and OneDrive.
While the victim views a decoy document that supposedly contains details on the job offer, the multi-stage malware commences its infection chain process, which relies on a variety of modified open-source tools as well as legitimate tools, OS functions and living-off-the-land techniques to gain a foothold into the victim's network.
“The message was a quite believable job offer, seemingly from a well-known company in a relevant sector. Of course, the LinkedIn profile was fake, and the files sent within the communication were malicious,” said Breitenbacher in a company press release.
Key malware components included a stage-one custom downloader, a stage-two custom backdoor, a modified version of PowerShdll tool, custom DLL loaders, a beaconing DLL and the aforementioned build of dbxcli. Meanwhile, the malware abuses the Windows utilities WMIC, certutil , the rundll32 and regsvr32.
To avoid suspicion, the In(ter)ception actors disguised their files and folders with names that were intended to look as if they came from legitimate companies like Intel and Mozilla, ESET reports. They also renamed the utilities they abused, digitally signed certain malware components, employed recompiling techniques, and implemented control-flow flattening and dynamic API loading to thwart analysis.
ESET has loosely tied In(ter)ception to the reputed North Korean state-sponsored APT actor Lazarus Group (aka Hidden Cobra), because the operation's choice of targeting, use of fake LinkedIn accounts, development environment, and anti-analysis techniques match past behavior of the group. However, there is no conclusive evidence to confirm this theory.
It is not known precisely what data the attackers were trying to acquire from their victims. In the case of the BEC scam, the adversaries impersonated one of their targets, sending an email with a fake invoice to one of the victim's customers, hoping to persuade the recipient to route a bank payment to the attackers' account. The ruse was exposed, however, when the customer emailed back the legitimate target company instead of the attackers.