Researchers Uncover Covert Attack Campaign Targeting Military Contractors

A new covert attack campaign singled out multiple military and weapons contractor companies with spear-phishing emails to trigger a multi-stage infection process designed to deploy an unknown payload on compromised machines.

The highly targeted intrusions, dubbed STEEP#MAVERICK by Securonix, also targeted a strategic supplier to the F-35 Lightning II fighter aircraft.

“The attack was carried out starting in late summer 2022 targeting at least two high-profile military contractor companies,” Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in an analysis.

Infection chains begin with a phishing email carrying a ZIP archive attachment that contains a shortcut file claiming to be a PDF document about “Company & Benefits.” The shortcut is then used to retrieve a stager (an initial binary that’s used to download the desired malware) from a remote server.

This PowerShell stager sets the stage for a “robust chain of stagers” that progresses through seven more steps, after which the final PowerShell script executes a remote payload, “header.png,” hosted on a server named “terma[.]app.”

“While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis,” the researchers explained.

“Our attempts to decode the payload would only produce garbage data.”

What’s notable about the modus operandi is the incorporation of obfuscated code designed to thwart analysis, in addition to scanning for the presence of debugging software and halting execution if the system language is set to Chinese or Russian.

The malware is also designed to verify the amount of physical memory, and once again terminate itself if it’s less than 4GB. Also included is a check for virtualization infrastructure to determine if the malware is being executed in an analysis environment or sandbox.

But if this test fails, rather than simply quitting the execution, the malware disables system network adapters, reconfigures Windows Firewall to block all inbound and outbound traffic, recursively deletes data in all drives, and shuts down the computer.

Should all these checks pass, the PowerShell stager proceeds to disable logging, add Windows Defender exclusions for LNK, RAR, and EXE files, and establish persistence via a scheduled task or Windows Registry modifications.
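The host-side effects described above (Defender extension exclusions, firewall lockdown, disabled adapters, PowerShell-launching scheduled tasks) are concrete things a responder can audit for. The following read-only host check is an added example written for this article, not code from Securonix or the report; it assumes the built-in Defender, NetSecurity, NetAdapter and ScheduledTasks PowerShell modules are present and is meant to be run in an elevated session.

```powershell
# Added example: read-only audit for the host-side effects the article attributes
# to STEEP#MAVERICK. Not part of the original article or the Securonix report.
# Assumes the Defender, NetSecurity, NetAdapter and ScheduledTasks modules.
function Get-SteepMaverickHostFindings {
    $findings = @()

    # 1. Defender extension exclusions for LNK, RAR and EXE (added by the stager).
    $suspectExt = @('lnk', 'rar', 'exe')
    $pref = Get-MpPreference
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ($null -ne $ext -and $suspectExt -contains $ext.TrimStart('.').ToLower()) {
            $findings += "Defender exclusion present for extension '$ext'"
        }
    }

    # 2. Firewall profiles whose default action blocks all traffic (destructive branch).
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.DefaultInboundAction -eq 'Block' -and $p.DefaultOutboundAction -eq 'Block') {
            $findings += "Firewall profile '$($p.Name)' blocks all inbound and outbound traffic"
        }
    }

    # 3. Network adapters left in the Disabled state (destructive branch).
    foreach ($a in Get-NetAdapter | Where-Object { $_.Status -eq 'Disabled' }) {
        $findings += "Network adapter '$($a.Name)' is disabled"
    }

    # 4. Scheduled tasks whose action launches PowerShell (the persistence route named
    #    in the article). Many legitimate tasks also do this, so triage each hit manually.
    foreach ($t in Get-ScheduledTask) {
        foreach ($act in @($t.Actions)) {
            if ($act.Execute -match 'powershell|pwsh') {
                $findings += "Scheduled task '$($t.TaskPath)$($t.TaskName)' runs: $($act.Execute) $($act.Arguments)"
            }
        }
    }

    return $findings
}

# Usage: print each finding; an empty result means none of the audited effects were seen.
Get-SteepMaverickHostFindings | ForEach-Object { Write-Output "[!] $_" }
```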

“Overall, it is clear that this attack was relatively sophisticated with the malicious threat actor paying specific attention to opsec,” the researchers noted. “While this was a very targeted attack, the tactics and techniques used are well known and it is important to stay vigilant.”
