Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.
The highly targeted attacks begin with a phishing email sent to employees, leading to a multi-stage infection involving many persistence and detection avoidance systems.
The campaign stands out for its secure C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.
Analysts at Securonix discovered the attacks but couldn’t attribute the campaign to any known threat actors, even though some similarities with past APT37 (Konni) attacks are mentioned in the report.
Targeting employees
The phishing email targeting employees includes a ZIP attachment that contains a shortcut file (“Company & Benefits.pdf.lnk”), which, upon execution, connects to the C2 and launches a chain of PowerShell scripts that infect the system with malware.
Interestingly, the shortcut file doesn’t use the commonly abused “cmd.exe” or “powershell.exe” tools but instead relies on the unusual “C:\Windows\System32\ForFiles.exe” command to execute commands.
The next step is to unravel a seven-stage PowerShell execution chain characterized by heavy obfuscation that uses multiple techniques.
The obfuscation techniques seen by Securonix analysts are reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, reordering, string replacement, and backtick obfuscation.
Additionally, the script scans for a list of processes linked to debugging and monitoring software, checks that the screen height is above 777 pixels and the memory is above 4GB to evade sandboxes, and verifies that the system was installed more than three days ago.
If any of these checks fails, the script will disable the system network adapters, configure the Windows Firewall to block all traffic, delete everything in all detected drives, and then shut down the computer.
The only case when the malware exits without causing any damage is when the system language is set to either Russian or Chinese.
If all checks pass, the script proceeds by disabling the PowerShell Script Block Logging and adds Windows Defender exclusions for “.lnk,” “.rar,” and “.exe” files and also for directories critical for the function of the malware.
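As an added defender-side example (not code from the Securonix report), the following toy hunting rules run over constructed Sysmon-style events (EID 1 process creation, EID 13 registry value set) and flag the host artifacts described above: forfiles.exe used as a launcher, Defender exclusions for “.lnk”, “.rar”, “.exe” or arbitrary paths, and Script Block Logging switched off. Every event, path and command line below is a constructed sample, not an indicator from the report.

```python
import re

# Extensions the stager excludes from Defender, per the report.
SUSPICIOUS_EXTS = {".lnk", ".rar", ".exe"}
SBL_VALUE = r"\powershell\scriptblocklogging\enablescriptblocklogging"

# Constructed sample events (hypothetical values, not real IoCs).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'forfiles /p C:\Windows /m *.dll /c "powershell -nop -w hidden -enc <b64>"'},
    {"id": 1, "Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /p C:\Logs /s /m *.log /d -7 /c "cmd /c del @path"'},  # benign cleanup
    {"id": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.lnk",
     "Details": "DWORD (0x00000000)"},
    {"id": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging",
     "Details": "DWORD (0x00000000)"},
    {"id": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\stage",
     "Details": "DWORD (0x00000000)"},
]

def rule_forfiles_launcher(ev):
    """EID 1: forfiles.exe spawning PowerShell or launched straight from explorer (e.g. via a .lnk)."""
    if ev.get("id") != 1 or not ev["Image"].lower().endswith(r"\forfiles.exe"):
        return None
    if "powershell" in ev.get("CommandLine", "").lower() or ev.get("ParentImage", "").lower().endswith(r"\explorer.exe"):
        return f"forfiles.exe used as a launcher (parent={ev['ParentImage']})"
    return None

def rule_defender_exclusion(ev):
    """EID 13: Defender exclusion written for an abused extension, or any path exclusion."""
    if ev.get("id") != 13:
        return None
    parts = re.split(r"\\windows defender\\exclusions\\", ev["TargetObject"], maxsplit=1, flags=re.I)
    if len(parts) != 2:
        return None
    kind, _, value = parts[1].partition("\\")
    if kind.lower() == "extensions" and value.lower() in SUSPICIOUS_EXTS:
        return f"Defender extension exclusion added: {value}"
    if kind.lower() == "paths":
        return f"Defender path exclusion added: {value}"
    return None

def rule_sbl_disabled(ev):
    """EID 13: EnableScriptBlockLogging policy value set to 0."""
    if ev.get("id") == 13 and ev["TargetObject"].lower().endswith(SBL_VALUE) \
            and ev.get("Details", "").endswith("(0x00000000)"):
        return "PowerShell Script Block Logging disabled via policy key"
    return None

RULES = (rule_forfiles_launcher, rule_defender_exclusion, rule_sbl_disabled)

def hunt(events):
    """Apply every rule to every event and return the list of finding strings."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]
```

Running `hunt(EVENTS)` yields four findings; the benign forfiles cleanup job is not flagged.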
Persistence is achieved through multiple methods, including adding new Registry keys, embedding the script into a scheduled task, adding a new entry on the Startup directory, and also WMI subscriptions.
After the PowerShell stager completes the process, an AES-encrypted final payload (“header.png”) is downloaded from the C2.
“While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis,” explain the researchers.
“Our attempts to decode the payload would only produce garbage data.”
C2 infrastructure
The analysts determined that the domains used for the C2 infrastructure supporting this campaign were registered in July 2022 and hosted on DigitalOcean.
Later, the threat actors moved the domains to Cloudflare to benefit from its CDN and security services, including IP address masking, geoblocking, and HTTPS/TLS encryption.
Some C2 domains mentioned in the report include “terma[.]wiki”, “terma[.]ink”, “terma[.]dev”, “terma[.]app”, and “cobham-satcom.onrender[.]com”.
All in all, this campaign looks like the work of a sophisticated threat actor who knows how to fly under the radar, so make sure to check hunting queries and shared IoCs in Securonix’s report.