Cybersecurity researchers at BlackBerry have discovered a new cyber espionage campaign targeting US organizations in the aerospace industry.
The goal of the campaign appears to be data theft and cyber espionage, although the threat actors' endgame remains a mystery. The researchers claim that the group is most likely brand new, so they named it AeroBlade.
This group carried out the attacks in two phases, with the first being more of a reconnaissance action and the second being actual data theft via malware.
Selling the data online
The attack starts with a spearphishing email carrying a carefully crafted malicious DOCX file. When opened, the document fetches a DOTM file (a macro-enabled Word template) from a remote server, a technique commonly referred to as remote template injection. The template's macro then creates a reverse shell on the target endpoint, which connects to the C2 server and waits for further instructions.
“Once the victim opens the file and runs it by manually clicking the 'Enable Content' decoy message, the (redacted) .dotm document discreetly spawns a new file on the system and opens it,” BlackBerry said in its report. “The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate.”
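The chain above has two static indicators a defender can check for before a document is ever opened: a DOCX that references an attached template outside the package (the remote DOTM), and a DOTM that carries a VBA project (the macro). The following triage script is an added example written for this page, not BlackBerry's tooling or anything recovered from the campaign. It builds its own minimal sample documents in memory; the template URL and IP address are placeholders (RFC 5737 TEST-NET-2), not AeroBlade infrastructure.

```python
"""Static triage of a Word document for the remote-template chain described above.

Added example, not BlackBerry's code. Sample files are constructed in memory;
the URL/IP below are placeholders, not infrastructure from the campaign.
"""
import io
import zipfile
from xml.etree import ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for an attached template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

# Minimal package parts for the constructed samples.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '</Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Quarterly supplier review</w:t></w:r></w:p></w:body></w:document>'
)
SETTINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>'
)
SETTINGS_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="{type}" Target="{target}" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample(remote_template=None, with_vba=False):
    """Build a minimal .docx/.dotm in memory (constructed test input, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT_XML)
        if remote_template:
            # settings.xml points at rId1; the .rels part resolves rId1 to an external URL.
            z.writestr("word/settings.xml", SETTINGS_XML)
            z.writestr("word/_rels/settings.xml.rels",
                       SETTINGS_RELS.format(type=ATTACHED_TEMPLATE_TYPE, target=remote_template))
        if with_vba:
            # Placeholder bytes standing in for a real macro container.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


def remote_templates(doc_bytes):
    """Return URLs of attached templates that are loaded from outside the package."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        rels_part = "word/_rels/settings.xml.rels"
        if rels_part not in z.namelist():
            return []
        root = ET.fromstring(z.read(rels_part))
    return [
        rel.get("Target")
        for rel in root.iter(f"{{{REL_NS}}}Relationship")
        if rel.get("Type") == ATTACHED_TEMPLATE_TYPE and rel.get("TargetMode") == "External"
    ]


def has_vba_project(doc_bytes):
    """True if the package carries a VBA macro container (expected in a .dotm, not a .docx)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return "word/vbaProject.bin" in z.namelist()


def triage(doc_bytes):
    """Summarise the two indicators relevant to the chain described in the article."""
    templates = remote_templates(doc_bytes)
    vba = has_vba_project(doc_bytes)
    if templates:
        verdict = "suspicious: pulls a remote template (" + ", ".join(templates) + ")"
    elif vba:
        verdict = "suspicious: contains VBA macros"
    else:
        verdict = "no remote template or macros found"
    return {"remote_templates": templates, "has_vba": vba, "verdict": verdict}


if __name__ == "__main__":
    lure = build_sample(remote_template="http://198.51.100.7/update.dotm")  # placeholder URL
    stage2 = build_sample(with_vba=True)
    benign = build_sample()
    for name, blob in [("lure.docx", lure), ("stage2.dotm", stage2), ("benign.docx", benign)]:
        print(name, "->", triage(blob)["verdict"])
```

A plain DOCX has no reason to carry either an external attached template or a vbaProject.bin part, so both checks are cheap mail-gateway or sandbox pre-filters. Note that the template URL is only resolved when Word opens the document, and the macro only runs after the victim clicks Enable Content, so this check catches the lure before either of those happens.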
The first phase, which reportedly took place in September last year, listed every directory on the compromised endpoint, giving the attackers a map of the environment and simplifying the search for valuable data. The second phase, which took place in July this year, resulted in data theft.
The origin and endgame of AeroBlade remain a mystery. While cyber espionage campaigns are usually assumed to serve a state sponsor, this one could just as well be the work of a completely independent, profit-oriented threat actor who will later attempt to sell the stolen data to the highest bidder on the dark web.
Via BleepingComputer