December 4, 2023 at 04:47PM
A US aerospace company was the target of a yearlong cyberespionage campaign by a group named “AeroBlade.” Using phishing emails carrying Word documents, the attackers used template injection to deploy a reverse shell, collect data, and maintain persistence. Advanced stealth tactics let them evade detection; the activity points to a commercial espionage motive, most likely to gauge the company’s susceptibility to a future ransom demand.
Meeting Takeaways:
1. A US aerospace company was targeted in a near yearlong commercial cyberespionage campaign by a new threat actor named “AeroBlade.”
2. The campaign is thought to follow a conventional script including phishing attacks, template injection, and VBA macro code.
3. Despite its traditional methods, the campaign went undetected for a long time due to extensive anti-analysis protections.
4. The campaign had two phases: a testing phase in September 2022 and an execution phase in July 2023.
5. The success of the campaign and the nature of the potentially accessed data remain unknown.
6. The primary method of attack was through phishing emails with malicious Microsoft Word documents that encouraged users to enable macros to download a second-stage payload.
7. The payload was a DLL file establishing a reverse shell, collecting system information, and ensuring persistence via a daily scheduled task.
8. AeroBlade employed advanced stealth techniques in its payload to avoid detection, including checking for sandbox environments or antivirus software and obfuscating its malicious code.
9. The payload used complex coding techniques to conceal its activities, including custom encoding, API hashing, and anti-disassembly tactics.
10. Researchers have a high degree of confidence that the campaign’s purpose was to surveil the internal resources of the company, potentially setting the stage for a future ransom demand.