New Threat Actor ‘AeroBlade’ Emerges in Espionage Attack on U.S. Aerospace

December 5, 2023 at 03:12AM

A new cyber threat, AeroBlade, targeted a U.S. aerospace company in a suspected espionage attempt. The BlackBerry team identified the attack, which utilized spear-phishing, remote template injection, and a malicious VBA macro. Attacks started in September 2022 and became more stealthy over time, culminating in July 2023 with a reverse shell deployment for data reconnaissance. Anti-detection measures were also noted.

Key Takeaways from Meeting on Cyber Espionage / Threat Analysis (Dec 05, 2023):

1. A previously unknown cyber threat actor, named AeroBlade, has been identified as launching an attack on a U.S. aerospace organization.
2. The aim of the attack is speculated to be cyber espionage.
3. AeroBlade’s origins are not yet clear, and it is also uncertain whether the attack was ultimately successful.
4. The BlackBerry Threat Research and Intelligence team is closely monitoring AeroBlade and reported on their findings last week.
5. The attack vector utilized by the adversary was spear-phishing, involving a weaponized document with a malicious VBA macro delivered via email.
6. The attack’s network infrastructure was set up around September 2022, and the offensive operations were launched in July 2023.
7. The operators refined their tools during the interim to enhance stealth capabilities.
8. The spear-phishing email attack initiated with a Microsoft Word document that, upon enabling macros by the victim, used remote template injection to execute a subsequent payload stage.
9. The payload involved the deployment of an obfuscated DLL which functions as a reverse shell to communicate with a C2 server and collect data from the infected system.
10. The attackers are capable of gathering intelligence such as a list of directories, possibly for reconnaissance to strategize future actions.
11. The DLL is heavily obfuscated, incorporates anti-analysis techniques, and avoids execution in sandboxed environments.
12. To maintain persistence, the attackers created a scheduled task (“WinUpdate2”) to run daily at 10:10 AM.
13. The threat actor has been described as highly dedicated in developing resources to secure and exfiltrate valuable information from targeted entities.
14. The article encourages readers to follow updates on Twitter and LinkedIn for more content on the subject.
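How a defender might screen an incoming Word attachment for the two traits described in items 5 and 8 (an attached template fetched over the network, and an embedded VBA project), as an added Python example that is not part of the article or of BlackBerry's research. The OOXML namespace and relationship-type strings are public standard values; the sample documents are constructed in-memory skeletons, and the host name template.example.invalid is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Public OOXML constants (Open Packaging Conventions / WordprocessingML).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/"
    "relationships/attachedTemplate"
)
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _is_network_target(target):
    """True for http(s) URLs and UNC paths; file:///C:/...Normal.dotm is local."""
    scheme = urlsplit(target).scheme.lower()
    return scheme in ("http", "https") or target.startswith("\\\\")


def triage_docx(docx_bytes):
    """Inspect a Word OOXML container for an attached template that is
    loaded from the network (remote template injection) and for an
    embedded VBA project (macro).

    Returns {"remote_templates": [(rels_part, target), ...],
             "has_vba_project": bool}.
    """
    remote_templates = []
    has_vba = False
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                has_vba = True
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Word marks even the local Normal.dotm as External (file:///),
                # so the scheme, not TargetMode alone, decides.
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and _is_network_target(rel.get("Target", ""))):
                    remote_templates.append((name, rel.get("Target")))
    return {"remote_templates": remote_templates, "has_vba_project": has_vba}


def is_suspicious(report):
    """Any document that pulls its template over the network deserves a look."""
    return bool(report["remote_templates"])


def build_sample_docx(template_target, with_vba=False):
    """Constructed minimal OOXML skeleton for testing (not a fully valid
    Word file). template_target becomes the External attachedTemplate."""
    rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
           f'Target="{template_target}" TargetMode="External"/>')
    rels_xml = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"/>')
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{WML_NS}"/>')
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{WML_NS}"/>')
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
        if with_vba:
            # OLE compound-file magic bytes only; no macro code inside.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()


# Constructed samples: a lure-style document and a normal local-template one.
LURE_TARGET = "http://template.example.invalid/stage2.dotm"
BENIGN_TARGET = "file:///C:/Users/jdoe/AppData/Roaming/Microsoft/Templates/Normal.dotm"

if __name__ == "__main__":
    for target, vba in ((LURE_TARGET, True), (BENIGN_TARGET, False)):
        report = triage_docx(build_sample_docx(target, with_vba=vba))
        print(is_suspicious(report), report)
```

Run on a mail gateway or during triage, the relationship check catches the technique regardless of how the macro in the fetched template is obfuscated, because the document must declare the external target in its own relationships part before Word will fetch it.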
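A hunt for the persistence mechanism in item 12 over Windows Security "scheduled task created" events (Event ID 4698), as an added Python example that is not part of the article or of BlackBerry's research. The task name WinUpdate2 and the daily 10:10 trigger come from the report; the rundll32/regsvr32 loader heuristic and the sample events (host WS01.corp.example, user jdoe, DLL path) are constructed assumptions. Real events carry the task XML entity-escaped in the TaskContent field, which is what the parser below unpacks.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Real schema namespaces for Windows event XML and Task Scheduler XML.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
E = f"{{{EVENT_NS}}}"
T = f"{{{TASK_NS}}}"

# Indicators taken from the report: task name and daily 10:10 trigger.
KNOWN_TASK_NAMES = {"WinUpdate2"}
KNOWN_TRIGGER_TIME = "10:10:00"
# Hypothetical extra heuristic (not from the report): binaries commonly used
# by a scheduled task to load a DLL payload.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}


def parse_task_creation(event_xml):
    """Extract name, trigger and action from a Security 4698 event.
    Returns None for any other event ID."""
    root = ET.fromstring(event_xml)
    if (root.findtext(f"{E}System/{E}EventID") or "").strip() != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{E}Data")}
    # ElementTree has already unescaped TaskContent; drop any XML declaration
    # so a UTF-16 declaration does not trip the str-based parser.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    task = ET.fromstring(content)
    cal = f"{T}Triggers/{T}CalendarTrigger"
    start = task.findtext(f"{cal}/{T}StartBoundary") or ""
    interval = task.findtext(f"{cal}/{T}ScheduleByDay/{T}DaysInterval")
    return {
        "task_name": data.get("TaskName", "").lstrip("\\"),
        "start_time": start.split("T", 1)[1] if "T" in start else "",
        "daily": interval == "1",
        "command": task.findtext(f"{T}Actions/{T}Exec/{T}Command") or "",
        "arguments": task.findtext(f"{T}Actions/{T}Exec/{T}Arguments") or "",
    }


def score_task(info):
    """Return the reasons a task creation resembles the reported persistence."""
    reasons = []
    if info["task_name"] in KNOWN_TASK_NAMES:
        reasons.append("task name matches reported IoC")
    if info["daily"] and info["start_time"] == KNOWN_TRIGGER_TIME:
        reasons.append("daily 10:10 trigger matches reported IoC")
    exe = info["command"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in DLL_LOADERS:
        reasons.append(f"{exe} used as DLL loader (heuristic)")
    return reasons


def hunt(events):
    """Return [(task_name, reasons)] for every 4698 event that scores."""
    hits = []
    for ev in events:
        info = parse_task_creation(ev)
        if info:
            reasons = score_task(info)
            if reasons:
                hits.append((info["task_name"], reasons))
    return hits


def make_task_xml(start, command, arguments):
    """Constructed Task Scheduler XML with a daily CalendarTrigger."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS}">'
        f"<Triggers><CalendarTrigger><StartBoundary>{start}</StartBoundary>"
        f"<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>"
        f"</CalendarTrigger></Triggers>"
        f"<Actions><Exec><Command>{escape(command)}</Command>"
        f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>"
    )


def make_event(task_name, task_xml):
    """Constructed Security event 4698 ('A scheduled task was created')."""
    return (
        f'<Event xmlns="{EVENT_NS}"><System><EventID>4698</EventID>'
        f"<Computer>WS01.corp.example</Computer></System><EventData>"
        f'<Data Name="SubjectUserName">jdoe</Data>'
        f'<Data Name="TaskName">\\{task_name}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        f"</EventData></Event>"
    )


# Constructed sample log: one AeroBlade-style task and one ordinary backup job.
SAMPLE_EVENTS = [
    make_event("WinUpdate2", make_task_xml(
        "2023-07-10T10:10:00", r"C:\Windows\System32\rundll32.exe",
        r"C:\Users\Public\Libraries\update.dll,Start")),
    make_event("NightlyBackup", make_task_xml(
        "2023-07-10T02:00:00", r"C:\Program Files\Backup\backup.exe", "--full")),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

Auditing of object access for Task Scheduler must be enabled for 4698 to be logged at all; the same parser works on 4702 (task updated) if the event ID check is widened, which matters because an operator can rename or retime a task after creation.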

Remember to follow up with security teams to ensure awareness and any necessary actions are taken regarding the AeroBlade threat. Consider reinforcing spear-phishing awareness and ensuring that macro security settings are properly configured organization-wide.
