Let me remind you that we also wrote that DoppelPaymer operators published Boeing, Lockheed Martin, SpaceX and Tesla documents in the public domain, and that Lookout experts discovered a link between Chinese hackers and a defense contractor.
However, it was still possible to restore the attack scenario. It all starts with a phishing email with a ZIP archive. After unpacking the archive, the victim finds an LNK file called “Company & Benefits.pdf.lnk”, which acts as a dropper that performs several functions:
Interestingly, the LNK file does not use “cmd.exe” or “powershell.exe” to run its scripts, but instead launches them through the unusual utility “C:\Windows\System32\ForFiles.exe”.
Having reconstructed the attack scenario, the experts began to unravel the execution chain of the PowerShell script, which consists of seven stages, each of them heavily obfuscated. The script also checks the process list for debugging and monitoring tools, performs sandbox-evasion checks (the screen height must be at least 777 pixels and the amount of RAM greater than 4 GB), and checks the system installation date (the OS must have been installed on the device for more than three days).
If any of these checks fail, the script disables the system’s network adapters, configures Windows Firewall to block all traffic, deletes all data from any drives it finds, and then shuts down the computer.
However, the malware exits without causing any harm if the system language is set to Russian or Chinese.
If all checks are passed, the script disables the Windows PowerShell event log and adds Windows Defender exclusions for “.lnk”, “.rar” and “.exe” files, as well as for directories necessary for the malware to work.
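The chain described above leaves traces in process-creation telemetry that a defender can alert on: an interactive ForFiles.exe launch used as a proxy for script execution, Add-MpPreference adding extension or path exclusions, and a PowerShell event channel being disabled. The following is an added example, not code from the report or the researchers; the event records and command lines are constructed (Sysmon Event ID 1 style fields), and the exact command lines the real campaign used are not on the page.

```python
"""Detection logic for the LNK / ForFiles.exe chain described in the article.

Added example: events are constructed dicts with Sysmon-like fields
(parent image, image, command line), not captured telemetry.
"""
import re

# Constructed sample telemetry: three events modelled on the article's chain
# (indices 0, 2, 3) and two benign events (1, 4) that must not fire.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",                       # double-clicked LNK
     "image": r"C:\Windows\System32\ForFiles.exe",
     "cmd": r'ForFiles.exe /p C:\Users\u\AppData\Local\Temp /m *.cmd /c "cmd /c @file"'},
    {"parent": r"C:\Windows\System32\cmd.exe",                   # admin log cleanup
     "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles /p C:\Logs /s /d -30 /c "cmd /c del @file"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -w hidden -c "Add-MpPreference -ExclusionExtension .lnk,.rar,.exe"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": r"wevtutil.exe sl Microsoft-Windows-PowerShell/Operational /e:false"},
    {"parent": r"C:\Windows\System32\svchost.exe",               # benign query
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell Get-MpPreference"},
]

def _forfiles_proxy(ev):
    # ForFiles /c runs a command per matched file. Launched interactively from
    # explorer.exe (as by a clicked LNK) it is not normal administrative use.
    return (ev["image"].lower().endswith("\\forfiles.exe")
            and re.search(r"\s/c(\s|$)", ev["cmd"], re.I) is not None
            and ev["parent"].lower().endswith("\\explorer.exe"))

def _defender_exclusion(ev):
    # Add-MpPreference -ExclusionExtension / -ExclusionPath widens Defender's blind spot.
    return re.search(r"Add-MpPreference\b.*-Exclusion(Extension|Path)", ev["cmd"], re.I) is not None

def _powershell_log_disabled(ev):
    # wevtutil sl <channel> /e:false turns a log channel off; watch the PowerShell channels.
    return re.search(r"wevtutil(\.exe)?\s+sl\s+\S*PowerShell\S*.*?/e:false", ev["cmd"], re.I) is not None

RULES = [("forfiles_proxy_execution", _forfiles_proxy),
         ("defender_exclusion_added", _defender_exclusion),
         ("powershell_log_disabled", _powershell_log_disabled)]

def evaluate(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Correlating all three rules on one host within a few minutes gives a much higher-confidence signal than any single hit, since legitimate administration rarely produces them together.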
To gain a foothold in the system, the malware adds new registry keys, embeds its code into scheduled tasks, and adds itself to autorun.
Once the PowerShell script has done all its work, the final payload, the “header.png” file, is downloaded from the C&C server. The experts wanted to analyse this file but were unable to decode it. In their opinion, it was replaced after the end of the campaign to prevent further analysis.