SECURITY SOLUTIONS TODAY, 03 Oct 2022
Securonix Detects New Covert Attack Campaign Targeting Military Contractors

The Securonix Threat Research team recently discovered a new covert attack campaign targeting multiple military/weapons contractor companies, likely including a strategic supplier to the F-35 Lightning II fighter aircraft. The stager relied mainly on PowerShell. Stagers written in PowerShell are not unusual, but this one featured an array of interesting tactics, persistence methodology, counter-forensics, and layer upon layer of obfuscation to hide its code.

Additionally, the remote infrastructure or command and control (C2) involved with the stager was relatively sophisticated. 

Target Analysis and Attack Chain

The attack was carried out starting in late summer 2022, targeting at least two high-profile military contractor companies.

The overall attack chain can be seen in figure 1 on slide 2, which highlights the initial compromise phase of the attack.

Figure 1: Attack Chain (Slide 2)

Initial Infection: Shortcut to Code Execution

As with many targeted campaigns, the initial infection begins with a phishing email sent to the target carrying a malicious attachment. As in the STIFF#BIZON campaign reported earlier this year, the attachment is a compressed file containing a shortcut file, in this case "Company & Benefits.pdf.lnk". Because Windows Explorer never displays the .lnk extension of a shortcut, the file appears to the recipient as a PDF named "Company & Benefits.pdf".

Figure 2: Company & Benefits.pdf.lnk (Slide 3)

The shortcut file does several tricky things to avoid detection. First, it hides its execution by launching forfiles.exe, a built-in Windows utility that runs a command for each file it matches, rather than invoking cmd.exe or powershell.exe directly.

It then copies the powershell.exe executable to C:\Windows under the name AdobeAcrobatPDFReader and uses that renamed copy to execute the rest of the PowerShell string. Because the copy is byte-for-byte identical to powershell.exe, process-creation telemetry from Sysinternals Sysmon still records its original file name, which is how the renamed binary was identified in figure 3 on slide 4.

Figure 3: Windows logs showing renamed PowerShell.exe (Slide 4)

The rest of the PowerShell script runs in a loop, retrying every 120 seconds until a request completes without error. Each iteration attempts C2 communication with the URL hxxps://terma[.]dev/0 to pull down the initial stager.
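The two behaviours described above, a renamed PowerShell binary and a process launched via forfiles.exe, are both visible in Sysmon Event ID 1 (process creation), because Sysmon records the OriginalFileName embedded in the executable's version resource, which survives a copy/rename. The following detection logic is an added example written for this article, not Securonix code or the original campaign's code; the event records it scans are constructed to resemble Sysmon Event ID 1 fields, and the command lines in them are illustrative.

```python
"""
Detect (1) a PowerShell binary running under a name other than its own and
(2) any process spawned by an indirect-execution LOLBin such as forfiles.exe,
using Sysmon Event ID 1 style records.

Added example, not Securonix code. SYSMON_EVENTS is constructed sample data.
"""
import ntpath
from typing import Dict, List, Tuple

# Image names under which a binary whose OriginalFileName is PowerShell.EXE
# is expected to run. Anything else is a renamed copy.
KNOWN_POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}

# Windows utilities that launch other programs and are listed by ATT&CK under
# T1202 Indirect Command Execution.
INDIRECT_LAUNCHERS = {"forfiles.exe", "pcalua.exe"}

# Constructed Sysmon Event ID 1 records (not real telemetry from the campaign).
SYSMON_EVENTS: List[Dict[str, str]] = [
    {   # renamed PowerShell copy started by forfiles.exe (the technique in the article)
        "EventID": "1",
        "Image": r"C:\Windows\AdobeAcrobatPDFReader.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\forfiles.exe",
        "CommandLine": r"C:\Windows\AdobeAcrobatPDFReader.exe -w h -c <stager>",
    },
    {   # legitimate interactive PowerShell session
        "EventID": "1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe",
    },
    {   # cmd.exe launched through forfiles.exe to perform the copy
        "EventID": "1",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\forfiles.exe",
        "CommandLine": r"cmd /c copy /y powershell.exe C:\Windows\AdobeAcrobatPDFReader.exe",
    },
    {   # unrelated event type (file create), must be ignored by the process logic
        "EventID": "11",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetFilename": r"C:\Windows\Temp\cache.dat",
    },
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of host OS."""
    return ntpath.basename(path).lower()


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return a list of finding strings for one Sysmon record (empty if benign)."""
    findings: List[str] = []
    if event.get("EventID") != "1":          # only process-creation events carry these fields
        return findings

    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()

    # A binary whose version resource says PowerShell.EXE but whose on-disk
    # name is something else has been copied/renamed, as in this campaign.
    if original == "powershell.exe" and image not in KNOWN_POWERSHELL_IMAGES:
        findings.append(f"renamed PowerShell: {event['Image']} "
                        f"(OriginalFileName={event['OriginalFileName']})")

    # Anything spawned by forfiles.exe/pcalua.exe is indirect command execution.
    if parent in INDIRECT_LAUNCHERS:
        findings.append(f"indirect execution: {parent} spawned {image}")

    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run analyze_event over a batch; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in analyze_event(ev)]


if __name__ == "__main__":
    for idx, finding in scan(SYSMON_EVENTS):
        print(f"event[{idx}]: {finding}")
```

The OriginalFileName comparison is the key: it cannot be defeated by renaming, only by patching the binary, which would in turn break its Microsoft signature. In production, tune KNOWN_POWERSHELL_IMAGES to the binaries actually deployed in the estate and pair the forfiles.exe rule with the parent's own command line, since forfiles.exe also has legitimate scripted uses.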

Conclusion

Overall, it is clear that this attack was relatively sophisticated, with the threat actor paying specific attention to opsec. Many relatively recent attack techniques were at play, some of them unfamiliar and requiring additional analysis, such as resolving Invoke-Expression through the PowerShell Get-Alias cmdlet so that neither the cmdlet name nor its iex alias appears literally in the script.
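To show what the Get-Alias trick looks like and how a script block logging pipeline can see through it, the following is an added example (not Securonix code): a script can write `&(Get-Alias i*x)` or `.(gal ?ex)` instead of `iex`, because Get-Alias accepts a wildcard pattern and returns the matching alias object, which the call operator then invokes. The resolver below matches such patterns against the default PowerShell alias table the same way Get-Alias does. The alias table is a subset of PowerShell 5.1's built-in aliases, and the script blocks are constructed samples.

```python
"""
Resolve Get-Alias wildcard lookups in a PowerShell script block to the cmdlets
they would actually return, to reveal hidden Invoke-Expression calls.

Added example, not Securonix code. DEFAULT_ALIASES is a subset of the real
PowerShell 5.1 alias table; SAMPLES are constructed script blocks.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

# Subset of PowerShell's default aliases (all are genuine built-in aliases).
DEFAULT_ALIASES: Dict[str, str] = {
    "iex": "Invoke-Expression",
    "icm": "Invoke-Command",
    "iwr": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod",
    "ii": "Invoke-Item",
    "ipmo": "Import-Module",
    "gal": "Get-Alias",
    "gc": "Get-Content",
    "sal": "Set-Alias",
    "ni": "New-Item",
}

# Matches "Get-Alias <pattern>" or "gal <pattern>", with an optional -Name and
# optional quotes; the capture stops at whitespace, a quote or a closing paren.
ALIAS_CALL = re.compile(r"(?i)\b(?:get-alias|gal)\s+(?:-name\s+)?[\"']?([^\s\"')]+)")

# Constructed script blocks, as they might appear in PowerShell script block logs.
SAMPLES: Dict[str, str] = {
    "wildcard": "$p = (gc .\\s.txt); &(Get-Alias i*x) $p",
    "question": ".(gal ?ex) ([Text.Encoding]::UTF8.GetString($b))",
    "broad":    "&(Get-Alias i*) $cmd",          # ambiguous: several aliases match
    "benign":   "(Get-Alias gc).Definition; Get-Alias -Name sal",
}


def resolve_alias_pattern(pattern: str) -> Dict[str, str]:
    """Aliases (and their cmdlets) that Get-Alias would return for this pattern.

    PowerShell wildcards (*, ?, [..]) are the same as fnmatch's, and alias
    lookup is case-insensitive, so we compare lower-cased names.
    """
    pat = pattern.lower()
    return {a: c for a, c in DEFAULT_ALIASES.items() if fnmatch.fnmatchcase(a, pat)}


def alias_lookups(script: str) -> List[str]:
    """Every pattern handed to Get-Alias/gal in the script, in order."""
    return [m.group(1) for m in ALIAS_CALL.finditer(script)]


def resolved_lookups(script: str) -> List[Tuple[str, Dict[str, str]]]:
    """(pattern, resolution) for each Get-Alias lookup in the script."""
    return [(p, resolve_alias_pattern(p)) for p in alias_lookups(script)]


def hidden_invoke_expression(script: str) -> List[str]:
    """Patterns whose Get-Alias lookup would return Invoke-Expression.

    A pattern matching several aliases (e.g. i*) still counts: Get-Alias then
    returns an array, and an analyst should treat the call as suspicious rather
    than assume it would simply fail.
    """
    return [p for p, res in resolved_lookups(script) if "Invoke-Expression" in res.values()]


if __name__ == "__main__":
    for name, block in SAMPLES.items():
        print(f"{name:9s} -> {resolved_lookups(block)} "
              f"hidden iex: {hidden_invoke_expression(block)}")
```

This only covers the literal Get-Alias/gal form; an attacker can layer further obfuscation on the cmdlet name itself (string formatting, concatenation), which is why the recommendation below to enable script block logging matters: PowerShell logs the de-obfuscated script block it actually compiles, so the resolver can run over what executed rather than what was written.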

The combination of registry modifications, WMI event subscriptions, scheduled tasks and LOLBins in the same chain was clever and needs to be monitored. While this was a very targeted attack, the individual tactics and techniques are well known, and it is important to stay vigilant.

Securonix Recommendations and Mitigations

  • Avoid downloading unknown email attachments/link files from non-trusted sources.
  • Deploy PowerShell script block logging to assist in detections.
  • Deploy additional process-level logging, such as Sysmon, for additional log coverage. Additionally, in this campaign the presence of Sysmon on the host prevented next-stage payload execution. Note that Sysmon is a telemetry tool and blocks nothing by itself; the protection here comes from the stager's own counter-forensic checks refusing to proceed on a monitored host.
  • Pay specific attention to attempts to disable security monitoring tools, including SIEM.
  • Hunt on endpoints using the Securonix seeder hunting queries (not reproduced here).

MITRE ATT&CK Techniques

Tactic            Technique
Initial Access    T1566: Phishing
Defence Evasion   T1027: Obfuscated Files or Information
                  T1140: Deobfuscate/Decode Files or Information
                  T1202: Indirect Command Execution
                  T1562.001: Impair Defences: Disable or Modify Tools
                  T1112: Modify Registry
Collection        T1005: Data from Local System
Execution         T1059.001: Command and Scripting Interpreter: PowerShell
                  T1047: Windows Management Instrumentation
Persistence       T1547: Boot or Logon Autostart Execution
                  T1053: Scheduled Task/Job
                  T1053.005: Scheduled Task/Job: Scheduled Task
                  T1546.003: Event-Triggered Execution: Windows Management Instrumentation Event Subscription