The Securonix Threat Research team recently discovered a new covert attack campaign targeting multiple military/weapons contractor companies, likely including a strategic supplier to the F-35 Lightning II fighter aircraft. The stager relied mostly on PowerShell, and while stagers written in PowerShell are not unique, the procedures involved featured an array of interesting tactics, persistence methods, counter-forensics, and layers upon layers of obfuscation to hide its code.
Additionally, the remote infrastructure or command and control (C2) involved with the stager was relatively sophisticated.
Target Analysis and Attack Chain
The attack was carried out starting in late summer 2022 targeting at least two high-profile military contractor companies.
Figure 1 below shows the overall attack chain and highlights the initial compromise phase of the attack.
Figure 1: Attack Chain
Initial Infection: Shortcut to Code Execution
As with a lot of targeted campaigns, initial infection begins with a phishing email sent to the target containing a malicious attachment. Similar to that of the STIFF#BIZON campaign reported earlier this year, the phishing email contains a compressed file containing a shortcut file, in this case “Company & Benefits.lnk”.
Figure 2: Company & Benefits.pdf.lnk
The shortcut file does some tricky things to avoid detection. First, it attempts to hide its execution by calling forfiles rather than cmd.exe or powershell.exe.
It then copies the powershell.exe executable to C:\Windows, renames it to AdobeAcrobatPDFReader, and uses that renamed copy to execute the rest of the PowerShell string. Logs generated by Sysinternals Sysmon capture this, as shown in figure 3 below.
Figure 3: Windows logs showing renamed PowerShell.exe
The rest of the PowerShell script runs in a loop with a 120 second timeout, repeating until a request completes without error. C2 communication is attempted at the URL hxxps://terma[.]dev/0 to pull down the initial stager.
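As an added example (not code from the Securonix report), the following routine runs over constructed Sysmon Event ID 1 (process creation) records and flags the two behaviours described above: PowerShell executing under a different file name, and PowerShell spawned by forfiles.exe. The field names follow Sysmon's process-creation event; the sample records, paths and tag names are constructed for illustration.

```python
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the checks below need. Illustrative only, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "OriginalFileName": "forfiles.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\AdobeAcrobatPDFReader",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\forfiles.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# LOLBins seen launching the interpreter indirectly (the report names forfiles).
LOLBIN_PARENTS = {"forfiles.exe"}


def basename(path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the detection tags that fire for one process-creation event."""
    findings: List[str] = []
    image = basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    parent = basename(event.get("ParentImage", ""))
    if original != "powershell.exe":
        return findings  # only PowerShell hosts are of interest here
    # The PE version resource still reports PowerShell.EXE after the file on
    # disk is renamed, so OriginalFileName != Image basename exposes the copy.
    if image != "powershell.exe":
        findings.append("renamed_powershell")
    # PowerShell spawned by forfiles.exe rather than a shell or user process.
    if parent in LOLBIN_PARENTS:
        findings.append("powershell_via_forfiles")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run detect() over a batch and keep only the events that fired."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        tags = detect(ev)
        if tags:
            hits.append({"Image": ev["Image"], "tags": tags})
    return hits
```

Calling scan(SAMPLE_EVENTS) returns only the renamed copy in C:\Windows; the legitimate powershell.exe launched from explorer.exe is not flagged.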
Conclusion
Overall, it is clear that this attack was relatively sophisticated, with the malicious threat actor paying specific attention to opsec. There were a lot of relatively recent attack techniques at play, some of which were unfamiliar and required additional analysis, such as leveraging the PowerShell Get-Alias cmdlet to perform an invoke expression.
Leveraging the registry, WMI subscriptions, scheduled tasks, and incorporating LOLBins into the process was overall clever and needs to be monitored for. While this was a very targeted attack, the tactics and techniques used are well known and it is important to stay vigilant.
Securonix Recommendations and Mitigations
Avoid downloading unknown email attachments / .lnk files from non-trusted sources
Deploy PowerShell script block logging to assist in detections
Deploy additional process-level logging such as Sysmon for additional log coverage. Additionally, Sysmon installed on the host will prevent next-stage payload execution
Pay specific attention to attempts to disable security monitoring tools, including SIEM
Scan endpoints using the Securonix seeder hunting queries below
MITRE ATT&CK Techniques
Tactics | Techniques
Initial Access | T1566: Phishing
Defense Evasion | T1027: Obfuscated Files or Information
Execution | T1059.001: Command and Scripting Interpreter: PowerShell
Persistence | T1547: Boot or Logon Autostart Execution