Cybersecurity researchers from BlackBerry have uncovered a new cyber-espionage campaign targeting US organizations in the aerospace industry.
The goal of the campaign seems to be data theft and cyber-espionage, although the threat actors’ endgame remains a mystery. The researchers claim the group is most likely brand new, so they named it AeroBlade.
This group mounted attacks in two stages, the first being more of a reconnaissance move, and the second one being the actual data theft via malware.
Selling the data online
The attack starts with a spear-phishing email, containing a carefully crafted, malicious DOCX file. This file, if opened, downloads a DOTM file from a remote location. If you’re unfamiliar with the DOTM extension, it’s a document template for Microsoft Word. This file can then execute a macro which creates a reverse shell on the target endpoint. This shell will connect with the C2 server and await further instructions.
“Once the victim opens the file and executes it by manually clicking the “Enable Content” lure message, the [redacted].dotm document discretely drops a new file to the system and opens it,” BlackBerry said in its report. “The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate.”
The first step, which was observed to have taken place in September last year, lists all directories on the compromised endpoint, giving the attackers a map of the kingdom and thus simplifying the search for valuable data. The second stage, which took place in July this year, resulted in data theft.
Aeroblade’s origin, or endgame, remain a mystery. While cyber-espionage campaigns can be highly disruptive, this could also be the work of an entirely independent, profit-oriented threat actor, who will later try to sell the stolen data on the dark web to the highest bidder.
Via BleepingComputer
