European Aerospace and military companies in Europe and the Middle East are the prime targets of hackers using the social media platform LinkedIn to conduct a spear phishing surveillance and money stealing operation, a new research report said.
ESET researchers, who discovered the scheme, have tagged it Operation In(ter)ception, riffing off a related malware sample name “inception.dll” in a campaign that ran for three months starting in September 2019. Espionage appears to be the digital miscreant’s main objective but some attempts to use business email compromise (BEC) suggests the hackers also pursued financial gain.
Victims were lured in with a LinkedIn post that offered believable but bogus jobs offered by well-known companies of interest to the viewer. Profiles impersonating U.S. corporations Collins Aerospace and General Dynamics were mentioned in the posts, the Slovakia-based internet security provider said.
Once the attackers piqued the targets’ curiosity, they inserted malicious files disguised as documents germane to the job offer into the exchange, ESET malware researcher Dominik Breitenbacher said in a blog post. “Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools,” he wrote. In addition to malware, the attackers used legitimate tools and operating system functions as well code signing and impersonating legitimate software and companies to avoid detection.
ESET’s researchers suspected the notorious North Korea-tied Lazarus group could be linked to the maneuvers. “The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to the infamous Lazarus group,” Breitenbacher said, including similarities in targeting, development environment, and anti-analysis techniques used. “However, neither the malware analysis nor the investigation allowed us to gain insight into what files the attackers were aiming for.”
Lazarus has a colorful and allegedly lucrative history. In November, 2018, Symantec said it had uncovered previously unknown malware behind dozens of large cyber robberies on automated teller machines linked to the state sponsored hackers.
At this point, the Operation In(ter)ception hackers’ true intent is not clear. Evidence that the hackers tried to steal money with BEC slights-of-hand has surfaced with one exchange between a victim and the crew containing a reference to an unpaid invoice, a favorite tactic of such trickery. In that case, the intended victim was able to sniff out the smokescreen. “This attempt to monetize the access to the victim’s network should serve as yet another reason for both establishing strong defenses against intrusions and providing cybersecurity training for employees,” Breitenbacher said. “Such education could help employees recognize even lesser-known social engineering techniques, like the ones used in Operation In(ter)ception.”
The LinkedIn-using hackers aren’t the only bad actors ESET has uncloaked. Its tracking of the InvisiMole group, a cyber espionage crew which ESET first reported on in 2018, yielded a new campaign targeting high-profile organizations in Eastern Europe and a more complete view of how the group infiltrates networks.
InvisiMole has been active since 2013 in targeted cyber espionage invasions in Russia and Ukraine. Its specialty is using “feature-rich” backdoors to spy on its victims, ESET researcher Zuzana Hromcová said in a blog post. But ESET didn’t have the whole picture of how InvisiMole operated. “Back then, we found these surprisingly well-equipped backdoors, but a large part of the picture was missing – we didn’t know how they were delivered, spread and installed on the system,” she said.
ESET’s recent discovery tied InvisiMole to Gamaredon, a threat group whose malware functions as a network door opener for InvisiMole. In a complex, multi-stage attack, InvisiMole’s malware is only released after [Gamaredon] has already infiltrated the network of interest, Hromcová said. “Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware,” she said.