
HR executives at Collins Aerospace were targeted in a spear-phishing campaign over LinkedIn messaging with offers of attractive salaries and positions


The attacks, which ESET named “Operation In(ter)ception”, ran from September to December 2019 and targeted aerospace and military companies in Europe and the Middle East.

The attackers contacted the executives via LinkedIn posing as recruiters and presented a job offer from a “well-known company in a relevant sector”.

These included Collins Aerospace (formerly Rockwell Collins), a major U.S. supplier of aerospace and defense products, and General Dynamics, another large U.S.-based corporation.

The offer message contained a OneDrive link to what was presented as a PDF document with salary information for the fake job.


“The malware was silently deployed on the victim’s computer, giving the attacker an initial foothold and reaching solid persistence on the system,” said ESET malware researcher Dominik Breitenbacher.

The PDF file was a decoy listing positions with their expected salaries. Alongside it came an executable that used the Windows Task Scheduler component to register a task on the victim's computer that would run at a predefined time.

The scheduled task was set to execute an Extensible Stylesheet Language (XSL) file, a file type normally used to transform data held in XML documents. This malicious payload connected to an external server and could download and execute arbitrary content.

“This can be very useful in an enterprise setup, but is also a common technique used by threat groups to ensure their malicious payload is run periodically once it is installed,” he said.
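The persistence mechanism described above (a scheduled task that hands an XSL file to a Windows component, MITRE ATT&CK T1220) is something a defender can hunt for in exported task definitions. The script below is an added example written for this page, not ESET's tooling or anything recovered from the campaign: it parses Task Scheduler XML (the format `schtasks /query /xml` exports), flags actions that reference an `.xsl` file, a `wmic /format:` switch, `msxsl.exe` or a remote URL, and reports the trigger type and start time. The article does not name the binary that ran the XSL file; treating `wmic /format:` and `msxsl.exe` as the usual ways to do so is a generalisation beyond the page, and the two task definitions and the task names are constructed samples.

```python
"""Hunt exported Task Scheduler definitions for actions that run XSL script
payloads (MITRE ATT&CK T1220, XSL Script Processing). Added example."""
import re
import xml.etree.ElementTree as ET

# XML namespace used by Task Scheduler definitions (`schtasks /query /xml`).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators of an XSL file being handed to a Windows component. The article
# only says the task executed XSL files; which binary did so is not stated.
# `wmic ... /format:<file or URL>` and msxsl.exe are the usual ways to run XSL
# (assumption: a generalisation beyond the article).
XSL_PATTERNS = [
    (re.compile(r"\.xsl\b", re.I), "action references an .xsl file"),
    (re.compile(r"/format:", re.I), "wmic /format: switch (XSL processing)"),
    (re.compile(r"\bmsxsl(\.exe)?\b", re.I), "msxsl.exe XSL processor"),
    (re.compile(r"https?://", re.I), "remote URL in task action"),
]

# Constructed sample tasks (not real captures). The first is a stock Windows
# task; the second is a hypothetical task shaped like the one described in the
# article: a fixed-time trigger whose action feeds an .xsl file to wmic.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2019-09-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Updates\SalaryReview": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2019-10-15T09:30:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wbem\wmic.exe</Command>
      <Arguments>os get /format:"C:\Users\Public\report.xsl"</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def scan_task_xml(task_name, xml_text):
    """Return a finding dict for one task definition, or None if clean."""
    root = ET.fromstring(xml_text.strip())
    reasons, actions = [], []
    for exec_el in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
        for pattern, why in XSL_PATTERNS:
            if pattern.search(f"{cmd} {args}"):
                reasons.append(why)
    if not reasons:
        return None
    # Record how and when the task fires: the article notes a predefined time.
    triggers = [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", TASK_NS)]
    start = root.findtext("t:Triggers/*/t:StartBoundary", default="", namespaces=TASK_NS)
    return {"task": task_name, "actions": actions, "triggers": triggers,
            "start": start, "reasons": sorted(set(reasons))}


def scan_all(tasks):
    """Scan a {task_name: xml_text} mapping and return findings for flagged tasks."""
    findings = []
    for name, xml_text in tasks.items():
        finding = scan_task_xml(name, xml_text)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLE_TASKS):
        print(f"[!] {f['task']} fires via {f['triggers']} at {f['start'] or 'n/a'}")
        for cmd, args in f["actions"]:
            print(f"    action: {cmd} {args}")
        for why in f["reasons"]:
            print(f"    reason: {why}")
```

On a live host the input mapping would come from exporting every task (`schtasks /query /xml`, or `Get-ScheduledTask` followed by `Export-ScheduledTask` in PowerShell) rather than the embedded samples. The `.xsl` and `/format:` patterns will also catch a rare legitimate admin script, so treat a hit as a lead to triage (who authored the task, when it was registered, what the XSL file contains) rather than a verdict.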

The offer was attractive enough, and the file password-protected, that it was not easily recognised as fraudulent; the password also prevents mail and link scanners from inspecting the content before the victim opens it.

The conversation would start in a friendly way and then pressure the executives to answer more and more questions quickly, including which system the executive was using, so the attackers could determine the target's configuration.

The threat actors operated carefully and cleaned up their traces when moving from one system to another. Once the operation was complete, the attackers deleted the LinkedIn profiles they had used.

“We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don’t wait on requests; our threat intelligence team removes fake accounts using the information we uncover and intelligence from a variety of sources, including government agencies,” said Paul Rockwell, head of Trust and Safety at LinkedIn.
