New AeroBlade Hackers Target Aerospace Sector in the U.S.

Cyber Security Threat Summary:
Cyber security firm Blackberry has uncovered a campaign targeting an aerospace organization in the United States; researchers are tracking the actors behind it as 'AeroBlade'. Based on the observed attack, the actors used spear-phishing as their delivery mechanism, sending a weaponized document as an email attachment. If manually opened by the end user, the document employs a remote template injection technique to download the second-stage payload, which in turn is responsible for executing the final payload. In this case, the final payload is a malicious DLL that acts as a reverse shell, connecting to a hard-coded C2 server to transmit information to the actors.
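The remote template injection step described above can be spotted statically, before the document is ever opened: a .docx is a zip archive, and the attached-template relationship lives in word/_rels/settings.xml.rels. A target that is an HTTP(S) URL or a UNC path means Word will reach out over the network on open, whereas a relative path or a local file:/// path is what a normally attached template looks like. The following Python is an added example written for this page, not code from Blackberry's report or from the AeroBlade samples; the .docx files it inspects are constructed in memory, and the template URL and IP address are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML namespace used by .rels parts, and the relationship type Word uses
# for an attached template (the Normal.dotm-style link).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_target(target: str) -> bool:
    """True if a template target would make Word reach out over the network.

    http/https URLs fetch a remote template over the web; a UNC path
    (two leading backslashes) pulls it over SMB. A relative path or a
    file:///C:/... path is the normal case for a locally attached template
    and is not flagged.
    """
    if target.startswith("\\\\"):
        return True
    return urlsplit(target).scheme.lower() in ("http", "https")


def find_remote_templates(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels_part, target) for every attachedTemplate relationship
    that points outside the document. A clean file yields an empty list."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if is_remote_target(target):
                    hits.append((name, target))
    return hits


def build_docx(template_target: str, external: bool) -> bytes:
    """Build a minimal constructed .docx in memory (not a real sample) whose
    settings.xml.rels carries the given attachedTemplate target."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: hypothetical remote template URL, a documentation-range
# IP for the UNC case, and a benign locally attached Normal.dotm.
MALICIOUS = build_docx("http://template.example/stage2.dotm", external=True)
UNC = build_docx("\\\\203.0.113.5\\share\\t.dotm", external=True)
BENIGN = build_docx(
    "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm",
    external=True)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("unc", UNC), ("benign", BENIGN)):
        print(label, find_remote_templates(blob))
```

The same walk over .rels parts applies to .dotx/.dotm and, with the corresponding relationship types, to other OOXML containers; the check is deliberately narrow so that the file:/// targets Word writes for ordinary local templates do not produce false positives at the mail gateway.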

Security Officer Comments:
Researchers note that the campaign was conducted in two phases: the initial attack in September 2022 and the second in July 2023. The first attack has been described as a testing phase, with the actors launching their offensive phase nearly a year later. Although both attacks used the same infrastructure and a reverse shell as the final payload, the payload deployed in the 2023 attack is considerably stealthier and uses more obfuscation and anti-analysis techniques. The end goal of this campaign is cyber espionage. Given the gap between the two attacks, researchers assess that the actors spent the intervening time developing additional resources to ensure they could secure access to the sought-after information and exfiltrate it successfully.

Suggested Correction(s):
With spear-phishing being the initial infection vector for this campaign, organizations should train employees to recognize and report phishing emails. Because the chain only succeeds when a user opens the attachment and Office then fetches a remote template, training should be backed by technical controls: inspect inbound Office attachments for external template references, restrict or monitor outbound network connections made by Office applications, and block the hard-coded C2 server at the network boundary so that the reverse shell cannot call home even if the document is opened.