Security threats have been found impersonating the human resource employees from Collins Aerospace and General Dynamics in a spear-phishing move, by using LinkedIn messaging. The fake human resource employees sent job-seeking individuals fraudulent offers that were filled with malicious documents, to deliver exfiltration malware.
The attacks took place between September and December 2019 and have since been dubbed ‘Operation In(ter)ception.’ They were targeting individuals who work in the European and Middle East aerospace and military companies.
The victims of the operation received job offers, sent using LinkedIn messages. The offers claimed to be from well-known and credible companies in sectors relevant to the job seekers. Some of the companies included Collins Aerospace, a major supplier of defense and aerospace products, and General Dynamics.
A very sneaky approach
Usually, the document with the job offer came in the form of a password-protected RAR archive with an LNK file. Once the victims opened the file, they would get salary information related to the job. However, this PDF document was just a decoy.
Once they opened the PDF, a Command Prompt utility would initiate a scheduled task that would execute a remote XSL script. The script downloaded base64-encoded payloads which it then decoded using certutil, which is a command-line program, which is used in displaying certification authority (CA), backup and restore CA and verify the certificates.
Rundll32, which is used to run 32-bit dynamic-links libraries, would download and run a PowerShell DLL.
LinkedIn has not found evidence that connects the attacks to a specific group or an individual. However, there are similarities in the attacks’ targeting, development, and anti-analysis technique, that could point to the Lazarus Group. This suggestion comes from Paul Rockwell, head of trust and safety at LinkedIn.
Their team has been removing fake accounts using the information found so far. If you work in the targeted industries, please be aware.