Over the past year, a previously unknown threat actor has been observed launching cyberattacks against an aerospace organization in the United States, cybersecurity firm BlackBerry reports.
Dubbed AeroBlade, the adversary first targeted the organization in September 2022, as part of a ‘testing phase’, and then again in July 2023, with updated tools.
Apparently focused on cyberespionage, the two campaigns used identically named lure documents, delivered a reverse shell as the final payload, and used the same IP address for the command-and-control (C&C) server.
The second attack, however, was stealthier and employed additional evasion techniques, with the final payload including more capabilities.
According to BlackBerry, in both attacks, the attack vector was a spear-phishing email carrying a malicious Word document. When opened, the document employed a remote template injection to fetch a second stage that executed an XML file to create a reverse shell.
The initial document would display scrambled text to the intended victim, luring them into clicking the ‘Enable Content’ button, which downloaded the second stage and triggered the infection chain.
The second stage would display readable text to the victim, making them believe that the document was legitimate. However, it also ran a macro that executed a library originating from the first-stage document; this library acted as a reverse shell and connected to a hard-coded C&C.
A heavily obfuscated executable, the library can list all directories on the system, evade sandboxes and antivirus emulators, achieve persistence, and send information to a remote server.
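The remote template injection step described above leaves a trace in the document package itself: an `attachedTemplate` relationship whose target is an external URL rather than a local template. The following Python check is an added example for defenders, not BlackBerry's code or an artifact from the AeroBlade campaigns; the sample documents and the template URL it flags are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used in .rels files (standard, not campaign-specific).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REMOTE_PREFIXES = ("http://", "https://", "\\\\")  # web URL or UNC path


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return attachedTemplate targets in a .docx that point off-host.

    A local template (file:///C:/.../Normal.dotm) is normal Word behaviour;
    an http(s) or UNC target is the remote template injection pattern.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(REMOTE_PREFIXES):
                    hits.append(target)
    return hits


def build_docx(settings_rels_xml: str) -> bytes:
    """Build a minimal constructed .docx containing the given settings.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


# Constructed samples: one injected remote template, one ordinary local template.
_REL = '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/></Relationships>'
SUSPICIOUS_RELS = _REL % (REL_NS, ATTACHED_TEMPLATE, "http://template.example.invalid/stage2.dotm")
BENIGN_RELS = _REL % (REL_NS, ATTACHED_TEMPLATE, "file:///C:/Users/user/Templates/Normal.dotm")
```

Run `find_remote_templates(build_docx(SUSPICIOUS_RELS))` to see the flagged target; the benign sample returns an empty list.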
“Based on the content of the lure message, an aerospace company in the United States was the intended target for both campaigns. The development of this threat group’s toolkit indicates that the operator has been active for at least one year. Exactly who is behind these two campaigns remains unknown,” BlackBerry notes.
The cybersecurity firm is highly confident that the purpose of the attacks was commercial cyberespionage, with the intent of gaining visibility into the victim’s internal network to “weigh its susceptibility to a future ransom demand”.
“Based on the threat actor’s operations timelines — September 2022 and then July 2023 — we can surmise that this shows the group’s interest in the target remained consistent between the first and second campaign, as evidenced by the increased complexity of the second campaign compared to the first,” BlackBerry concludes.