
New Threat Actor ‘AeroBlade’ Targeted US Aerospace Firm in Espionage Campaign

BlackBerry attributes a cyberattack against an aerospace organization in the US to a new threat actor named AeroBlade.

Over the past year, a previously unknown threat actor has been observed launching cyberattacks against an aerospace organization in the United States, cybersecurity firm BlackBerry reports.

Dubbed AeroBlade, the adversary first targeted the organization in September 2022, as part of a ‘testing phase’, and then again in July 2023, with updated tools.

Apparently focused on cyberespionage, the two campaigns used identically named lure documents, delivered a reverse shell as the final payload, and used the same IP address for the command-and-control (C&C) server.

The second attack, however, was stealthier and employed additional evasion techniques, with the final payload including more capabilities.

According to BlackBerry, in both attacks, the attack vector was a spear-phishing email carrying a malicious Word document. When opened, the document employed a remote template injection to fetch a second stage that executed an XML file to create a reverse shell.

The initial document would display scrambled text to the intended victim, luring them into clicking the ‘Enable Content’ button to download the second stage and trigger the infection chain.

The second stage would display readable text to the victim, making them believe that the document was legitimate. However, it also ran a macro that executed a library from the first-stage document that acted as a reverse shell and connected to a hardcoded C&C.

A heavily obfuscated executable, the library can list all directories on the system, evade sandboxes and antivirus emulators, achieve persistence, and send information to a remote server.


“Based on the content of the lure message, an aerospace company in the United States was the intended target for both campaigns. The development of this threat group’s toolkit indicates that the operator has been active for at least one year. Exactly who is behind these two campaigns remains unknown,” BlackBerry notes.

The cybersecurity firm is highly confident that the purpose of the attacks was commercial cyberespionage, with the intent of gaining visibility into the victim’s internal network to “weigh its susceptibility to a future ransom demand”.

“Based on the threat actor’s operations timelines — September 2022 and then July 2023 — we can surmise that this shows the group’s interest in the target remained consistent between the first and second campaign, as evidenced by the increased complexity of the second campaign compared to the first,” BlackBerry concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
