AeroBlade on the Hunt Targeting the U.S. Aerospace Industry

BlackBerry Threat Research uncovers AeroBlade, a previously unknown threat actor targeting a U.S. aerospace organization for commercial cyber espionage. The operation spans two campaigns (Sept 2022 and July 2023) and involves spear-phishing with weaponized Word documents, multi-stage payloads, and a stealthier final DLL reverse-shell with directory-listing capabilities. #AeroBlade #AerospaceIndustry

Keypoints

  • AeroBlade is a newly identified threat actor tracked by BlackBerry; activities focused on a U.S. aerospace company with commercial espionage goals.
  • The attack chain begins with spear-phishing using a weaponized Word document and remote template injection to fetch a second stage.
  • The final payload is a heavily obfuscated DLL that provides a reverse shell and can enumerate directories, with strong anti-analysis measures.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Delivered via targeted email with a weaponized Word document containing an embedded remote template injection and malicious VBA macro code. “The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution.”
  • [T1221] Remote Template Injection – The docx document employs remote template injection to download the second stage of the infection. “The docx document employs remote template injection, MITRE ATT&CK technique T1221, to download the second stage of the infection.”
  • [T1204.002] User Execution: Malicious File – User opens the document and is prompted to enable content, triggering execution. “The document displays text in a deliberately scrambled font, along with a ‘lure’ message asking the potential victim to click it to enable the content in MS Office.”
  • [T1059.005] Visual Basic – The attack relies on a malicious macro; the second-stage macro runs a library included in the first-stage document. “The second-stage macro also copies the OLE document… to a hard-coded file name at a specific path.”
  • [T1106] Native API – The final payload uses API hashing and anti-analysis techniques to hide Windows API usage. “API hashing to hide its usage of Windows functions; The hash function used is Murmur.”
  • [T1059.003] Windows Command Shell – The reverse shell is created by launching cmd.exe with redirected pipes via CreateProcessW. The string “cmd.exe” and the associated GetStdHandle/CreatePipe/CreateProcessW call sequence are used to spawn the reverse shell.
  • [T1203] Exploitation for Client Execution – The final payload is a DLL that executes to enable persistence and remote control via C2. “The final payload is a DLL that acts as a reverse shell that connects to a hard-coded C2 server.”
  • [T1071.001] Web Protocols – C2 communications occur over port 443 to a fixed C2 host. “The C2 server IP address is the same… connects to the C2 server, transmitting all its collected information, and spawning a reverse shell, while also sending a list of directories.”
  • [T1105] Ingress Tool Transfer – The second stage is downloaded as part of the infection chain. “The next-stage information is saved in an XML… a… .dotm file downloads the second-stage document.”
  • [T1041] Exfiltration – Data is transmitted to the C2, including system information and directory lists. “transmitting all its collected information, and spawning a reverse shell, while also sending a list of directories found on the infected system.”
  • [T1083] File and Directory Discovery – The payload can list directories on the infected system. “lists all directories found on the now-infected system.”
  • [T1082] System Information Discovery – The malware collects system information from the infected machine. “Collects system information from the infected machine.”
  • [T1033] Account Discovery – The sample captures username information via GetUserNameA() and computer name via GetComputerNameA(). “username using GetUserNameA()” and “computer name using GetComputerNameA()”
  • [T1016] System Network Configuration Discovery – The malware gathers IPs and MACs via GetAdaptersInfo(). “IPV4 addresses using GetAdaptersInfo()” and “MAC addresses using GetAdaptersInfo()”
  • [T1053.005] Scheduled Task – Persistence via Windows Task Scheduler with a daily task named WinUpdate2. “Persistence is achieved via Windows Task Scheduler… WinUpdate2”
  • [T1140] Deobfuscate/Decode Files or Information – Static configuration is AES encrypted. “Static configuration is AES encrypted…”
  • [T1027] Obfuscated/Compressed Files and Information – The executable is heavily obfuscated to impede analysis. “heavily obfuscated executable which implements complex techniques… anti-disassembly”
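A defender-side check for the remote template injection stage (T1221) described above, added here as an example and not code from the BlackBerry report: it opens a .docx package and flags any attachedTemplate relationship whose target is external, which is what makes Word fetch a remote .dotm when the file is opened. The sample documents, the hostnames and the function names are constructed for illustration.

```python
"""Flag Word documents whose settings relationships pull the attached template from a remote location."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the external targets of every attachedTemplate relationship in the package.

    Word resolves word/_rels/settings.xml.rels when the document opens; an external
    attachedTemplate target (URL or UNC path) causes it to download that template,
    which is how a remote .dotm carrying macros gets pulled in.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return []  # no settings relationships at all, so no attached template
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    remote = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type", "") != ATTACHED_TEMPLATE_TYPE:
            continue
        target = rel.get("Target", "")
        # Either an explicit external mode or a URL/UNC-looking target is worth flagging.
        if rel.get("TargetMode") == "External" or target.lower().startswith(("http://", "https://", "\\\\")):
            remote.append(target)
    return remote


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal, non-functional .docx in memory for testing (constructed input, not a real sample)."""
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target:
        rels += f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" Target="{template_target}" TargetMode="External"/>'
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a benign document and one referencing a remote template (placeholder host).
    for label, doc in (("benign", build_sample_docx(None)),
                       ("remote-template", build_sample_docx("https://template-host.invalid/t.dotm"))):
        print(label, find_remote_templates(doc))
```

Running the same check over a mail gateway's attachment queue or a sandbox's dropped-file store gives an early signal for this stage, before any macro runs.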

Indicators of Compromise

  • [IPv4 Address] context – C2-related IPs and infrastructure: [redacted].217, [redacted].195, and 2 more
  • [Domain] context – C2 domains: redacted.redacted.com and redacted.redacted.com
  • [File Hash] context – Second-stage payload hashes: 16bd34c3f00288e46d8e3fdb67916aa7c68d8a0622f2c76c57112dae36c76875, 885B04081BD89F5E23CBC59723052601, 6d515dafef42a5648754de3c0fa6adfcb8b57af1c1d69e629b0d840dab7f91ec, 62D3FF36EC8A721488E512E1C94B2744
  • [File Hash] context – Additional hashes related to the second stage: abc348d3cc40521afc165aa6dc2d66fd9e654d91e3d66461724ac9490030697f, A04D2C0AA0A798047161118B5D5816AA

Read more: https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry