Securonix Threat Labs uncovered a covert campaign targeting military contractors, leveraging sophisticated PowerShell-based stagers, multi-layer obfuscation, and resilient C2 infrastructure. The attackers used spearphishing with a .lnk shortcut, extensive anti-analysis and anti-forensics measures, and multiple persistence methods to maintain a foothold while evading defenses. #SteepMaverick #CobhamSatcom #F35
Key points
- Spearphishing was the primary initial access method, delivering a compressed attachment that contained a shortcut file (Company & Benefits.lnk).
- The initial infection triggers a PowerShell-based stager chain, with eight heavily obfuscated stages loaded from a remote C2.
- The malware employs AMSI evasion, counter-forensics, and anti-analysis checks to hinder security tooling and analysis.
- Persistence is achieved via registry embedding, WMI event subscriptions, scheduled tasks, and startup shortcuts, with living-off-the-land binaries (LOLBins) used to spawn processes.
- Defense evasion includes Windows Defender tampering via MpCmdRun, Windows Firewall exclusions, and suppression of logging (Event Tracing for Windows and PowerShell Script Block Logging).
- Command and control is maintained through multiple "terma" domains registered under different TLDs (terma.dev, terma.app, etc.), fronted by the Cloudflare CDN to mask the origin infrastructure.
- The final payload is an AES-encrypted file downloaded from the C2, decrypted and executed via obfuscated PowerShell; the report indicates that a portion of the payload may be replaced on the server over time.
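The persistence and defense-evasion mechanisms in the key points above are all things a responder can check for on a live host. The script below is an added example and is not code from the Securonix report or from the campaign itself: it enumerates WMI permanent event subscriptions, scheduled tasks (including the task names cited on this page), Startup-folder shortcuts, the Script Block Logging policy, Defender exclusions and signature state, and outbound firewall rules. The regular expression that decides what counts as a suspicious command line, the seven-day signature-age threshold, and the assumption that the only normal WMI binding is the built-in "SCM Event Log Consumer" are my own assumptions and should be tuned to your environment. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the Securonix report): hunt for the persistence and
# defense-evasion artifacts described in the key points. Run as administrator.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# Assumption: a command line that launches a script host or LOLBin, hides its window,
# or carries an encoded/remote payload is worth a look. Tune this to your environment.
$suspect = 'powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|-enc|-e |iex|invoke-expression|downloadstring|-w(indowstyle)? hidden'

# 1. WMI permanent event subscriptions (T1546.003). A clean host normally has only the
#    built-in "SCM Event Log Consumer" binding (assumption); any CommandLine consumer
#    that runs a script host, or any ActiveScript consumer at all, is unusual.
$ns = 'root\subscription'
foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
    if ($c.CommandLineTemplate -match $suspect) {
        Add-Finding 'WMI CommandLineEventConsumer' $c.Name $c.CommandLineTemplate
    }
}
foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
    Add-Finding 'WMI ActiveScriptEventConsumer' $c.Name ($c.ScriptText -replace '\s+', ' ')
}
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    if ($b.Consumer.Name -ne 'SCM Event Log Consumer') {
        Add-Finding 'WMI binding' $b.Filter.Name $b.Consumer.Name
    }
}

# 2. Scheduled tasks: the names cited on this page, plus any task whose action
#    matches the suspicious pattern. Genuine Edge update tasks are not named with
#    an underscore after "Machine", so the -like filter does not catch them.
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $t.Actions) {
        $line = "$($a.Execute) $($a.Arguments)"
        if ($t.TaskName -like 'MicrosoftEdgeUpdateTaskMachine_*' -or $line -match $suspect) {
            Add-Finding 'Scheduled task' "$($t.TaskPath)$($t.TaskName)" $line
        }
    }
}

# 3. Startup-folder shortcuts whose target is a script host or LOLBin.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        $sc   = $shell.CreateShortcut($lnk.FullName)
        $line = "$($sc.TargetPath) $($sc.Arguments)"
        if ($line -match $suspect) { Add-Finding 'Startup shortcut' $lnk.FullName $line }
    }
}

# 4. Script Block Logging policy. A missing or zero value is reported so you can confirm
#    whether logging is off by policy or by tampering. Note that in-process ETW patching
#    leaves no registry trace and is not visible to this check.
$sbl    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sblVal = (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($sblVal -ne 1) {
    Add-Finding 'Logging' 'ScriptBlockLogging' "EnableScriptBlockLogging = $sblVal (expected 1)"
}

# 5. Defender exclusions and signature state. MpCmdRun can strip definitions; an engine
#    that is still enabled but has stale signatures is a hint worth following up.
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($p) { Add-Finding 'Defender exclusion' $p '' }
    }
    $st = Get-MpComputerStatus -ErrorAction Stop
    if (-not $st.AntivirusEnabled -or $st.AntivirusSignatureAge -gt 7) {   # 7 days is an assumption
        Add-Finding 'Defender state' 'Signatures' "Enabled=$($st.AntivirusEnabled) SignatureAge=$($st.AntivirusSignatureAge) days"
    }
} catch { Add-Finding 'Defender' 'Get-MpPreference' "unavailable: $($_.Exception.Message)" }

# 6. Outbound allow rules whose program is a script host or LOLBin.
foreach ($r in Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
    $prog = ($r | Get-NetFirewallApplicationFilter).Program
    if ($prog -match $suspect) { Add-Finding 'Firewall rule' $r.DisplayName $prog }
}

$findings | Format-Table -AutoSize -Wrap
```

Every finding is reported rather than filtered, so expect some benign hits (an admin's own scheduled PowerShell jobs, for example); the value is in the combination of a hidden-window PowerShell task, an unusual WMI consumer and a disabled logging policy appearing on the same host.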
MITRE Techniques
- [T1566] Phishing – Initial access via spearphishing with a malicious .lnk attachment: “phishing email contains a compressed file containing a shortcut file, in this case ‘Company & Benefits.lnk’.”
- [T1027] Obfuscated Files or Information – The stager chain is “very heavily obfuscated” across eight layers; obfuscation is used extensively.
- [T1140] Deobfuscate/Decode Files or Information – Layers include deobfuscation steps as the payload unfolds.
- [T1202] Indirect Command Execution – Staged execution is driven through PowerShell and indirect invocation patterns rather than direct binaries (e.g., Invoke-Expression (IEX) over content fetched from the remote C2).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Core execution method for loader and stagers.
- [T1047] Windows Management Instrumentation – Used to obtain system information and support execution/persistence flows.
- [T1112] Modify Registry – Registry persistence is employed to embed malicious scripts for startup execution.
- [T1547] Boot or Logon Autostart Execution – Registry persistence and startup shortcut techniques for persistence.
- [T1053] Scheduled Task/Job – Scheduled tasks are created for persistence, named to resemble Microsoft Edge update tasks (MicrosoftEdgeUpdateTaskMachine_System and MicrosoftEdgeUpdateTaskMachine_User).
- [T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription – WMI-based persistence via event subscriptions.
Indicators of Compromise
- [Domains] terma.dev, terma.app, and related domains terma.icu, terma.vip, terma.wiki, terma.pics, terma.lol, terma.ink; cobham-satcom.onrender.com (onrender.com is the shared hosting domain of the Render platform, so treat the full subdomain as the indicator rather than the apex). Because the terma domains sit behind Cloudflare, their resolved addresses are Cloudflare edge IPs and should not be blocked on their own.
- [IP Addresses] 199.53.243 and 227.139.39
- [Registry keys] HKLM:\Software\Classes\ms-offices\Shell\Open\command; HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
- [File Hashes] s: Da0888f06b2e690a3a4f52f3b04131f7a181c12c3cb8e6861fc67ff062beef37; w: Da0888f06b2e690a3a4f52f3b04131f7a181c12c3cb8e6861fc67ff062beef37 (identical to s); png: 691c0a362337f37cf6d92b7a80d7c6407c433f1b476406236e565c6ade1c5e87
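To turn the list above into a host check, the script below (an added example, not code from the Securonix report or the page) sweeps the DNS client cache for the listed domains, tests for the two registry keys and reads their default values, and hashes files in a set of user-writable directories against the listed SHA-256 values, also flagging any copy of the lure shortcut by name. The domains, registry paths, hashes and lure filename are taken from the list; the directories scanned are an assumption. Only the specific cobham-satcom.onrender.com host is matched, since the onrender.com apex also serves unrelated sites, and the IP addresses are left out because the entries above are not complete dotted-quad addresses.

```powershell
# Added example (not from the Securonix report): sweep a host for the indicators
# listed on this page. Run as administrator so all profiles and the DNS cache are readable.

$iocDomains = @('terma.dev', 'terma.app', 'terma.icu', 'terma.vip', 'terma.wiki',
                'terma.pics', 'terma.lol', 'terma.ink', 'cobham-satcom.onrender.com')
# The two "s"/"w" entries share one hash, so only two distinct values are needed.
$iocHashes  = @('DA0888F06B2E690A3A4F52F3B04131F7A181C12C3CB8E6861FC67FF062BEEF37',
                '691C0A362337F37CF6D92B7A80D7C6407C433F1B476406236E565C6ADE1C5E87')
$iocRegKeys = @('HKLM:\Software\Classes\ms-offices\Shell\Open\command',
                'HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command')
$lureName   = 'Company & Benefits.lnk'
# Assumption: the places a phished user is likely to have dropped the archive contents.
$scanDirs   = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit([string]$Kind, [string]$Indicator, [string]$Where) {
    $hits.Add([pscustomobject]@{ Kind = $Kind; Indicator = $Indicator; Where = $Where })
}

# 1. DNS client cache: exact match or any subdomain of a listed domain.
foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($d in $iocDomains) {
        if ($entry.Entry -eq $d -or $entry.Entry -like "*.$d") {
            Add-Hit 'DNS cache' $d "$($entry.Entry) -> $($entry.Data)"
        }
    }
}

# 2. Registry keys: presence alone is the indicator; the default value shows what runs.
foreach ($k in $iocRegKeys) {
    if (Test-Path -Path $k) {
        $cmd = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
        Add-Hit 'Registry key' $k "(default) = $cmd"
    }
}

# 3. Files: hash everything under the scan directories and compare to the listed values;
#    also report the lure shortcut by name, since its hash is not on the page.
foreach ($dir in $scanDirs | Where-Object { $_ -and (Test-Path -Path $_) }) {
    foreach ($f in Get-ChildItem -Path $dir -File -Recurse -Force -ErrorAction SilentlyContinue) {
        if ($f.Name -eq $lureName) { Add-Hit 'Lure filename' $lureName $f.FullName }
        $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $iocHashes -contains $h) { Add-Hit 'File hash' $h $f.FullName }
    }
}

if ($hits.Count -eq 0) { 'No indicators from the list were found on this host.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

A DNS-cache hit only proves a lookup happened recently on this host; for anything older, run the same domain list against resolver or proxy logs, where the Cloudflare fronting also means the answer IPs carry no attribution value.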