Press Center

Malware and antivirus software

News

Operation In(ter)ception: Starting with a LinkedIn message, threat actors went after both secret information and money

Created: 2020-06-17 12:27:03

ESET researchers have discovered an operation, with a possible link to the infamous Lazarus group, that used unconventional spearphishing and custom, multistage malware against aerospace and military companies.

BRATISLAVA – ESET researchers have discovered highly targeted cyberattacks that are notable for using LinkedIn-based spearphishing, employing effective tricks to stay under the radar and apparently having financial gain, in addition to espionage, as a goal.  The attacks, which ESET researchers dubbed Operation In(ter)ception based on a related malware sample named “Inception.dll,” took place from September to December 2019.

The attacks that ESET researchers investigated started with a LinkedIn message. “The message was a quite believable job offer, seemingly from a well-known company in a relevant sector. Of course, the LinkedIn profile was fake, and the files sent within the communication were malicious,” comments Dominik Breitenbacher, the ESET malware researcher who analyzed the malware and led the investigation.

The files were sent directly via LinkedIn messaging, or via email containing a OneDrive link. For the latter option, the attackers created email accounts corresponding with their fake LinkedIn personas.

Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, malware was silently deployed on the victim’s computer. In this way, the attackers established an initial foothold and reached a solid persistence on the system.

Next, the attackers performed a series of steps that ESET researchers describe in their white paper “
Operation In(ter)ception: Targeted attacks against European aerospace and military companies.” Among the tools the attackers utilized was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools. In addition, they leveraged so-called “living off the land” tactics: abusing preinstalled Windows utilities to perform various malicious operations.

“The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to the infamous Lazarus group. However, neither the malware analysis nor the investigation allowed us to gain insight into what files the attackers were aiming for,” comments Breitenbacher.

Besides espionage, ESET researchers found evidence that the attackers attempted to use the compromised accounts to extract money from other companies.

Among the victim’s emails, the attackers found communication between the victim and a customer regarding an unresolved invoice. They followed up the conversation and urged the customer to pay the invoice – of course, to a bank account of their own. Fortunately, the victim company’s customer became suspicious and reached out to the victim for assistance, thwarting the attackers’ attempt to conduct a so-called business email compromise attack.“

This attempt to monetize the access to the victim’s network should serve as yet another reason for both establishing strong defenses against intrusions and providing cybersecurity training for employees. Such education could help employees recognize even lesser-known social engineering techniques, like the ones used in Operation In(ter)ception,” concludes Breitenbacher.

For more technical details about Operation In(ter)ception, read the full 
blogpost and white paper “Operation In(ter)ception: Targeted attacks against European aerospace and military companies” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.




About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.