'AeroBlade' Group Hacks US Aerospace Company

A US aerospace company was recently subjected to a nearly yearlong commercial cyberespionage campaign, carried out by a seemingly new threat actor researchers have named "AeroBlade."

Unlike the high-stakes aerospace espionage carried out by major nation-state and ransomware groups in recent years, this latest bout, documented last week by Blackberry, follows a characteristically old script: a phishing bait-and-switch, template injection, VBA macro code, and so on.

Though old hat, the campaign — split into a testing (September 2022) and execution phase (July 2023) — managed to remain undetected for the better part of a year thanks to thorough anti-analysis protections.

The ultimate success of the campaign, and the nature of any data which might have been accessed, is not yet known.

Aerospace Espionage, via Word

The two attacks began, as so many before it have, with lure documents encased in phishing emails.

Once clicked, the attachments revealed Microsoft Word documents with scrambled text. The documents also contained a suspicious header: "SOMETHING WENT WRONG Enable Content to load the document."

Mimicking the macros notifications of old, the false flag lured victims into clicking and, unwittingly, retrieving and executing a malicious Microsoft Word template (DOTM) file. Injected in the template was a legible decoy document, as well as the instructions for a second-stage infection.

The final payload at the end of this chain was a dynamic link library (DLL) file acting as a reverse shell. The payload collected and exfiltrated system information and directories, and established persistence by creating a task in Windows Task Scheduler, to trigger every morning at 10:10 AM local time.

Developing Stealth Techniques

After its initial "test" attack, AeroBlade returned for real with a series of more advanced stealth techniques built into its payload.

The group's staying power may be at least partly attributed to how careful it was in, for example, diligently checking for characteristic signs of a sandbox environment or antivirus software, and also the many ways in which it obfuscated its malicious code.

For example, the executable used custom encoding for each string, and API hashing with MurmurHash to conceal how it used Windows functions. It also came fitted with a number of anti-disassembly techniques including control flow obfuscation, splicing data into code, and using dead-code executed instructions — code which gets executed, but whose result has no bearing on the rest of the program — to throw off analysts.

Given all of the facts of the case, the researchers concluded "with a high degree of confidence that this was a commercial cyberespionage campaign. Its purpose was most likely to gain visibility over the internal resources of its target in order to weigh its susceptibility to a future ransom demand."