Operation In(ter)ception: Targeted attacks against European aerospace and military companies

June 19, 2020

ESET researchers have discovered an operation, with a possible link to the infamous Lazarus group, that used unconventional spearphishing and custom, multistage malware against aerospace and military companies.

ESET researchers have discovered highly targeted cyberattacks that are notable for using LinkedIn-based spearphishing, employing effective tricks to stay under the radar and apparently having financial gain, in addition to espionage, as a goal. The attacks, which ESET researchers dubbed Operation In(ter)ception based on a related malware sample named “Inception.dll,” took place from September to December 2019.

The attacks that ESET researchers investigated started with a LinkedIn message. “The message was a quite believable job offer, seemingly from a well-known company in a relevant sector. Of course, the LinkedIn profile was fake, and the files sent within the communication were malicious,” comments Dominik Breitenbacher, the ESET malware researcher who analyzed the malware and led the investigation.

The files were sent directly via LinkedIn messaging, or via email containing a OneDrive link. For the latter option, the attackers created email accounts corresponding with their fake LinkedIn personas.

Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, malware was silently deployed on the victim’s computer. In this way, the attackers established an initial foothold and reached a solid persistence on the system.

Next, the attackers performed a series of steps that ESET researchers describe in this white paper.


At the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East. Following our discovery, we carried out a collaborative investigation with two of the affected European companies.

The attacks, which we dubbed Operation In(ter)ception based on a related malware sample named “Inception.dll”, took place from September to December 2019. They were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware. To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities and impersonated legitimate software and companies. To our knowledge, the custom malware used in Operation In(ter)ception hasn’t been previously documented.

According to our investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers tried to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

While we did not find strong evidence connecting the attacks to a known threat actor, we did discover several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used. In this white paper, we will offer insight into the modus operandi of the attackers and provide a technical analysis of the malware used in the attacks.


About the Provider

ESET began life as a pioneer of antivirus protection, creating award-winning threat detection software. Now, ESET’s goal is to make sure that everybody can enjoy the breathtaking opportunities that technology offers. Today, our security solutions allow businesses and consumers in more than 200 countries and territories to make the most of the digital world.

