"Researchers Uncover Covert Attack Campaign Targeting Military Contractors"

A newly documented covert attack campaign used spear-phishing emails to target multiple military and weapons contractor companies, triggering a multi-stage infection chain designed to deploy an as-yet-unidentified payload on compromised machines. Securonix has dubbed the highly targeted intrusions "STEEP#MAVERICK." Among the targets was a strategic supplier to the F-35 Lightning II fighter aircraft. The attacks took place in late summer 2022 and hit at least two high-profile military contractor companies, according to an analysis by Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov.

The infection chain starts with a phishing email carrying a ZIP archive. The archive contains a shortcut file posing as a PDF document about "Company & Benefits"; opening the shortcut retrieves a stager from a remote server, an initial component whose only job is to download the actual malware. The PowerShell script run at this stage fetches a remote payload named "header.png" hosted on a server at "terma[.]app," and that PowerShell stager kicks off what the researchers describe as a "robust chain of stagers" that progresses through seven further stages.

The malware also carries anti-analysis checks. It reads the amount of physical memory and terminates itself if the machine has less than 4 GB, and it looks for virtualization infrastructure to determine whether it is running inside an analysis environment or sandbox. If that check indicates a virtual machine or sandbox, the malware disables the system's network adapters, reconfigures Windows Firewall to block all inbound and outbound traffic, recursively deletes data from all drives, and shuts the computer down. The article goes on to discuss further findings from the analysis of the STEEP#MAVERICK attacks.
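The two anti-analysis gates described above (physical memory below 4 GB, and the presence of virtualization) matter to anyone detonating the sample: an under-provisioned or obviously virtual sandbox will not see the later stages, and may instead have its network adapters disabled and its drives wiped. The script below is an added example, not code from the Securonix report or from the malware, that lets an analyst check in advance whether a detonation VM would pass those gates. The list of hypervisor strings it matches on is an assumption; the page does not say which artifacts the stager inspects, only that it checks for virtualization.

```powershell
# Added example (not the malware's code, not Securonix's): report whether this host
# would pass the two STEEP#MAVERICK anti-analysis gates reported in the article.
# Assumptions: the RAM threshold is 4 GB as reported; the hypervisor fingerprint
# strings below are a common-knowledge list, not taken from the sample.
function Test-SandboxGate {
    [CmdletBinding()]
    param(
        # Reported threshold: the stager exits when physical memory is below 4 GB.
        [long]$MinimumRamBytes = 4GB
    )

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Gate 1: physical memory. TotalPhysicalMemory is reported in bytes.
    $ramOk = [long]$cs.TotalPhysicalMemory -ge $MinimumRamBytes

    # Gate 2: virtualization. Two signals: the HypervisorPresent flag, and
    # well-known vendor strings in the system/BIOS identity fields (assumed list).
    $vmPattern   = 'VMware|VirtualBox|innotek|QEMU|KVM|Xen|Hyper-V|Virtual Machine|Parallels|Bochs'
    $fingerprint = @($cs.Manufacturer, $cs.Model, $bios.Manufacturer, $bios.SMBIOSBIOSVersion) -join ' | '
    $vmDetected  = ($cs.HypervisorPresent -eq $true) -or ($fingerprint -match $vmPattern)

    [pscustomobject]@{
        TotalPhysicalMemoryGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
        RamCheckPassed        = $ramOk
        VirtualizationSeen    = $vmDetected
        Fingerprint           = $fingerprint
        # Only a host that passes both gates would reach the later stagers.
        WouldReachLaterStages = $ramOk -and -not $vmDetected
    }
}

Test-SandboxGate | Format-List
```

Run it inside the detonation VM before detonating. A result with `VirtualizationSeen = True` or `RamCheckPassed = False` means the sample will, by the article's description, either exit early or take the destructive branch, so the VM should be given at least 4 GB of RAM and have its vendor strings and hypervisor flag masked before the sample is executed, and a snapshot taken first in case the wipe path still triggers.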

THN reports "Researchers Uncover Covert Attack Campaign Targeting Military Contractors"
