AeroBlade hackers conduct espionage against the US aerospace

January 31, 2024

A covert cyber espionage campaign led by AeroBlade hackers currently targets the United States’ aerospace sector. The group is relatively new in the cybercriminal landscape, so researchers still know little about its attacks.

Based on reports, the operation ran in two planned phases: a trial run in September last year and a more advanced campaign last July. AeroBlade’s modus operandi relies on spear-phishing with weaponised documents to infiltrate corporate networks, deploying a reverse-shell payload that can enumerate files on the compromised host and steal data.

Further research also suggests that AeroBlade’s primary objective is commercial cyber espionage to gather invaluable information from the aerospace sector. The first wave of attacks occurred in September 2022.


The AeroBlade hackers started to do test runs on their targets last year.


Last year, the AeroBlade hackers utilised phishing emails carrying a malicious Word document (.docx) that used remote template injection to download a second-stage, macro-enabled DOTM template file.

Once activated, the malicious macros in the DOTM file open a reverse shell on the target’s system, linking it to the operators’ command and control server. The investigation also explained that the attack was designed to make victims believe they had downloaded legitimate documents.

However, these documents include a heavily obfuscated DLL, a reverse shell payload with sophisticated anti-analysis mechanisms like sandbox detection, custom string encoding, disassembly protection, and API hashing to mask Windows function abuse.

The payload could also establish persistence on the system through the Windows Task Scheduler, ensuring a resilient position even after the system reboots.

Furthermore, this year’s samples show a significant upgrade in their latest attack. The operation added an enhanced ability to list directories and exfiltrate data, which was absent from last year’s attacks because the actors then focused on testing their intrusion and infection chains.

The true origin of AeroBlade and its main objectives for these attacks remain a mystery, leaving researchers to speculate on the potential motives. Some experts theorised that the group wants to steal specific data for intelligence gathering and sell it to international competitors, which would explain why the United States aerospace industry, home to some of the most advanced companies in the field, is currently its primary target.
