Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.
The highly targeted attacks begin with a phishing email sent to employees, leading to a multi-stage infection that uses multiple persistence and detection-evasion mechanisms.
The campaign stands out for its secure C2 infrastructure and multiple layers of obfuscation in the PowerShell stagers.
Analysts at Securonix discovered the attacks but couldn’t attribute the campaign to any known threat actor, although the report notes some similarities with past APT37 (Konni) attacks.
The phishing email targeting employees includes a ZIP attachment that contains a shortcut file (“Company & Benefits.pdf.lnk”), which, upon execution, connects to the C2 and launches a chain of PowerShell scripts that infect the system with malware.
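The initial lure described above (a ZIP attachment carrying a shortcut file with a deceptive `.pdf.lnk` double extension) is the kind of thing a mail gateway can catch before the shortcut ever runs. The following is an added example written for this article, not code from Securonix or from the report: it inspects a ZIP attachment for shortcut and script members, flags double extensions that masquerade as documents, and also checks each member's first bytes for the Windows shell-link header so a `.lnk` renamed to `.pdf` is still caught. The extension policy lists and the sample archive are constructed for the example.

```python
import io
import zipfile
from dataclasses import dataclass

# Assumption: gateway policy lists; tune for the environment.
SUSPICIOUS_EXTENSIONS = {".lnk", ".js", ".vbs", ".hta", ".scr"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Windows shell link (.lnk) files begin with HeaderSize 0x4C (little-endian)
# followed by the ShellLink CLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")


@dataclass
class Finding:
    member: str
    reason: str


def inspect_member_name(name: str) -> list[str]:
    """Return the reasons a single archive member name looks like a lure."""
    reasons = []
    lower = name.rsplit("/", 1)[-1].lower()  # drop any directory component
    parts = lower.split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"executable shortcut/script extension {ext}")
        # "Company & Benefits.pdf.lnk": document extension hiding before the real one
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension masquerading as .{parts[-2]}")
    return reasons


def inspect_zip(data: bytes) -> list[Finding]:
    """Scan every file in a ZIP archive by name and by leading bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for reason in inspect_member_name(info.filename):
                findings.append(Finding(info.filename, reason))
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            # Content check catches a shortcut whose name was changed to hide it.
            if head.startswith(LNK_MAGIC) and not info.filename.lower().endswith(".lnk"):
                findings.append(Finding(info.filename, "shell link header with non-.lnk extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: one benign PDF, one lure .lnk, one renamed .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed benign document\n")
        zf.writestr("Company & Benefits.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("disguised.pdf", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"QUARANTINE {f.member!r}: {f.reason}")
```

The name check alone is cheap and catches the lure exactly as described in the report; the header check adds coverage for the renamed-shortcut variant at the cost of reading the first 20 bytes of each member, which is negligible for mail-sized archives.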