
Securonix Detects New Covert Attack Campaign Targeting Military Contractors

SINGAPORE & ASEAN – October 3, 2022 – The Securonix Threat Research team recently discovered a new covert attack campaign targeting multiple military/weapons contractor companies, likely including a strategic supplier to the F-35 Lightning II fighter aircraft.

The stager relied mostly on PowerShell. While stagers written in PowerShell are not unique, the procedures involved featured an array of interesting tactics, persistence methodology, counter-forensics, and layers upon layers of obfuscation to hide its code.

Additionally, the remote infrastructure or command and control (C2) involved with the stager was relatively sophisticated. 

Target Analysis and Attack Chain

The attack was carried out starting in late summer 2022 targeting at least two high-profile military contractor companies.

The overall attack chain is shown in Figure 1 below, which highlights the initial compromise phase of the attack.

Figure 1: Attack chain

Initial Infection: Shortcut to Code Execution

As with many targeted campaigns, initial infection begins with a phishing email sent to the target containing a malicious attachment. Similar to the STIFF#BIZON campaign reported earlier this year, the phishing email carries a compressed file containing a shortcut file, in this case “Company & Benefits.lnk”.

Figure 2: Company & Benefits.pdf.lnk

The shortcut file does some tricky things to avoid detection. First, it attempts to hide its execution by calling forfiles rather than cmd.exe or powershell.exe.

It then copies the powershell.exe executable to C:\Windows, renames it to AdobeAcrobatPDFReader, and uses that renamed copy to execute the rest of the PowerShell string. Logs generated by Sysinternals Sysmon capture this, as shown in Figure 3 below.

Figure 3: Windows logs showing renamed PowerShell.exe

The rest of the PowerShell script runs in a loop with a 120-second timeout until no error is produced. C2 communication is attempted at the URL hxxps://terma[.]dev/0 to pull down the initial stager.

Conclusion

Overall, it is clear that this attack was relatively sophisticated, with the malicious threat actor paying specific attention to opsec. There were a lot of relatively recent attack techniques at play, some of which were unfamiliar and required additional analysis, such as leveraging the PowerShell Get-Alias cmdlet to perform an Invoke-Expression.

Leveraging the registry, WMI subscriptions, and scheduled tasks, and incorporating LOLBins into the process, was overall clever and needs to be monitored for. While this was a very targeted attack, the tactics and techniques used are well known, and it is important to stay vigilant.

Securonix Recommendations and Mitigations

  • Avoid downloading unknown email attachments / LNK files from non-trusted sources
  • Deploy PowerShell script block logging to assist in detections
  • Deploy additional process-level logging such as Sysmon for additional log coverage. Additionally, Sysmon installed on the host will prevent next-stage payload execution
  • Pay specific attention to attempts to disable security monitoring tools, including SIEM
  • Scan endpoints using the Securonix seeder hunting queries below
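To give the Sysmon recommendation above a concrete shape, here is an added example (not Securonix code, and not from the report) that runs two checks drawn from the write-up over constructed Sysmon Event ID 1 (Process Create) records: a PowerShell host whose PE OriginalFileName is still PowerShell.EXE but whose on-disk name is not, and a child process launched through forfiles. The field names are Sysmon's; the sample records and the renamed-binary path are constructed here to mirror the report's description.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 records in the "Field: value" form Sysmon writes
# into the event message. These are sample records made up for this example,
# not logs taken from the Securonix report.
SAMPLE_EVENTS = """\
Image: C:\\Windows\\System32\\forfiles.exe
OriginalFileName: forfiles.exe
ParentImage: C:\\Windows\\explorer.exe
---
Image: C:\\Windows\\AdobeAcrobatPDFReader
OriginalFileName: PowerShell.EXE
ParentImage: C:\\Windows\\System32\\forfiles.exe
---
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
OriginalFileName: PowerShell.EXE
ParentImage: C:\\Windows\\explorer.exe
"""

# File names under which the PowerShell host legitimately runs on disk.
EXPECTED_PS_NAMES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# PE OriginalFileName values that identify the PowerShell host binary.
PS_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
# LOLBins used for indirect command execution (T1202); the report names forfiles.
INDIRECT_EXEC_PARENTS = {"forfiles.exe"}

def parse_events(text):
    """Split the message text into one {field: value} dict per event."""
    events = []
    for block in text.split("---"):
        fields = dict(re.findall(r"^(\w+):\s*(.+)$", block, re.M))
        if fields:
            events.append(fields)
    return events

def basename(path):
    return PureWindowsPath(path).name.lower()

def detect(event):
    """Return the detection labels that apply to one process-create event."""
    hits = []
    image = basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    parent = basename(event.get("ParentImage", ""))
    # Renamed PowerShell: the PE's OriginalFileName survives a copy-and-rename,
    # so it still says PowerShell while the on-disk name does not.
    if original in PS_ORIGINAL_NAMES and image not in EXPECTED_PS_NAMES:
        hits.append("renamed_powershell")
    # Indirect command execution: the process was launched via forfiles.
    if parent in INDIRECT_EXEC_PARENTS:
        hits.append("indirect_exec_via_" + parent.removesuffix(".exe"))
    return hits

def scan(text):
    """Map each flagged Image path to its detection labels."""
    findings = {}
    for event in parse_events(text):
        hits = detect(event)
        if hits:
            findings[event["Image"]] = hits
    return findings
```

The same two checks map directly onto a SIEM rule: alert when OriginalFileName is PowerShell.EXE and the image name is not an expected PowerShell host, and when the parent image is forfiles.exe.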

MITRE ATT&CK Techniques

Tactics | Techniques
Initial Access | T1566: Phishing
Defense Evasion | T1027: Obfuscated Files or Information; T1140: Deobfuscate/Decode Files or Information; T1202: Indirect Command Execution; T1005: Data from Local System; T1562.001: Impair Defenses: Disable or Modify Tools; T1112: Modify Registry
Execution | T1059.001: Command and Scripting Interpreter: PowerShell; T1047: Windows Management Instrumentation
Persistence | T1547: Boot or Logon Autostart Execution; T1053: Scheduled Task/Job; T1053.005: Scheduled Task/Job: Scheduled Task; T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription