Introduction of New Threat Actor 'AeroBlade'

A new cyber espionage hacking group, AeroBlade, has emerged on the cyberspace scene, launching cyberattacks against organizations in the United States aerospace sector. Until now, the group has remained under the radar, operating without detection from cybersecurity firms. This stealth behavior is characteristic of sophisticated threat actors, often emphasizing the severity and potential danger these groups pose to their targets and the broader digital environment.

Previously Unknown Threat Actor Targets US Aerospace Firm

The AeroBlade threat actor was discovered by BlackBerry researchers after successfully infiltrating a US aerospace organization's systems. The identity, origin, and operational capabilities of the threat actor remain largely unknown, with some preliminary investigation indicating the possible implication of the group in commercial cyber espionage activities. Speculation mounts over the goals of the group. Still, BlackBerry assesses with medium to high confidence that AeroBlade's primary objective is to gather valuable information and data using cyber espionage.

Initial Operations Commenced in September 2022 with a 'Testing Phase'

The group's activities initially unfolded in September 2022, considered a 'testing phase' of their cyber campaign. This first wave involved the deployment of fairly simple but effective spear-phishing tactics using weaponized documents. These documents, delivered through email attachments, were designed to gain initial access to the targeted organization's networks and establish a foothold for more sophisticated future attacks. This initial stage was followed by a brief period of inactivity, suggesting a calculated strategy on the actor's part to assess the success of their initial campaign before escalating their operations.

Second, a More Advanced Campaign Launched in July 2023

AeroBlade re-emerged in July 2023, launching a more advanced and complex attack campaign. The threat actor transitioned from its initial spear-phishing tactics to deploying a reverse-shell payload capable of executing commands and stealing data from the compromised systems. Despite the significant escalation of the group's activities, its operations remain under the radar and largely undetected by cybersecurity defenses, emphasizing the growing sophistication and advancement of its cyber espionage tactics.

Methods of Cyberattack Employed by AeroBlade

AeroBlade's primary attack technique involves spear-phishing emails harboring weaponized Microsoft Word document attachments. Once the unsuspecting target opens the email and its attachment, the embedded malicious macro code is activated. This code is discreet, preventing the threat actor from raising immediate suspicion. Additionally, the files appear legitimate to the victims, making it a potent tool for initiating the attack. The approach highlights the tailor-made nature of phishing emails that align with the victim's interests and perceived validity, increasing their chance of successful intrusion.

Use of Remote Template Injection to Execute a Second Stage Triggering an Infection Chain

AeroBlade employs a remote template injection technique embedded in the initial documents. These templates, when downloaded, kickstart the second stage of the campaign. This consists of executing a malicious macro that sets up a reverse shell on the target system, allowing a connection to the attacker's command and control (C server). This effectively forms an infection chain, offering the attackers greater control and sustained access to the targeted network or system.

Use of Heavily-Obfuscated Executable Library for Evasion and Information Gathering

For stealth and prolonged evasion, AeroBlade utilizes a heavily obfuscated Dynamic Link Library (DLL) as part of its operational arsenal. This effective anti-detection and anti-analysis measure include custom string encoding, sandbox detection, and control flow obfuscation. Additionally, API hashing is employed to disguise Windows function abuse further. Once in action, the DLL payload lists all directories on the compromised computer, aiding the threat actors in planning subsequent data theft and operations. AeroBlade even goes as far as ensuring the malware's persistence through the Windows Task Scheduler in case of a system reboot. These sophisticated measures illustrate the group's prowess in evading detection and retaining a foothold within the compromised systems over a more extended period.