Cyber Security

New Threat Actor ‘AeroBlade’ Emerges in Espionage Attack on U.S. Aerospace

Dec 05, 2023NewsroomCyber Espionage / Threat Analysis

A previously undocumented threat actor has been linked to a cyber attack targeting an aerospace organization in the U.S. as part of what’s suspected to be a cyber espionage mission.

The BlackBerry Threat Research and Intelligence team is tracking the activity cluster as AeroBlade. Its origin is currently unknown and it’s not clear if the attack was successful.

“The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution,” the company said in an analysis published last week.


Learn Insider Threat Detection with Application Response Strategies

Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.

Join Now

The network infrastructure used for the attack is said to have gone live around September 2022, with the offensive phase of the intrusion occurring nearly a year later in July 2023, but not before the adversary took steps to improvise its toolset to make it more stealthy in the intervening time period.

The initial attack, which took place in September 2022, commenced with a phishing email bearing a Microsoft Word attachment that, when opened, used a technique called remote template injection to retrieve a next-stage payload that’s executed after the victim enables macros.

Espionage Attack

The attack chain ultimately led to the deployment of a dynamic-link library (DLL) that functions as a reverse shell, connecting to a hard-coded command-and-control (C2) server and transmitting system information to the attackers.

The information gathering capabilities also include enumerating the complete list of directories on the infected host, indicating that this could be a reconnaissance effort carried out to see if the machine hosts any valuable data and aid its operators in strategizing their next steps.


“Reverse shells allow attackers to open ports to the target machines, forcing communication and enabling a complete takeover of the device,” Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry, said. “It is therefore a severe security threat.”

The heavily obfuscated DLL also comes fitted with anti-analysis and anti-disassembly techniques to make it challenging to detect and take apart, while also skipping execution on sandboxed environments. Persistence is accomplished by means of a Task Scheduler, in which a task named “WinUpdate2” is created to run every day at 10:10 a.m.

“During the time that elapsed between the two campaigns we observed, the threat actor put considerable effort into developing additional resources to ensure they could secure access to the sought-after information, and that they could exfiltrate it successfully,” Bestuzhev said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Articles You May Like

Threads Saved Posts Feature Begins Rolling Out to Several Users After Weeks of Testing: How it Works
Nvidia briefly surpasses $2 trillion in market cap during intraday trading
Palworld Crosses 25 Million Players on PC and Xbox, 15 Million Copies Sold on Steam
Tecno Camon 30 Premier 5G With PolarAce Imaging System Unveiled at MWC 2024
Ride-hailing giant Grab posts first profitable quarter, announces $500 million share buyback