The BlackBerry Threat Research and Intelligence team has uncovered a previously unknown threat actor, referred to as AeroBlade, behind a cyber attack on a U.S. aerospace organization that is suspected to be part of a cyber espionage mission. The attack used spear-phishing with a weaponized document that combined a remote template injection technique with malicious VBA macro code. The network infrastructure for the attack went live around September 2022, while the intrusion phase took place nearly a year later, in July 2023. During that period the attacker refined its toolset to become stealthier. The September 2022 attack involved a phishing email carrying a Microsoft Word attachment that used remote template injection to retrieve a next-stage payload once the recipient enabled macros.
This led to the deployment of a dynamic-link library (DLL) that functioned as a reverse shell, connecting to a command-and-control (C2) server and transmitting system information. The DLL, heavily obfuscated and equipped with anti-analysis techniques, poses a severe security threat, as it allows the attackers to open ports and take over the device. The attacker established persistence through the Windows Task Scheduler, creating a daily task to run the payload.
Between the two observed campaigns, the threat actor invested significant effort in developing additional resources to secure access to the information it sought and to ensure successful exfiltration. The reconnaissance effort included enumerating the complete list of directories on the infected host, which indicates a deliberate approach to identifying valuable data. The AeroBlade campaign underscores the sophistication of cyber threats in the espionage domain, with the actor adapting its techniques and toolset over time to evade detection and extend its capabilities.
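The remote template injection described above works because a Word document can declare an `attachedTemplate` relationship whose target is an external URL, which Word fetches when the file is opened. The following added example (written for this summary, not code from BlackBerry or the report) shows how a defender can triage a `.docx` offline for that indicator and for an embedded VBA project; the sample document, hostname and relationship contents are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

def is_network_target(target: str) -> bool:
    """True for targets that make Word fetch the template over the network (URL or UNC path)."""
    scheme = urlparse(target).scheme.lower()
    return scheme in ("http", "https", "ftp") or target.startswith("\\\\")

def scan_docx(docx_bytes: bytes) -> dict:
    """Report network-hosted attachedTemplate relationships and embedded VBA in an OOXML file."""
    findings = {"remote_templates": [], "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        # A macro-enabled document stores its VBA project as word/vbaProject.bin
        findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue  # relationships (including attached templates) live only in .rels parts
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_REL):
                target = rel.get("Target", "")
                if (rel.get("Type") == TEMPLATE_REL
                        and rel.get("TargetMode") == "External"
                        and is_network_target(target)):
                    findings["remote_templates"].append((name, target))
    return findings

def build_sample_docx(template_target=None, with_vba=False) -> bytes:
    """Constructed minimal document (not a real capture) with an optional attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document xmlns:w='urn:x-constructed'/>")
        if template_target is not None:
            zf.writestr("word/settings.xml",
                        "<w:settings xmlns:w='urn:x-constructed' xmlns:r='urn:x-constructed'>"
                        "<w:attachedTemplate r:id='rId1'/></w:settings>")
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                        f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" Target="{template_target}" TargetMode="External"/>'
                        "</Relationships>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes, not a real VBA stream
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_docx(build_sample_docx("http://template.example.invalid/remote.dotm", with_vba=True)))
```

A local template path such as `file:///C:/Templates/Normal.dotm` is left unflagged, since legitimate documents routinely carry one; only network-reachable targets are reported.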