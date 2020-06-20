While the world is focused on fighting COVID-19, companies still need to defend themselves against the spread of another dangerous threat – malware.

This was highlighted during the first day of ESET’s Virtual World 2020 conference, as researchers broke down two specific attacks on aerospace, defence and military organisations.

Through social engineering techniques and the deployment of multi-stage malware, malicious actors were able to access systems containing sensitive company information.

LinkedIn-based attack

In the first attack – dubbed Operation In(ter)ception – the attackers impersonated recruiters from well-known aerospace and defence companies on LinkedIn.

They would then start a conversation with employees of those companies' rivals, praising their skills and offering them a job with the competitor.

A decoy PDF file, apparently detailing the salary package for the position, would then be sent to the employee.

Once the employee opened it, the file executed a malicious payload on the victim's computer, giving the attackers a foothold on the machine.

From that foothold the attackers deployed custom multi-stage malware disguised as legitimate software, alongside modified versions of open-source tools, to search for and collect employee information as well as business and technical data.

InvisiMole

ESET also presented its investigation of InvisiMole, a threat that has been active since at least 2013.

The spyware tool has extensive espionage capabilities and when installed on a system can perform the following tasks:

Record voice

Take screenshots

Access geo-location

Take photos or videos with the webcam

Steal documents

An enhanced version of InvisiMole targeted diplomatic missions and military organisations, managing to deploy 30 weaponised applications and documents on their networks and preparing 8,000 documents for exfiltration.

By working with the affected organisations, ESET was able to uncover an extensive toolset used to deliver InvisiMole's backdoors, move laterally across the network and execute them.

Another notable finding of the investigation was that InvisiMole was delivered to machines that had already been compromised by the Gamaredon group's malware, which suggests the two groups cooperate.

Taking action

These attacks are evidently well-organised and sophisticated.

This should be a warning to companies to ensure their cybersecurity measures are sufficient to deal with similar attacks.

Firstly, employees must be trained to recognise these attacks and told which warning signs to watch for, which can include:

Grammar and language mistakes in messages.

Pressure on the target to react immediately.

Unusual instructions for handling files on the victim's computer, for example being told to dismiss security warnings before opening an attachment.

While prevention is the best option, any network is only as secure as its weakest link, and companies need to be prepared for when employees slip up.

Important proactive measures include the following:

Restricting access to public file-hosting services, which attackers use to stage payloads and to receive stolen data.

Using application control such as AppLocker to restrict which programs can be executed.

Keeping security software up to date.
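As an added example (it is not from the article or from ESET), the following PowerShell shows what "using AppLocker to control which programs can run" looks like in practice: it builds an allow-list from a clean reference workstation, dry-runs it against a user-writable folder of the kind a phishing lure drops files into, and exports it in audit mode. It assumes a Windows 10/11 Enterprise or Windows Server host with the AppLocker module, an elevated session, and that the listed directories contain only trusted software; the output path is illustrative.

```powershell
# Added example, not code from the article or from ESET.
# Builds an AppLocker allow-list from a clean reference machine, dry-runs it
# against a user-writable folder, and writes it out in audit mode.
# Assumes: Windows 10/11 Enterprise or Windows Server, elevated PowerShell,
# and that the directories below hold only software you trust.
Import-Module AppLocker

# 1. Inventory the executables and DLLs in the locations we trust.
$trustedDirs = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$inventory = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll
}

# 2. Turn the inventory into allow rules: publisher rules for signed binaries,
#    hash rules for unsigned ones. Path rules are avoided on purpose: a path
#    rule for C:\Windows would also allow anything dropped into its
#    user-writable subfolders.
$policy = New-AppLockerPolicy -FileInformation $inventory `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation

# 3. Dry run: anything a lure drops into Downloads should come back as Denied.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$decisions = Get-ChildItem -Path $downloads -Include *.exe, *.dll -Recurse -File |
    Convert-Path |
    Test-AppLockerPolicy -PolicyObject $policy -User Everyone
$decisions | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Export in audit mode so that launches the policy would block are only
#    logged (event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log)
#    until the allow-list is proven complete; then switch to 'Enabled'.
$xml = [xml]$policy.ToXml()
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$outFile = 'C:\Policies\AppLocker-baseline.xml'   # illustrative path
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
$xml.Save($outFile)

# 5. Apply locally for a pilot (use -Ldap to target a GPO instead). AppLocker
#    does nothing unless the Application Identity service is running; sc.exe is
#    used because Set-Service cannot reconfigure this protected service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $outFile
```

Two caveats a practitioner should keep in mind. Publisher rules for Microsoft-signed binaries also allow built-in tools such as rundll32.exe, regsvr32.exe and certutil.exe, which attackers routinely abuse to run or fetch payloads without dropping a new executable, so an allow-list is a layer, not a complete answer, and launches of those tools from unusual parent processes still need monitoring. DLL rules also add noticeable overhead and break more applications than EXE rules, so many deployments start with EXE rules in audit mode and add DLL rules only once the 8003 events have been reviewed.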

This article was published in partnership with ESET.