#ESETresearch analyzed operation #Interception, a new espionage campaign targeting aerospace & defense companies in Europe and the Middle East. Initial contact was made via #LinkedIn, where attackers approached targets with fake job offers @jiboutin welivesecurity.com/2020/06/17/ope… 1/5

The attackers sent a password protected RAR archive containing a LNK file responsible for showing a decoy PDF and downloading additional malware. In some cases, this archive was sent directly through #LinkedIn instant messenger. #ESETresearch 2/5

While the victim was being deceived by the decoy PDF, a scheduled task was created, launching WMIC to execute a script embedded in a remote XSL file. This enabled the attackers to get their initial foothold inside the targeted company and gain persistence on the computer. 3/5

Besides espionage, #ESETresearch saw moonlighting activities from #Interception’s operators. They set up a #BEC scheme by finding an unpaid invoice and reached out directly to the client for payment to a bank account they controlled. Fortunately, it wasn’t successful. 4/5

While we cannot conclusively link this activity to any known groups, technical links to the #Lazarus group exist. Read more about this research on operation #Interception on #WLS welivesecurity.com/wp-content/upl…
IoCs are available on our GitHub repository: github.com/eset/malware-i… 5/5