5 December 2023

New AeroBlade cyberespionage group targets aerospace industry

An unnamed aerospace company in the US has been targeted by a previously unknown threat actor with the goal of commercial and competitive espionage, according to new findings from the BlackBerry Threat Research and Intelligence team.

Dubbed ‘AeroBlade,’ the campaign used spear-phishing to gain access to the victim’s network. The phishing email carried a document attachment that used remote template injection to pull in a malicious VBA macro, which in turn delivered the next stage and ultimately the final payload.

Evidence suggests that the attacker’s network infrastructure and weaponization became operational around September 2022, with the offensive phase of the attack taking place in July 2023.

The first stage of the infection chain is the malicious document attachment, which, when opened, displays a “lure” message prompting the victim to click “Enable Content” in MS Office so that the macro can run.

Once the victim opens the file and enables content, the remote template is fetched and a new file is dropped on the system, in what BlackBerry calls a “classic cyber bait-and-switch”: the macro lives in the OLE document retrieved at runtime rather than in the attachment itself. That macro then runs an executable file.
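
The chain above rests on one OOXML detail: a .docx can carry a relationship of type attachedTemplate whose target is external, and Word fetches that target when the document opens. The following Python triage script is an added example, not code from the BlackBerry report or from the campaign, that inspects a Word package for an external attached template and for an embedded VBA project. The sample documents it builds are constructed in memory, and the template URL uses the 203.0.113.0/24 documentation range as a placeholder; neither is an AeroBlade indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace and the relationship type Word uses
# for an attached template (the element that remote template injection abuses).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes):
    """Return (rels_part, target) pairs for every attachedTemplate relationship
    whose TargetMode is External. Word resolves such a target (typically a URL to
    a .dotm) when the document opens, so the attachment can stay macro-free while
    the macro arrives at runtime. Any External-mode attachedTemplate is suspicious."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can declare the template
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def has_vba_project(docx_bytes):
    """True if the package embeds a VBA project, the macro-bearing part of a .docm/.dotm."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def triage(docx_bytes):
    """Combine both checks into a verdict a mail gateway or sandbox pre-filter could act on."""
    remote = find_remote_templates(docx_bytes)
    macro = has_vba_project(docx_bytes)
    return {
        "remote_templates": remote,
        "has_vba_project": macro,
        "verdict": "suspicious" if (remote or macro) else "clean",
    }


def build_sample_docx(template_target=None, with_macro=False):
    """Constructed minimal Word package for testing; NOT a real lure document.
    template_target, when given, becomes an External attachedTemplate relationship."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_target:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/settings.xml",
                    '<?xml version="1.0"?><settings xmlns:r="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships"><attachedTemplate r:id="rId1"/></settings>')
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder, not a real VBA stream
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed URL in the 203.0.113.0/24 documentation range, not a real C2.
    lure = build_sample_docx("http://203.0.113.10/template.dotm")
    print(triage(lure))
    print(triage(build_sample_docx()))
```

Run it against any .docx by passing the file's bytes to triage(); the detector deliberately scans every .rels part rather than only word/_rels/settings.xml.rels, because the relationship can be declared from other parts as well.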

The final payload is a DLL that acts as a reverse shell connecting to a hard-coded command-and-control (C2) server. In a reverse shell the compromised host initiates the outbound connection to the attacker’s server, which sidesteps inbound firewall rules and gives the operator an interactive command channel, and with it full control of the device. The DLL is heavily obfuscated and implements a number of anti-analysis techniques: anti-disassembly tricks to hamper static analysis, API hashing to hide which Windows functions it calls, custom encoding for every string it uses, and multiple checks to avoid running in an automated environment such as a sandbox.

The executable also contains control-flow obfuscation, data interleaved with code, and dead code (instructions that execute but have no effect on the malware’s behaviour). Its environment checks cause it to skip execution on automated systems such as sandboxes or antivirus (AV) emulators.
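
API hashing, mentioned above, deserves a concrete look because it is why a strings dump of such a DLL shows no Windows function names. The Python below is an added example, not code from the report or the sample: the loader stores only a 32-bit hash of each API name and walks a DLL’s export table at runtime, hashing every name until one matches; the analyst counters by precomputing hashes for known API names and mapping recovered constants back. The ROR13 scheme used here is the classic one from early Win32 shellcode (Skape’s hash); the page does not state which scheme AeroBlade uses, so that choice and the stand-in export table are assumptions.

```python
# ROR13 (rotate-right-13-then-add) is the hash used by classic Win32 shellcode.
# Which scheme AeroBlade actually uses is not stated; this is an illustrative assumption.
def ror13_hash(name):
    """Hash an ASCII export name into a 32-bit value, one byte at a time."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL export table (name -> fake address); not real addresses.
FAKE_EXPORTS = {
    "LoadLibraryA": 0x7FF800001000,
    "GetProcAddress": 0x7FF800001100,
    "VirtualAlloc": 0x7FF800001200,
    "CreateProcessA": 0x7FF800001300,
    "IsDebuggerPresent": 0x7FF800001400,
    "connect": 0x7FF800001500,
}


def malware_resolve(target_hash, exports=FAKE_EXPORTS):
    """Loader side: walk the export table, hash each name, return the address on a match.
    Only the hash constant lives in the binary, so the API name never appears as a string."""
    for name, addr in exports.items():
        if ror13_hash(name) == target_hash:
            return addr
    return None


def analyst_lookup_table(names):
    """Analyst side: precompute hashes for known API names so constants pulled out of a
    sample can be mapped back to the functions they stand for."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(hashes, table):
    """Map a list of hard-coded hash constants to names, flagging any not in the table."""
    return [(hex(h), table.get(h, "<unknown>")) for h in hashes]


if __name__ == "__main__":
    # 0xEC0E4E8E is the well-known ROR13 hash of "LoadLibraryA"; the other two are
    # derived here for the demo, and 0xDEADBEEF stands in for an unresolved constant.
    embedded = [0xEC0E4E8E, ror13_hash("VirtualAlloc"), ror13_hash("connect"), 0xDEADBEEF]
    print(hex(malware_resolve(0xEC0E4E8E)))          # loader view: address of LoadLibraryA
    print(resolve_hashes(embedded, analyst_lookup_table(FAKE_EXPORTS)))  # analyst view
```

In practice the analyst builds the lookup table from the export lists of the real system DLLs (kernel32, ws2_32 and so on) and checks several hash variants, because loaders often mix in the module name or tweak the rotation count.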

“Based on the threat actor’s operations timelines — September 2022 and then July 2023 — we can surmise that this shows the group’s interest in the target remained consistent between the first and second campaign, as evidenced by the increased complexity of the second campaign compared to the first,” BlackBerry said. “During the time that elapsed between the two campaigns we observed, the threat actor put considerable effort into developing additional resources to ensure they could secure access to the sought-after information, and that they could exfiltrate it successfully.”
