STEEP#MAVERICK, an attack campaign targeting military and weapons contractor companies, has been discovered by the Securonix Threat Research team. One specific target of the attack has been "a strategic supplier to the F-35 Lightning II fighter aircraft." Spearphishing emails containing a ZIP archive and an LNK file are sent to targeted employees. The attack chain used by the threat actors emphasizes defense evasion tactics intended to sidestep detection systems, together with a series of obfuscated PowerShell scripts. When executed, the LNK file does not call the typical LOLBins such as cmd.exe, powershell.exe, or mshta; instead it calls ForFiles.exe, with the PowerShell executable having been copied and renamed. Securonix's researchers observed a variety of obfuscation techniques, including reordering and symbol obfuscation, obfuscated Invoke-Expression commands, byte value obfuscation, and raw compression. Anti-analysis techniques included antimalware scan interface (AMSI) evasion and checks of the monitor's pixel size, the system's memory, and the OS install date to ensure the host is not a sandbox. Once these checks are passed, the scripts set up persistence via a WMI event subscription, schtasks, and the registry. The script then modifies system settings by disabling logging and modifying Windows Defender. The command and control (C2) infrastructure observed by Securonix was registered in July 2022 and hosted on DigitalOcean. At present, the campaign has not been attributed to a threat actor group.

Anvilogic Scenario:

  • ZIP/LNK Evasion Tactics Lead to PS, Persistence/System Impact

Anvilogic Use Cases:

  • Indirect Command Execution
  • High Entropy Powershell
  • Modify Windows Defender
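Detection logic for the three use cases listed above, written here as an added example that is not Anvilogic's or Securonix's code: it scores constructed Sysmon-style process-creation events for forfiles.exe launching a renamed PowerShell, a high-entropy encoded argument, and Defender tampering. The field names, entropy threshold and sample paths are assumptions.

```python
import math
import string
from collections import Counter

# Assumed starting threshold (bits per character of the longest argument); tune to your baseline.
ENTROPY_THRESHOLD = 4.8
DEFENDER_TAMPER = ("set-mppreference", "add-mppreference", "disablerealtimemonitoring", "disableantispyware", "exclusionpath")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def longest_token_entropy(cmdline):
    """Score only the longest argument, where an encoded or compressed payload would sit."""
    tokens = cmdline.split()
    return shannon_entropy(max(tokens, key=len)) if tokens else 0.0

def is_powershell(ev):
    # OriginalFileName is read from the PE version resource, so a copied and renamed
    # powershell.exe still reports PowerShell.EXE even though Image does not.
    return (ev.get("OriginalFileName", "").lower() == "powershell.exe"
            or basename(ev.get("Image", "")) == "powershell.exe")

def classify(ev):
    """Return the names of the use cases a process-creation event matches."""
    reasons, cmd = [], ev.get("CommandLine", "")
    renamed = is_powershell(ev) and basename(ev.get("Image", "")) != "powershell.exe"
    if basename(ev.get("ParentImage", "")) == "forfiles.exe" and renamed:
        reasons.append("Indirect Command Execution")
    if is_powershell(ev) and longest_token_entropy(cmd) >= ENTROPY_THRESHOLD:
        reasons.append("High Entropy Powershell")
    if any(marker in cmd.lower() for marker in DEFENDER_TAMPER):
        reasons.append("Modify Windows Defender")
    return reasons

# Constructed sample events using Sysmon Event ID 1 field names (not data from the campaign).
# The encoded argument holds every base64 symbol twice, so its entropy is exactly 6.0 bits.
BLOB = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/") * 2
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\forfiles.exe", "Image": r"C:\Users\jdoe\AppData\Local\Temp\wr.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "wr.exe -NoProfile -EncodedCommand " + BLOB},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users"},
]
```

Run classify over each entry of EVENTS: the first matches two use cases, the second only the Defender one, and the third none.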

