CP
cyberpings
Malware & RansomwareHIGH

Boeing RFQ Malware Campaign - Hackers Deploy Six-Stage Attack

Featured image for Boeing RFQ Malware Campaign - Hackers Deploy Six-Stage Attack
CSCyber Security News·Reporting by Tushar Subhra Dutta
Summary by CyberPings Editorial·AI-assisted·Reviewed by Rohit Rana
Ingested:
🎯

Basically, hackers trick people into opening fake documents to install stealthy malware.

Quick Summary

A new malware campaign is targeting industrial suppliers with fake Boeing RFQ emails. This sophisticated attack uses multiple file types to evade detection. Organizations need to be aware and take action to protect themselves.

What Happened

A sophisticated malware campaign has emerged, targeting industrial suppliers through seemingly innocent procurement emails. This campaign, known as NKFZ5966PURCHASE, disguises itself as a Boeing Request for Quotation (RFQ) from a fictitious person named Joyce Malave. Victims are lured into opening a malicious Word document that initiates a complex six-stage attack.

How It Works

The infection begins when a victim opens the malicious DOCX file. Inside, a hidden RTF file is embedded, which silently loads additional malicious content. This technique has been around since 2017 but remains effective because most email security systems only scan DOCX files at a surface level.

Once the RTF is triggered, it executes a hex-encoded JavaScript file that invokes PowerShell to download a Python 3.12 runtime disguised as an audio file. This Python script then decrypts and executes a malicious DLL file, all while leaving minimal traces on the victim's machine.

Who's Being Targeted

The primary targets of this campaign are procurement teams and industrial suppliers. The emails impersonate legitimate entities, creating a sense of urgency to respond with pricing for high-quantity orders. Notably, Italian organizations have also been identified as secondary targets, increasing the campaign's scope.

Signs of Infection

Organizations should be vigilant for the following signs:

  • Unusual activity linked to Cobalt Strike, a post-exploitation tool.
  • Presence of registry keys like RtkAudUService, mimicking legitimate services.
  • Suspicious emails requesting price quotes from unknown sources.

How to Protect Yourself

To safeguard against this malware campaign, consider the following actions:

  • Monitor for suspicious registry keys and block URLs linked to Filemail.com.
  • Implement advanced email filtering to detect malicious attachments.
  • Educate employees about the risks of opening unsolicited documents.

Conclusion

The Boeing RFQ malware campaign exemplifies the evolving tactics of cybercriminals. By leveraging social engineering and sophisticated malware techniques, attackers can gain full control over compromised machines, leading to potential data theft and further network compromise. Organizations must remain vigilant and proactive in their cybersecurity measures to combat such threats effectively.

🔒 Pro insight: The use of legitimate tools like Cobalt Strike and Python in this attack makes detection challenging for traditional security measures.

Original article from

CSCyber Security News· Tushar Subhra Dutta
Read Full Article

Share

Related Pings

HIGHMalware & Ransomware

Malware Newsletter Round 91 - Latest Threats and Insights

The latest malware newsletter reveals new threats like Infiniti Stealer and npm supply chain attacks. Developers and organizations must stay alert to evolving risks in cybersecurity.

Security Affairs·
HIGHMalware & Ransomware

Malicious Email Delivers CMD Malware - Privilege Escalation Alert

A malicious email has delivered a .cmd malware file that escalates privileges and bypasses antivirus systems. Users are at risk of significant system compromise. Awareness and immediate action are vital to mitigate this threat.

Security Affairs·
HIGHMalware & Ransomware

Axios NPM Package Compromised - Supply Chain Attack Exposed

A major supply chain attack compromised the Axios NPM package, affecting millions of users. Malicious versions deployed a RAT, posing serious security risks. Swift action was taken to remove the threats.

Trend Micro Research·
HIGHMalware & Ransomware

Brokk Hacked - Play Ransomware Exposes Sensitive Data

Brokk has reportedly been hacked by Play ransomware, leading to the leak of sensitive corporate data. This incident could severely impact the company's reputation and security. Organizations must bolster their defenses to prevent similar breaches.

SC Media·
HIGHMalware & Ransomware

Chaos Malware - New Targeting of 64-bit Linux Servers

Chaos malware has evolved to target 64-bit Linux servers, expanding its attack surface. This shift raises alarms for organizations relying on these systems. Enhanced security measures are now crucial to protect against potential larger-scale attacks.

SC Media·
HIGHMalware & Ransomware

Phorpiex Botnet - Spreading Ransomware and Sextortion Tactics

The notorious Phorpiex botnet is back, spreading ransomware and sextortion schemes. Millions are at risk as it targets users globally. Stay alert and protect your devices from this evolving threat.

Cyber Security News·