Boeing RFQ Malware Campaign - Hackers Deploy Six-Stage Attack
Basically, hackers trick people into opening fake documents to install stealthy malware.
A new malware campaign is targeting industrial suppliers with fake Boeing RFQ emails. This sophisticated attack uses multiple file types to evade detection. Organizations need to be aware and take action to protect themselves.
What Happened
A sophisticated malware campaign has emerged, targeting industrial suppliers through seemingly innocent procurement emails. This campaign, known as NKFZ5966PURCHASE, disguises itself as a Boeing Request for Quotation (RFQ) from a fictitious person named Joyce Malave. Victims are lured into opening a malicious Word document that initiates a complex six-stage attack.
How It Works
The infection begins when a victim opens the malicious DOCX file. Inside, a hidden RTF file is embedded, which silently loads additional malicious content. This technique has been around since 2017 but remains effective because most email security systems only scan DOCX files at a surface level.
Once the RTF is triggered, it executes a hex-encoded JavaScript file that invokes PowerShell to download a Python 3.12 runtime disguised as an audio file. This Python script then decrypts and executes a malicious DLL file, all while leaving minimal traces on the victim's machine.
Who's Being Targeted
The primary targets of this campaign are procurement teams and industrial suppliers. The emails impersonate legitimate entities, creating a sense of urgency to respond with pricing for high-quantity orders. Notably, Italian organizations have also been identified as secondary targets, increasing the campaign's scope.
Signs of Infection
Organizations should be vigilant for the following signs:
- Unusual activity linked to Cobalt Strike, a post-exploitation tool.
- Presence of registry keys like RtkAudUService, mimicking legitimate services.
- Suspicious emails requesting price quotes from unknown sources.
How to Protect Yourself
To safeguard against this malware campaign, consider the following actions:
- Monitor for suspicious registry keys and block URLs linked to Filemail.com.
- Implement advanced email filtering to detect malicious attachments.
- Educate employees about the risks of opening unsolicited documents.
Conclusion
The Boeing RFQ malware campaign exemplifies the evolving tactics of cybercriminals. By leveraging social engineering and sophisticated malware techniques, attackers can gain full control over compromised machines, leading to potential data theft and further network compromise. Organizations must remain vigilant and proactive in their cybersecurity measures to combat such threats effectively.