Full Report
Executive Summary
It is rare to be provided an inside view on how major cyber espionage campaigns are conducted within...
The post Operation North Star: Behind The Scenes appeared first on McAfee Blog.
Analysis Summary
# Threat Actor: Unnamed Cyber Espionage Actor (Operation North Star)
## Attribution & Identity
The activity is attributed to the "Operation North Star" campaign, a cyber espionage operation. No specific threat actor group name is provided; the source notes only that the adversary exhibits technical innovation and sophisticated operational security measures.
## Activity Summary
The actors conducted a sophisticated cyber espionage campaign targeting the defense sector. Initial intrusion relied on social media, spearphishing, and weaponized documents (DOTM files). Subsequent analysis revealed a secondary payload called **Torisma** and advanced operational security practices, including victim allow/block lists used to restrict the secondary payload's deployment. C2 log analysis indicated attacks against ISPs and defense contractors across multiple countries. The actors demonstrated technical evolution in their implant techniques over seven months.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing, social media sites, and weaponized documents (DOTM files).
- **Execution & Defense Evasion:**
  - Use of template injection.
  - First-stage implants used **triple base64 encoding** in Visual Basic macros (an increase from the double encoding seen previously).
  - Extracted DLLs (e.g., "desktop.dat") were packed with the **Themida packer**.
  - Configuration data for the C2 and the second-stage payload decryption keys were stored in an **encrypted configuration file** within the first-stage implant.
- **Command and Control (C2):** Communication utilized C2 infrastructure hosted on compromised commercial domains (e.g., an apparel company, an auction house, a printing company).
- **Operational Security:** Application of an **allow and block list** to permit or deny specific organizational systems, preventing the secondary payload (Torisma) from deploying to unintended targets.
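As an added example (not code from the McAfee report), a small Python triage helper that peels nested base64 layers from a string lifted out of a macro and flags the triple encoding described above; the embedded payload and layer counts are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample: a harmless marker wrapped in three base64 layers,
# mimicking the triple-encoded strings the first-stage macros carried.
INNER = b"CONSTRUCTED-SAMPLE-PAYLOAD"


def wrap_layers(data: bytes, layers: int) -> bytes:
    """Apply `layers` rounds of base64 encoding (used only to build samples)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


SAMPLE_TRIPLE = wrap_layers(INNER, 3)

# Strict base64 alphabet with at most two trailing pad characters.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def peel_base64(blob: bytes, max_layers: int = 10):
    """Repeatedly base64-decode `blob` while it still looks like base64.

    Returns (layers_removed, final_bytes). Stops when the data no longer
    matches the base64 alphabet, has a bad length, fails strict decoding,
    or `max_layers` is reached (guards against pathological inputs).
    """
    layers = 0
    current = blob.strip()
    while layers < max_layers:
        if not current or len(current) % 4 or not _B64_RE.match(current):
            break
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
        current = decoded
    return layers, current


def flag_nested_encoding(candidate: bytes, min_layers: int = 3) -> bool:
    """Triage rule: legitimate macros rarely nest base64 three deep."""
    layers, _ = peel_base64(candidate)
    return layers >= min_layers
```

Running `peel_base64` over string literals extracted from a suspicious document gives both the layer depth and the recovered inner bytes for further inspection.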
## Targeting
- **Sectors:** Defense sector organizations (including defense contractors).
- **Geography:** Attacks launched against IP addresses belonging to internet service providers (ISPs) in **Australia, Israel, and Russia**, and defense contractors based in **Russia and India**.
- **Victims:** Defense contractors.
## Tools & Infrastructure
- **Malware families used:**
  - Primary implant (first stage, nested in DOTM files).
  - **Torisma** (secondary payload).
- **Infrastructure (C2 domains and IPs, defanged):**
  - C2 infrastructure comprised compromised domains in Italy and other countries.
  - Compromised domains included those belonging to an apparel company, an auction house, and a printing company.
  - Specific compromised domain mentioned: `hxxp://fabianiarte.com` (and `fabianiarte.it`).
  - Malicious files included DOTM files and a malicious ASP page hosted on these compromised sites.
## Implications
The actor exhibits a commitment to long-term espionage, evidenced by the duration of tracked activity (seven months) and continuous development of malware obfuscation techniques (triple encoding, Themida packing). The use of a victim allow/block list suggests a targeted, high-value espionage mission in which avoiding collateral damage or premature exposure is critical to operational success.
## Mitigations
- Scrutinize and restrict execution of macros from untrusted sources, especially DOTM files.
- Employ advanced endpoint detection and response capable of detecting Themida packing and complex multi-stage decoding/unpacking.
- Monitor network traffic for beacons communicating with known or suspicious compromised commercial domains.
- Evaluate network access controls, as the adversary demonstrated sophistication in ensuring secondary payloads only activated on verified targets.