The Hacker News
FireEye experts have been tracking the Operation Beebus campaign for a few months now, and new same gang of hackers are being blamed for a set of recently discovered spear-phishing attacks that aim to steal information related to American drones.

These attacks exploited previously discovered vulnerabilities via document files delivered by email in order to plant a previously unknown backdoor onto victim systems. Operation Beebus is an APT-style attack campaign targeting government agencies in the United States and India as well as numerous aerospace, defense, and telecom industry organizations.
FireEye Labs has linked the attacks to the China-based Comment Group hacker collective (a prolific actor believed to be affiliated with the Chines government), and Operation Beebus.

"The set of targets cover all aspects of unmanned vehicles, land, air and sea, from research to design to manufacturing of the vehicles and their various subsystems. Other related malware have been discovered through the same C&C infrastructure that have a similar set of targets, that when included bring the total number of targets to more than 20 as of this writing. These targets include some in academia which have received military funding for their research projects relating to unmanned vehicles." experts said.

The Hacker News

FireEye observed a spear phishing attack that deployed a malicious attachment masquerading as a document containing details about the Pakistani military's advances in drone technology. The document is attributed to Aditi Malhotra, an Associate Fellow at the Centre for Land Warfare Studies (CLAWS) in New Delhi. Malhorta is apparently a real person with writings that can be found online, but it is not clear if she actually wrote the document or if the attackers are just using her name.

The earlier Beebus attacks involved malicious PDF and Word files with names such as "sensor environments.doc" and "RHT_SalaryGuide_2012.pdf" emailed to targets. The documents attempted to exploit a well-known DLL search order hijacking vulnerability in Windows and drop a malicious DLL file in the Windows directory. The Beebus attackers also used a TTP (tools, techniques, and procedures) identical to the RSA hack.
The Hacker News

The backdoor pretends to be software from Google or Microsoft, which renders it hard to detect, especially since it does not harm users' computers in any way. Once in place, the backdoor allows alien IP addresses access to private files. Two different versions of the same backdoor were used in all of these attacks, which FireEye has dubbed "Mutter." Mutter is HTTP proxy aware, and attempts to determine if a proxy is required and what the proxy details are if necessary.

After infection, the malware will stay dormant for some period of time before attempting to exfiltrate data from the infected PC. Operation Beebus wants some very specific information and likely has nothing good planned for it. Hijacking drones may not be commonplace just yet, but that capability could raise some serious questions about widespread drone use.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.