Boeing RFQ Malware Campaign Exploits DOCX, RTF, JS, and Python
Severity: High (Score: 66.5)
Sources: Cybersecuritynews, Gbhackers
Summary
A sophisticated malware campaign, tracked as NKFZ5966PURCHASE, is targeting industrial suppliers and procurement teams by impersonating Boeing in procurement emails. The attack uses DOCX, RTF, JavaScript, PowerShell, and Python to deliver an in-memory Cobalt Strike beacon through a six-stage process. Victims are lured into opening a malicious Word document disguised as a Request for Quotation (RFQ) from a fake sender named Joyce Malave. The campaign leverages living-off-the-land binaries and reuses encryption keys across samples, which improves its ability to evade detection. The exact number of affected organizations is currently unknown, but the operation poses a significant threat to supply chain security. As of now, the campaign is active and ongoing, and security professionals are urged to remain vigilant.
Key Points:
- The NKFZ5966PURCHASE campaign targets procurement teams by impersonating Boeing.
- Attack methods include DOCX, RTF, JS, and Python to deliver Cobalt Strike beacons.
- The campaign employs living-off-the-land techniques and reuses encryption keys for evasion.
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- Boeing RFQ Malware Campaign (campaign)
- NKFZ5966PURCHASE (campaign)
- RFQ Malware Campaign (campaign)
- Cobalt Strike (malware)
- T1059.001 - PowerShell (mitre_attack)
- T1059.006 - Python (mitre_attack)
- T1059.007 - JavaScript (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- T1566 - Phishing (mitre_attack)
- Python (tool)
- PowerShell (tool)