BOOK THIS SPACE FOR AD
ARTICLE ADMicrosoft warns of a malware-based campaign that targeted organizations in the aerospace and travel sectors in the past months.
Microsoft researchers revealed that organizations in the aerospace and travel sectors have been targeted in the past months in a malware-based campaign.
Threat actors conducted a spear-phishing campaign using messages that were specifically designed to be of interest to the targeted organizations. The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. The email uses an image posing as a PDF file that contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.
In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT. pic.twitter.com/aeMfUUoVvf
— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads. pic.twitter.com/9r0OTmZQJb
— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021The attackers used a new loader dubbed Snip3 which appears under active development and that was recently analyzed by Morphisec researchers that already detected a dozen versions over the last months.
“The first stage of the attack chain is a VB Script that’s designed to load and then move the execution to the second-stage PowerShell script. We’ve identified four versions containing 11 sub-versions in this initial loader stage, with the main difference between the four being the second-stage PowerShell loading mechanism. The main difference between the 11 sub-versions is the type of obfuscation that each uses.” states Morphisec.
The final stage in the attacks observed by Microsoft is common RAT, such as RevengeRAT or AsyncRAT, experts also reported the involvement of additional payloads, including Agent Tesla and NetWire RAT.
Threat actors employed the malware to steal sensitive data from the victims.
The RATs are controlled using C2 server hosted on dynamic hosting sites, they use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites.
The Trojans attempt to inject components into processes like RegAsm, InstallUtil, or RevSvcs.
The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrates data often via SMTP Port 587. pic.twitter.com/TKRSPpNujq
— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021The final payloads allow attackers to steal credentials, take screenshots and spy through the webcam, then stolen data are exfiltrated via SMTP Port 587.
“Microsoft 365 Defender detects the multiple components of this attack. Our researchers are closely monitoring the campaign and will share additional info and investigation guidance through Microsoft 365 security center and Microsoft Threat Experts.” concludes Microsoft.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Microsoft)