30. June 2021

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

Fortinet researchers discovered a spear-phishing campaign targeting the aviation industry with well-crafted messages whose malicious download links distribute AsyncRAT. AsyncRAT is an open-source remote access tool (RAT), a legitimate remote administration tool that has been used to gather browser data and to steal credentials, webcam data, screenshots, and essential details about the system and network.

Threat actors targeted multiple aviation firms by sending phishing emails that appeared to come from the federal aviation authority, using a spoofed sender address that aligns with a ‘foreign operators affairs’ email address for inquiries/approvals. The email goes the extra step of including a signature and a logo to impersonate a federal authority.

The attackers designed the email to create a sense of urgency by making it resemble a Reporting of Safety Incident (ROSI) from Air Traffic Control. In addition, the email contains malicious Google Drive links disguised as a PDF attachment. Most of the emails in this campaign contain the strings ROSI, AOP, Incident Report, as well as the attachment name ‘ROSI-AOP Incident Report Details, ’.pdf.
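A mail-triage heuristic built from the traits described above, as an added example that is not from the article or from Fortinet's research: it flags a message only when the lure strings and a Google Drive link labelled as a .pdf file occur together. The two-keyword threshold, the Drive host list, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

KEYWORDS = ("ROSI", "AOP", "Incident Report")  # strings named in the article
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}  # assumption: hosts counted as Drive

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from HTML
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def score_message(raw):
    """Return (keywords found, Drive links whose visible label ends in .pdf)."""
    msg = message_from_string(raw)
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    text = msg.get("Subject", "") + "\n" + body
    hits = [k for k in KEYWORDS if re.search(r"\b%s\b" % re.escape(k), text, re.I)]
    collector = LinkCollector()
    collector.feed(body)
    # A real attachment is a MIME part; a Drive URL labelled "*.pdf" is only a link.
    disguised = [(h, t) for h, t in collector.links if t.lower().endswith(".pdf")
                 and (urlparse(h).hostname or "") in DRIVE_HOSTS]
    return hits, disguised

def is_suspicious(raw):  # assumption: require 2+ lure strings plus a disguised link
    hits, disguised = score_message(raw)
    return len(hits) >= 2 and bool(disguised)

# Constructed sample message (not taken from the campaign).
LURE = """From: foa@aviation-authority.example
Subject: ROSI-AOP Incident Report
Content-Type: text/html; charset=utf-8

<a href="https://drive.google.com/file/d/EXAMPLE/view">ROSI-AOP Incident Report Details.pdf</a>
"""
```

Requiring both signals keeps ordinary Drive sharing and routine incident-report mail out of the alert queue; sender-authentication results (SPF, DKIM, DMARC) would be a natural third signal for the spoofed address.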