Microsoft Alerts Aviation and Travel Firms to RAT Campaign

Microsoft is warning the aerospace and travel sectors of a new targeted attack campaign aimed at stealing sensitive information from affected companies.



The tech giant said it had been tracking the “dynamic campaign” for several months via a series of spear-phishing emails designed to deliver an “actively developed loader.”



The screenshot posted to the Microsoft Security Intelligence Twitter feed showed a phishing email spoofing a legitimate organization and requesting a quote for a cargo charter.



“An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” it explained.



These payloads are either RevengeRAT or AsyncRAT.



“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft said.



“The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587.”



The loader that drops the RATs was identified by Morphisec last week as a “highly sophisticated” crypter-as-a-service dubbed “Snip3.”



It features several methods of bypassing detection by security tools, including: the use of Pastebin and top4top for staging; recognition of Windows Sandbox and VMWare virtualization; executing PowerShell code with the “remotesigned” paramete ..
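The chain Microsoft and Morphisec describe (script host, encoded PowerShell, stages pulled from paste sites, injection into RegAsm or InstallUtil, mail submission on port 587) maps onto a handful of host telemetry checks. The script below is an added example and is not Microsoft's, Morphisec's or the malware's code: it runs four such checks over a constructed list of Sysmon-style process and network records. The field names, file paths, PIDs, command lines, the sample base64 fragment and the top4top domain are assumptions made for illustration; only the binaries, the port and pastebin[.]com come from the reporting above.

```python
"""Host-based detection for the RAT chain described in the article.

Added example, not Microsoft's or Morphisec's code.  Events are constructed,
Sysmon-style process/network records; field names, paths, PIDs and the
command-line values are assumptions made for illustration.
"""

# Script hosts that run the dropped VBScript.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Injection targets named in the Microsoft tweet (RevSvcs as listed there).
INJECT_TARGETS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}
# Staging sites named on the page; the top4top domain is an assumption.
STAGING_HOSTS = {"pastebin.com", "top4top.io"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_encoded_flag(cmdline: str) -> bool:
    """True if the command line passes -EncodedCommand or any prefix that
    PowerShell accepts for it (-e, -en, -enc, ...) or the -ec alias.
    -ExecutionPolicy and -ep do not match, so RemoteSigned alone is not an alert."""
    for tok in cmdline.lower().split():
        if tok.startswith(("-", "/")):
            opt = tok[1:]
            if opt and ("encodedcommand".startswith(opt) or opt == "ec"):
                return True
    return False


def is_staging_host(host: str) -> bool:
    """Exact or subdomain match against the paste/staging sites."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in STAGING_HOSTS)


def detect(events):
    """Return (rule_name, pid) pairs, in event order, for the four behaviours
    the article describes.  Each rule is a single-event check joined to the
    parent process through parent_pid, so it runs over a flat event list."""
    alerts = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        image = basename(e["image"])
        if e["type"] == "process":
            parent = procs.get(e.get("parent_pid"))
            parent_image = basename(parent["image"]) if parent else ""
            # 1. VBScript host launching PowerShell with an encoded command.
            if (image == "powershell.exe" and parent_image in SCRIPT_HOSTS
                    and has_encoded_flag(e["cmdline"])):
                alerts.append(("script_host_encoded_powershell", e["pid"]))
            # 2. An injection target started by the script/PowerShell chain
            #    with no arguments: RegAsm/InstallUtil do nothing useful that
            #    way, which is the hollowing pattern the RATs rely on.
            if (image in INJECT_TARGETS
                    and parent_image in SCRIPT_HOSTS | {"powershell.exe"}
                    and len(e["cmdline"].split()) <= 1):
                alerts.append(("injection_target_without_args", e["pid"]))
        elif e["type"] == "network":
            # 3. PowerShell pulling stages from a paste site.
            if image == "powershell.exe" and is_staging_host(e["dest_host"]):
                alerts.append(("powershell_to_paste_site", e["pid"]))
            # 4. SMTP submission (587) from an injection target.  Limiting
            #    this to INJECT_TARGETS keeps real mail clients out of it.
            if e["dest_port"] == 587 and image in INJECT_TARGETS:
                alerts.append(("smtp_587_from_injection_target", e["pid"]))
    return alerts


# Constructed sample telemetry: one malicious chain, then two benign events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "parent_pid": 1,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\Quote_Request.vbs"},
    {"type": "process", "pid": 101, "parent_pid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"type": "network", "pid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "pastebin.com", "dest_port": 443},
    {"type": "process", "pid": 102, "parent_pid": 101,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    {"type": "network", "pid": 102,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_host": "mail.example.net", "dest_port": 587},
    # Benign: a scheduled script run with RemoteSigned, and a mail client on 587.
    {"type": "process", "pid": 200, "parent_pid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"},
    {"type": "network", "pid": 300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.office365.com", "dest_port": 587},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Two choices matter for noise. The RemoteSigned execution policy that Snip3 uses is also what many legitimate scheduled scripts run with, so it is deliberately not a trigger on its own; the encoded-command check is tied to a script-host parent instead. Likewise port 587 is ordinary mail submission, so the rule only fires when the connecting image is one of the injection targets, which have no business speaking SMTP.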
