Organizations in the aerospace and travel sectors have been targeted in the past months in a campaign aimed at infecting victims with remote access Trojans (RAT) and other types of malware, Microsoft warns.
The attacks start with spear-phishing messages that employ lures relevant to the targeted organizations, such as aviation, travel, and cargo, and deliver an image that pretends to be a PDF file and which contains an embedded link.
The attackers abuse legitimate web services and they leverage a newly identified loader dubbed Snip3 for the delivery of RATs.
Last week, security researchers with endpoint security solutions provider Morphisec revealed that, once the victim clicks on the link, a VBScript is fetched, which in turn drops a second-stage PowerShell script in charge of evading detection and dropping the final payload.
Snip3 is still under active development, with Morphisec identifying roughly a dozen versions over the course of several months.
The final payload in these attacks is typically RevengeRAT or AsyncRAT, but additional payloads were observed as well, including Agent Tesla and NetWire RAT. The main purpose of the attacks appears to be data harvesting and exfiltration.
“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a ..
Support the originator by clicking the read the rest link below.
