Microsoft: Aviation and Travel Firms Targeted with RAT Campaign
Microsoft is warning the aerospace and travel sectors of a new targeted attack campaign aimed at stealing sensitive information from affected companies.
The tech giant said it had been tracking the “dynamic campaign” for several months via a series of spear-phishing emails designed to deliver an “actively developed loader.”
A screenshot posted to the Microsoft Security Intelligence Twitter feed showed a phishing email spoofing a legitimate organization and requesting a quote for a cargo charter.
“An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” it explained.
These payloads are either RevengeRAT or AsyncRAT.
“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft said.
“The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587.”
The loader that drops the RATs was identified by Morphisec last week as a “highly sophisticated” crypter-as-a-service dubbed “Snip3.”
It features several methods of bypassing detection by security tools, including: the use of Pastebin and top4top for staging; recognition of Windows Sandbox and VMware virtualization; executing PowerShell with the “remotesigned” execution policy parameter; and compiling RunPE loaders on the endpoint at runtime.
Microsoft said its Microsoft 365 Defender product detects multiple components of the attack, but urged organizations in the targeted sectors to check whether they have been affected. It published a list of hunting queries so organizations can check for similar activity, emails, implants and other indicators of attack.
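The chain described above (VBScript dropper, PowerShell with a relaxed execution policy, staging from Pastebin-style sites, injection into RegAsm/InstallUtil/RevSvcs, exfiltration over SMTP port 587) maps onto a few simple hunting rules. The script below is an added illustration written for this article; it is not one of Microsoft's published hunting queries and not Morphisec's analysis code. It assumes a simplified, constructed endpoint telemetry format (process-creation and network-connection events as dicts), and the sample events, hostnames, PIDs and the `top4top.io` domain are all invented for the example.

```python
"""Hunting heuristics for the Snip3 / RevengeRAT / AsyncRAT chain (added example).

Assumed, constructed telemetry shape (not a real EDR schema):
  {"kind": "process", "host": ..., "pid": ..., "image": ..., "parent_image": ..., "command_line": ...}
  {"kind": "network", "host": ..., "pid": ..., "image": ..., "dst_host": ..., "dst_port": ...}
"""
from typing import Iterable

# Injection hosts named in the Microsoft description
INJECTION_HOSTS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}
# Script hosts that run the dropped VBScript
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Staging sites named on the page; the exact top4top domain is an assumption
STAGING_DOMAINS = {"pastebin.com", "top4top.io"}
# Execution-policy values that let a dropped script run without signing
RELAXED_POLICIES = ("remotesigned", "bypass", "unrestricted")
SMTP_SUBMISSION_PORT = 587


def _base(image: str) -> str:
    """Return the lowercase file name of an image path (Windows or POSIX separators)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list[dict]:
    """Apply the four heuristics in event order and return one finding per hit."""
    findings = []
    for ev in events:
        img = _base(ev.get("image", ""))
        tag = {"host": ev.get("host"), "pid": ev.get("pid"), "image": img}
        if ev.get("kind") == "process":
            parent = _base(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "").lower()
            # Stage 1: VBScript host launching PowerShell with a relaxed execution policy
            if img == "powershell.exe" and parent in SCRIPT_HOSTS and any(p in cmd for p in RELAXED_POLICIES):
                findings.append({"rule": "script-host-spawns-powershell", **tag})
            # Stage 3: PowerShell starting a .NET utility that is then used as injection host
            if img in INJECTION_HOSTS and parent == "powershell.exe":
                findings.append({"rule": "powershell-spawns-injection-host", **tag})
        elif ev.get("kind") == "network":
            if img not in INJECTION_HOSTS | {"powershell.exe"}:
                continue  # only the loader/injection processes are of interest here
            dst_host = ev.get("dst_host", "").lower()
            # Stage 4: exfiltration over SMTP submission from an injection host or PowerShell
            if ev.get("dst_port") == SMTP_SUBMISSION_PORT:
                findings.append({"rule": "smtp-submission-from-loader-process", **tag})
            # Stage 2: additional stages fetched from a paste/file-hosting site
            elif any(dst_host == d or dst_host.endswith("." + d) for d in STAGING_DOMAINS):
                findings.append({"rule": "staging-site-contact", **tag})
    return findings


# Constructed sample telemetry: one full infection chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "ws01", "pid": 4101, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r"wscript.exe C:\Users\bob\Downloads\quote.vbs"},
    {"kind": "process", "host": "ws01", "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -ExecutionPolicy RemoteSigned -NoProfile -w hidden -c <downloader>"},
    {"kind": "network", "host": "ws01", "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_host": "pastebin.com", "dst_port": 443},
    {"kind": "process", "host": "ws01", "pid": 4188, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "InstallUtil.exe"},
    {"kind": "network", "host": "ws01", "pid": 4188, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "dst_host": "mail.example.net", "dst_port": 587},
    # Benign: an admin script run from Explorer with RemoteSigned (no script-host parent)
    {"kind": "process", "host": "ws02", "pid": 912, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe -ExecutionPolicy RemoteSigned -File backup.ps1"},
    # Benign: a mail client using SMTP submission
    {"kind": "network", "host": "ws02", "pid": 1301, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "smtp.example.net", "dst_port": 587},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} {f['image']}: {f['rule']}")
```

Each rule on its own is noisy (RemoteSigned is a common, legitimate execution policy, and port 587 is normal mail traffic), which is why the script keys on parent/child relationships and on the specific injection-host binaries rather than on any single indicator; in practice the four findings from one host within minutes are the signal worth escalating.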