Organizations in the aerospace and travel sectors have been targeted in the past months in a campaign aimed at infecting victims with remote access Trojans (RAT) and other types of malware, Microsoft warns.
The attacks start with spear-phishing messages that employ lures relevant to the targeted organizations, such as aviation, travel, and cargo, and deliver an image that pretends to be a PDF file and which contains an embedded link.
The attackers abuse legitimate web services and they leverage a newly identified loader dubbed Snip3 for the delivery of RATs.
Last week, security researchers with endpoint security solutions provider Morphisec revealed that, once the victim clicks on the link, a VBScript is fetched, which in turn drops a second-stage PowerShell script in charge of evading detection and dropping the final payload.
Snip3 is still under active development, with Morphisec identifying roughly a dozen versions over the course of several months.
The final payload in these attacks is typically RevengeRAT or AsyncRAT, but additional payloads were observed as well, including Agent Tesla and NetWire RAT. The main purpose of the attacks appears to be data harvesting and exfiltration.
“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft says.
On the compromised systems, the Trojans attempt to inject components into processes like RegAsm, InstallUtil, or RevSvcs, and Microsoft explains that they continuously re-run the components until the process injection is successful.
“They steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrate data often via SMTP Port 587,” the tech giant also notes.
Related: Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration
Related: Crypto-Hijacking Campaign Leverages New Golang RAT
Related: Iran-Linked RAT Used in Recent Attacks on European Energy Sector
More from Ionut Arghire
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- 820k Impacted by Data Breach at Zacks Investment Research
- US Government Agencies Warn of Malicious Use of Remote Management Software
Latest News
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
