Microsoft Warns of Attacks on Aerospace, Travel Sectors

Organizations in the aerospace and travel sectors have been targeted in the past months in a campaign aimed at infecting victims with remote access Trojans (RAT) and other types of malware, Microsoft warns.

The attacks start with spear-phishing emails that use lures relevant to the targeted organizations (aviation, travel, cargo) and deliver an image disguised as a PDF file that contains an embedded link.

The attackers abuse legitimate web services and they leverage a newly identified loader dubbed Snip3 for the delivery of RATs.

Last week, security researchers with endpoint security solutions provider Morphisec revealed that, once the victim clicks the link, a VBScript is fetched; it in turn drops a second-stage PowerShell script responsible for evading detection and dropping the final payload.

Snip3 is still under active development, with Morphisec identifying roughly a dozen versions over the course of several months.

The final payload in these attacks is typically RevengeRAT or AsyncRAT, but additional payloads were observed as well, including Agent Tesla and NetWire RAT. The main purpose of the attacks appears to be data harvesting and exfiltration.

“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft says.

On compromised systems, the Trojans attempt to inject components into processes such as RegAsm, InstallUtil, or RevSvcs, and Microsoft explains that they continuously re-run the components until the process injection succeeds.

“They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587,” the tech giant also notes.
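The behaviours described in the last four paragraphs (script host launching PowerShell, PowerShell fetching stages from pastebin[.]com, injection into .NET utilities such as RegAsm and InstallUtil, and exfiltration over SMTP port 587) map directly onto endpoint detection rules. The following is an added example, not code from Microsoft, Morphisec or the article: it runs a handful of such rules over constructed Sysmon-style process-creation and network-connection events. The event layout, rule names, the mail-client allowlist, the inclusion of RegSvcs.exe alongside RegAsm and InstallUtil, and the encoded-command check (the article only says the PowerShell is "UTF-8-encoded") are all my assumptions; the sample events are constructed, not real telemetry.

```python
import re
from typing import Dict, List, Set

# Process names involved in the chain the article describes.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# RegAsm and InstallUtil are named in the article; adding RegSvcs.exe is my assumption.
DOTNET_UTILS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
PASTE_SITES = {"pastebin.com"}  # Microsoft says "or similar sites"; extend per environment
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist for port 587
# powershell.exe accepts -EncodedCommand, -ec and -e for base64-encoded commands.
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _proc(pid: int, image: str, parent_image: str, cmdline: str) -> Dict:
    """Sysmon-style process-creation event (EventID 1)."""
    return {"id": 1, "pid": pid, "image": image, "parent_image": parent_image, "cmdline": cmdline}


def _net(pid: int, image: str, dest_host: str, dest_port: int) -> Dict:
    """Sysmon-style network-connection event (EventID 3)."""
    return {"id": 3, "pid": pid, "image": image, "dest_host": dest_host, "dest_port": dest_port}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry (not real logs): one Snip3-style chain plus a benign mail client.
SAMPLE_EVENTS: List[Dict] = [
    _proc(4120, WSCRIPT, EXPLORER, r'wscript.exe "C:\Users\u\Downloads\cargo_manifest.vbs"'),
    _proc(4188, PS, WSCRIPT, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    _net(4188, PS, "pastebin.com", 443),
    _proc(4260, REGASM, PS, "RegAsm.exe"),
    _net(4260, REGASM, "example-c2.duckdns.org", 587),
    _proc(5000, OUTLOOK, EXPLORER, "OUTLOOK.EXE"),
    _net(5000, OUTLOOK, "smtp.office365.com", 587),
]


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per rule match; each alert names the rule, pid and image."""
    alerts: List[Dict] = []

    def fire(rule: str, ev: Dict) -> None:
        alerts.append({"rule": rule, "pid": ev["pid"], "image": basename(ev["image"])})

    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent_image"])
            # Stage 1 -> 2: the VBScript (running under wscript/cscript) launches PowerShell.
            if parent in SCRIPT_HOSTS and img in POWERSHELL:
                fire("script_host_spawns_powershell", ev)
            # Second-stage PowerShell delivered as an encoded command line.
            if img in POWERSHELL and ENCODED_FLAG.search(ev["cmdline"]):
                fire("encoded_powershell_command", ev)
            # Injection target: PowerShell starts a .NET utility to host the RAT.
            if parent in POWERSHELL and img in DOTNET_UTILS:
                fire("powershell_spawns_dotnet_utility", ev)
        elif ev["id"] == 3:
            host = ev["dest_host"].lower()
            # Additional stages pulled from a paste site by PowerShell.
            if img in POWERSHELL and host in PASTE_SITES:
                fire("powershell_fetch_from_paste_site", ev)
            # Exfiltration over SMTP submission from something that is not a mail client.
            if ev["dest_port"] == 587 and img not in MAIL_CLIENTS:
                fire("smtp_submission_from_non_mail_client", ev)
    return alerts


def rules_fired(events: List[Dict]) -> Set[str]:
    """Set of distinct rule names that matched."""
    return {a["rule"] for a in detect(events)}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["rule"]:40} pid={a["pid"]} image={a["image"]}')
```

Run on the sample stream, every rule fires once on the malicious chain and nothing fires on Outlook's legitimate port 587 connection. In production the port 587 rule should key on the parent chain or signer rather than a static allowlist, and the paste-site list should be fed from your proxy's category data, since Microsoft only names pastebin[.]com "or similar sites".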

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
