Organizations in aerospace and travel sectors under attack, Microsoft warns

Pierluigi Paganini May 13, 2021

Microsoft warns of a malware-based campaign that targeted organizations in the aerospace and travel sectors in the past months.

Microsoft researchers revealed that organizations in the aerospace and travel sectors have been targeted in the past months in a malware-based campaign.

Threat actors conducted a spear-phishing campaign using messages that were specifically designed to be of interest to the targeted organizations. The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. The email uses an image posing as a PDF file that contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.

The attackers used a new loader dubbed Snip3 which appears under active development and that was recently analyzed by Morphisec researchers that already detected a dozen versions over the last months.

“The first stage of the attack chain is a VB Script that’s designed to load and then move the execution to the second-stage PowerShell script. We’ve identified four versions containing 11 sub-versions in this initial loader stage, with the main difference between the four being the second-stage PowerShell loading mechanism. The main difference between the 11 sub-versions is the type of obfuscation that each uses.” states Morphisec.

The final stage in the attacks observed by Microsoft is common RAT, such as RevengeRAT or AsyncRAT, experts also reported the involvement of additional payloads, including Agent Tesla and NetWire RAT.

Threat actors employed the malware to steal sensitive data from the victims.

The RATs are controlled using C2 server hosted on dynamic hosting sites, they use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites.

The Trojans attempt to inject components into processes like RegAsm, InstallUtil, or RevSvcs.

The final payloads allow attackers to steal credentials, take screenshots and spy through the webcam, then stolen data are exfiltrated via SMTP Port 587.

“Microsoft 365 Defender detects the multiple components of this attack. Our researchers are closely monitoring the campaign and will share additional info and investigation guidance through Microsoft 365 security center and Microsoft Threat Experts.” concludes Microsoft.

Please vote Security Affairs as Best Personal cybersecurity Blog

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment