Researchers from Cisco Talos have uncovered a spear-phishing campaign that they believe to be over two years old. The campaign has been targeting the aviation industry and has been named Operation Layover. Researchers have established that the threat actor behind the campaign is based in Nigeria and is not highly sophisticated. The group has been active for at least five years and has consistently used “off the shelf” malware, never developing its own. Spear-phishing messages are sent with bait documents specifically crafted to target the aviation or cargo industry. The files appear to be PDF files but link to a VBScript file hosted on Google Drive, which ultimately leads to the delivery of Remote Access Trojans (RATs) such as AsyncRAT and njRAT. The threat actor uses different RATs and domains for different campaigns, in conjunction with a batch file that downloads or executes other malware.
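The lure pattern described above (a link labelled as a PDF that actually resolves to a script file or to a file-sharing host) is something a mail gateway or SOC script can check for. The following is an added example, not code from Cisco Talos or from the original write-up; the message records are constructed, and the hostnames and file IDs are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample records (not real campaign data): the visible link text
# and the real target URL as extracted from each email body.
SAMPLE_LINKS = [
    {"id": "msg-1", "text": "Cargo_Manifest_4471.pdf",
     "href": "https://drive.google.com/uc?export=download&id=PLACEHOLDER1"},
    {"id": "msg-2", "text": "Aircraft_Parts_Quote.pdf",
     "href": "https://partner.example.test/files/Aircraft_Parts_Quote.pdf"},
    {"id": "msg-3", "text": "Flight_Schedule.pdf",
     "href": "https://cdn.example.test/share/Flight_Schedule.pdf.vbs"},
    {"id": "msg-4", "text": "Read the quarterly update",
     "href": "https://drive.google.com/file/d/PLACEHOLDER2/view"},
]

PDF_LURE = re.compile(r"\.pdf\s*$", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|bat|cmd|hta)$", re.IGNORECASE)
# File-sharing hosts used to stage the VBScript in the campaign described above.
FILE_HOSTS = {"drive.google.com", "docs.google.com"}


def classify_link(text, href):
    """Return the reasons this link matches the PDF-lure pattern (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    path = parsed.path
    looks_like_pdf = bool(PDF_LURE.search(text))
    if not looks_like_pdf:
        return reasons
    if SCRIPT_EXT.search(path):
        reasons.append("pdf-labelled link resolves to a script file")
    if host in FILE_HOSTS:
        reasons.append("pdf-labelled link points at a file-sharing host")
    if not path.lower().endswith(".pdf"):
        reasons.append("link text and target extension disagree")
    return reasons


def flag_messages(links):
    """Map message id -> reasons, keeping only messages that triggered a rule."""
    flagged = {}
    for link in links:
        reasons = classify_link(link["text"], link["href"])
        if reasons:
            flagged[link["id"]] = reasons
    return flagged
```

Running `flag_messages(SAMPLE_LINKS)` flags msg-1 and msg-3 and leaves the genuine PDF link and the plain-text link alone.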
According to researchers, these types of campaigns tend to fly under the radar because of their small size. Furthermore, once a campaign is outed, all the threat actors must do is abandon their C2 (Command and Control) hostnames and change the RATs they are using. Their next attacks then appear to be isolated even though they are still part of the same campaign. Organizations should employ best practices for protecting themselves against phishing campaigns. This includes training employees on how to spot phishing emails and what to do if they believe they have received one. Monitoring, such as Binary Defense’s Managed Detection and Response, should also be in place to detect attacks and infections quickly.