Microsoft has released details of a campaign that is targeting the Aviation industry. The threat actors are using spear-phishing campaigns to deliver emails that spoof legitimate companies. The emails contain a linked image that poses as a PDF file and an embedded link that is typically generated via a known web service, helping the emails bypass security controls. If the link is clicked the victim is infected with a new loader called Snip3 which comes in the form of a malicious VBScript. Once downloaded, Snip3 will download a Remote Access Trojan (RAT) on the victim’s device. Thus far, RevengeRAT and AsyncRAT are the only two strains that have been downloaded.
Analyst Notes
RevengeRAT is a known malware that has been used by the Iranian threat actor APT33 in the past. AsyncRAT is an open-source, legitimate, remote administration tool that has been used by any threat actors for malicious activities in the past. There has been no attribution to these attacks so far. It is recommended that companies have the proper training in place to teach employees how to spot a phishing email as well as monitoring in place. Binary Defense’s Security Operations Task Force monitors clients’ workstations and servers 24/7 to detect attacks based on possible attacker behaviors and prevents intrusions in the early stages to keep companies from suffering major damage.
More can be read here: https://threatpost.com/loader-aviation-spy-rats/166133/
