Researchers from Cisco Talos have uncovered a spear-phishing campaign that they believe to be more than two years old. The campaign, which targets the aviation industry, has been named Operation Layover. The researchers have established that the threat actor behind it is based in Nigeria and is not highly sophisticated: the group has been active for at least five years and has consistently relied on “off the shelf” malware rather than developing its own. The spear-phishing messages carry bait documents crafted specifically for the aviation and cargo industries. The attachments appear to be PDF files but in fact link to a VBScript file hosted on Google Drive, which ultimately leads to the delivery of Remote Access Trojans (RATs) such as AsyncRAT and njRAT. The threat actor rotates RATs and domains between campaigns and pairs them with a batch file used to download or execute additional malware.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense