Microsoft has issued a warning about an ongoing spear-phishing campaign targeting the aviation and travel sectors that delivers several Remote Access Trojans (RATs) through a new malware loader.
Specifically, the technology giant stated in its announcement: "In recent months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT."
The attackers' phishing emails spoof legitimate organizations and use as bait images posing as PDF documents that purport to contain information relevant to several industries, including aerospace and travel.
As Microsoft observed while monitoring this campaign, the threat actors' ultimate goal is to access and steal data from infected devices, using the RATs' remote control, keylogging and credential-theft capabilities.
Once deployed, the malware allows the attackers to take screenshots and to steal credentials, webcam data, browser and clipboard data, and system and network information.
The newly discovered loader, which Morphisec malware analysts named "Snip3", is used to distribute Revenge RAT, AsyncRAT, Agent Tesla and NetWire RAT payloads to compromised systems.
Links embedded in the phishing emails, which abuse legitimate web services, download first-stage VBScript (VBS) files; these run a second-stage PowerShell script, which in turn executes the final RAT payload using process hollowing.
According to Morphisec, Snip3 can also detect sandboxes and virtual environments, which makes it particularly effective at bypassing detection-centric anti-malware solutions.
To avoid detection, the loader uses additional techniques, including:
- Executing PowerShell code with the "RemoteSigned" parameter
- Using Pastebin and top4top for staging
- Compiling RunPE loaders on the endpoint
Organizations can use the sample advanced hunting queries Microsoft has published for Microsoft 365 Defender to help them identify and investigate suspicious behavior and activity associated with this ongoing phishing campaign.
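The infection chain (VBS first stage, PowerShell second stage with RemoteSigned, Pastebin/top4top staging, compilation on the endpoint) and the hunting approach described above can be expressed as a handful of rules over process-creation telemetry. The following is an added example, not code from the article, from Microsoft or from Morphisec: it evaluates constructed process-creation events (parent image, child image, command line, which are the kinds of fields an advanced hunting query over process events would use) against those rules and rates events that match more than one rule higher, since RemoteSigned alone is common in legitimate administration. Two assumptions are labelled in the code: that "compiling RunPE loaders on the endpoint" surfaces as PowerShell launching the C# compiler csc.exe (the article does not name the mechanism), and that top4top may appear under any top-level domain. The sample events and URLs are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not code from the article, Microsoft or Morphisec.
# Rules are derived from the Snip3 chain described in the article:
# VBS -> PowerShell (RemoteSigned) -> staged payload -> RAT.
# Field names and sample events are constructed for this example.


@dataclass
class ProcessEvent:
    parent: str   # image name of the initiating (parent) process
    image: str    # image name of the created process
    cmdline: str  # full command line of the created process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # first stage: VBS files run here
POWERSHELL = {"powershell.exe", "pwsh.exe"}     # second stage
# Staging services named in the article; the TLD for top4top is left open (assumption).
STAGING_HOSTS = re.compile(r"pastebin\.com|top4top\.", re.IGNORECASE)
# Explicit RemoteSigned execution policy (-ep / -ex / -exec / -ExecutionPolicy).
REMOTESIGNED = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+remotesigned", re.IGNORECASE)


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    parent, image = ev.parent.lower(), ev.image.lower()
    hits = []
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("vbs_spawns_powershell")
    if image in POWERSHELL and REMOTESIGNED.search(ev.cmdline):
        hits.append("powershell_remotesigned")
    if STAGING_HOSTS.search(ev.cmdline):
        hits.append("staging_site_in_cmdline")
    # Assumption: compiling a loader on the endpoint surfaces as PowerShell
    # invoking the C# compiler; the article does not name the mechanism.
    if parent in POWERSHELL and image == "csc.exe":
        hits.append("powershell_compiles_code")
    return hits


def hunt(events: List[ProcessEvent]) -> List[Tuple[int, str, List[str]]]:
    """Return (event index, severity, matched rules) for each event with a hit.

    Two or more rules on one event are rated high; a single rule is medium,
    because each indicator on its own also occurs in legitimate administration.
    """
    findings = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings.append((i, "high" if len(hits) >= 2 else "medium", hits))
    return findings


# Constructed sample telemetry: one routine admin script launch and two events
# modelled on the described chain. Paths and URLs are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"),
    ProcessEvent("wscript.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy RemoteSigned -WindowStyle Hidden "
                 "-Command \"$s = 'https://pastebin.com/raw/PLACEHOLDER'; ...\""),
    ProcessEvent("powershell.exe", "csc.exe",
                 r"csc.exe /noconfig /fullpaths @C:\Users\user\AppData\Local\Temp\PLACEHOLDER.cmdline"),
]

if __name__ == "__main__":
    for idx, severity, hits in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {severity}: {', '.join(hits)}")
```

Run against the constructed events, the routine backup script is flagged medium on RemoteSigned alone, the script-host-to-PowerShell launch that also carries a Pastebin URL is flagged high, and the compiler launch is flagged medium; in practice the last two would be correlated by host and time window before alerting.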
Source of information: bleepingcomputer.com