Security researchers have uncovered a large hacking campaign targeting airlines. It all started with Microsoft's analysis of a trojan.
On May 11, the Microsoft Security Intelligence team posted a thread on Twitter describing a campaign aimed at the "aerospace and travel sectors with phishing messages that contained a loader, which then installed RevengeRAT or AsyncRAT on the devices".
The operator of this campaign used email spoofing so that the emails appeared to come from legitimate organizations. The emails contained a .PDF file with an embedded link that led to a malicious VBScript, which then installed the Trojan payloads on the target machine.
According to Microsoft, the malware was used for spying on victims as well as for theft of data (credentials, screenshots, clipboard and webcam data).
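As an added illustration, not code from the article, Microsoft or Cisco Talos, the following Python triage checks a message for the indicators this delivery chain leaves behind on the defender's side: a visible From domain that does not match the bounce (Return-Path) domain, failed SPF/DMARC results recorded by the receiving mail server, and a PDF attachment whose embedded link action points at a script file such as VBScript. The message, the domains, the header values and the PDF bytes are all constructed for the example; only the Python standard library is used.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions a flight-schedule or cargo-details PDF should never link to;
# .vbs is the VBScript loader case described in the article.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".wsf", ".ps1")

# Minimal matcher for a PDF URI action: "/URI (http://...)".
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")


def domain_of(header_value) -> str:
    """Return the lower-cased domain of an address header (empty if absent)."""
    _, address = parseaddr(str(header_value))
    return address.rpartition("@")[2].lower()


def build_sample(spoofed: bool = True) -> EmailMessage:
    """Constructed test message, not a real capture. spoofed=True mimics the
    described lure: mismatched sender domains, failed SPF/DMARC, and a PDF whose
    only link fetches a .vbs file. spoofed=False is a benign control message."""
    msg = EmailMessage()
    msg["Subject"] = "Charter flight schedule and cargo details"
    msg["From"] = "Ops Desk <ops@charter-example.test>"
    if spoofed:
        msg["Return-Path"] = "<bounce@mailer-example.invalid>"
        msg["Authentication-Results"] = (
            "mx.example.test; spf=fail smtp.mailfrom=mailer-example.invalid; "
            "dmarc=fail header.from=charter-example.test"
        )
        pdf = (b"%PDF-1.4\n1 0 obj << /Type /Action /S /URI "
               b"/URI (http://downloads.invalid/schedule.vbs) >> endobj\n%%EOF\n")
    else:
        msg["Return-Path"] = "<ops@charter-example.test>"
        msg["Authentication-Results"] = (
            "mx.example.test; spf=pass smtp.mailfrom=charter-example.test; "
            "dmarc=pass header.from=charter-example.test"
        )
        pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    msg.set_content("Please find the updated schedule attached.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="schedule.pdf")
    return msg


def triage(msg: EmailMessage) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []

    # 1. Header spoofing: visible From domain differs from the bounce address domain.
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    if return_path_domain and from_domain != return_path_domain:
        findings.append(
            f"From domain {from_domain} != Return-Path domain {return_path_domain}")

    # 2. Authentication results stamped by the receiving MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=fail\b", auth):
            findings.append(f"{mech} failed")

    # 3. PDF attachments whose embedded link targets a script file.
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        data = part.get_payload(decode=True) or b""
        for match in URI_ACTION.finditer(data):
            url = match.group(1).decode("latin-1", "replace")
            path = url.split("?", 1)[0].split("#", 1)[0].lower()
            if path.endswith(SCRIPT_EXTENSIONS):
                findings.append(
                    f"PDF {part.get_filename()} links to script: {url}")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The checks are deliberately independent: a spoofed message may pass SPF when the attacker controls the envelope domain, and a PDF lure may carry no direct script link, so a triage rule that fires on any single finding and escalates on two or more gives better coverage than any one check on its own.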
The Microsoft security team had been monitoring the hacking campaign, and now Cisco Talos has also presented its own findings on the airline attacks.
Cisco Talos researchers Tiago Pereira and Vitor Ventura published a report on Thursday describing the attack, "Operation Layover", which appears to be linked to an attacker who has been active since at least 2013 and has been targeting airlines for at least two years.
This attacker is also linked to attacks in other sectors.
In terms of targets in the aviation industry, the samples of malicious emails found by the researchers were similar to those received by Microsoft. The emails and .PDF attachments were related to aviation, with references to flight schedules, private jets, charter, cargo details and more.
Based on passive DNS telemetry, the team believes the attacker is in Nigeria.
The attacker initially used the off-the-shelf CyberGate malware; in the most recent attacks, CyberGate has been replaced by AsyncRAT.
RevengeRAT and AsyncRAT, however, are not the only malware the Nigerian attacker has used against airlines. A domain detected by the research team also indicates that the operator is using a variant of nRAT in its cyber attacks.
"Criminals who carry out smaller attacks can continue to do so for a long time without being noticed," says Cisco Talos. However, according to the researchers, their activities may create problems for other, larger organizations: these are the criminals who supply the underground market with credentials and data that larger groups can use for activities such as big-game hunting.