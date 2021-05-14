
Microsoft Alerts Aviation and Travel Firms to RAT Campaign

Microsoft is warning the aerospace and travel sectors of a new targeted attack campaign aimed at stealing sensitive information from affected companies.

The tech giant said it had been tracking the “dynamic campaign” for several months via a series of spear-phishing emails designed to deliver an “actively developed loader.”

The screenshot posted to the Microsoft Security Intelligence Twitter feed showed a phishing email spoofing a legitimate organization and requesting a quote for a cargo charter.

“An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” it explained.

These payloads are either RevengeRAT or AsyncRAT.

“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft said.

“The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587.”

The loader which drops the RATs was identified by Morphisec last week as a “highly sophisticated” crypter-as-a-service dubbed “Snip3.”

It features several methods of bypassing detection by security tools, including: the use of Pastebin and top4top for staging; recognition of Windows Sandbox and VMWare virtualization; executing PowerShell code with the “remotesigned” parameter; and compiling RunPE loaders on the endpoint at runtime.

Microsoft claimed its Microsoft 365 Defender product detects multiple components of the attack, but urged organizations in the targeted sectors to check whether they have been affected. It published a list of hunting queries so organizations can check for similar activities, emails, implants and other indicators of attack.
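As an added illustration of the kind of process-tree hunt the chain above invites (this is not one of Microsoft's published queries, and the event field names and sample events are constructed assumptions), the following Python flags a script host launching PowerShell with the “remotesigned” bypass or a staging site in its command line, and PowerShell spawning one of the .NET utilities the RATs inject into:

```python
import re

# Constructed sample process-creation events, not real telemetry. The field names
# (pid, ppid, image, cmd) are an assumption; map them to your EDR or Sysmon schema.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "outlook.exe",    "cmd": "outlook.exe"},
    {"pid": 101, "ppid": 100, "image": "wscript.exe",    "cmd": r'wscript.exe "C:\Users\a\Downloads\charter_quote.vbs"'},
    {"pid": 102, "ppid": 101, "image": "powershell.exe",
     "cmd": "powershell.exe -ExecutionPolicy remotesigned -w hidden https://pastebin.com/raw/CONSTRUCTED"},
    {"pid": 103, "ppid": 102, "image": "regasm.exe",     "cmd": "regasm.exe"},
    # Benign admin activity that must not fire: PowerShell from Explorer running a backup script.
    {"pid": 200, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": "powershell.exe", "cmd": r"powershell.exe -File C:\ops\backup.ps1"},
    {"pid": 202, "ppid": 201, "image": "robocopy.exe",   "cmd": r"robocopy.exe D:\data E:\backup"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The article lists RegAsm, InstallUtil and "RevSvcs"; regsvcs.exe is the .NET
# framework tool that last name most plausibly refers to (assumption).
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "regsvcs.exe"}
# Execution-policy bypass and the staging sites named in the article.
STAGING_RE = re.compile(r"remotesigned|pastebin\.com|top4top", re.IGNORECASE)


def lineage(by_pid, pid):
    """Image names from a process up through its ancestors (stops at unknown pids or loops)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events):
    """Return (rule_name, pid) hits for the Snip3/RAT process-tree patterns described above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = lineage(by_pid, e["pid"])       # chain[0] is the process itself
        img, ancestors = chain[0], chain[1:]
        parent = ancestors[0] if ancestors else ""
        # Rule 1: VBScript host -> PowerShell with remotesigned or a staging site in the command line.
        if img == "powershell.exe" and parent in SCRIPT_HOSTS and STAGING_RE.search(e["cmd"]):
            hits.append(("script_host_powershell_staging", e["pid"]))
        # Rule 2: a .NET injection target spawned directly by PowerShell.
        if img in INJECTION_TARGETS and parent == "powershell.exe":
            hits.append(("powershell_spawns_injection_target", e["pid"]))
        # Rule 3: higher confidence when the whole chain script host -> PowerShell -> .NET tool is present.
        if img in INJECTION_TARGETS and "powershell.exe" in ancestors and SCRIPT_HOSTS & set(ancestors):
            hits.append(("full_script_host_powershell_dotnet_chain", e["pid"]))
    return hits
```

Port 587 exfiltration from the same injected process would be a natural fourth rule once network events are joined on pid.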
