Microsoft is warning the aerospace and travel sectors of a new targeted attack campaign aimed at stealing sensitive information from affected companies.
The tech giant said it had been tracking the “dynamic campaign” for several months via a series of spear-phishing emails designed to deliver an “actively developed loader.”
A screenshot posted to the Microsoft Security Intelligence Twitter feed showed a phishing email spoofing a legitimate organization and requesting a quote for a cargo charter.
“An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” it explained.
These payloads are either RevengeRAT or AsyncRAT.
“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft said.
“The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587.”
The loader which drops the RATs was identified by Morphisec last week as a “highly sophisticated” crypter-as-a-service dubbed “Snip3.”
It features several methods of bypassing detection by security tools, including: the use of Pastebin and top4top for staging; recognition of Windows Sandbox and VMware virtualization; executing PowerShell code with the “remotesigned” parameter; and compiling RunPE loaders on the endpoint at runtime.
Microsoft claimed its 365 Defender product detects multiple components of the attack, but urged organizations in the targeted sectors to check whether they’ve been affected. It published a list of hunting queries so organizations can check for similar activities, emails, implants and other indicators of attack.
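As an added illustration (not one of Microsoft's published hunting queries), the sketch below correlates two behaviors described above over endpoint telemetry: PowerShell started with a RemoteSigned execution policy, and RegAsm, InstallUtil or RegSvcs connecting out on port 587. The event schema, host names and sample events are constructed, and the script-host parent check and the reading of the quoted "RevSvcs" as RegSvcs.exe are assumptions.

```python
import re
from collections import defaultdict

# Injection targets named in the article; "RevSvcs" is read as RegSvcs.exe (assumption).
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "regsvcs.exe"}
# Assumption: the VBScript stage runs under one of the Windows script hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SMTP_SUBMISSION_PORT = 587
# -ExecutionPolicy, its abbreviations (-ex, -exec) or alias (-ep), set to RemoteSigned.
REMOTESIGNED = re.compile(r"[-/]e(?:p|x\w*)\s+remotesigned\b", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Map each host to the sorted list of campaign behaviours seen on it."""
    hits = defaultdict(set)
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev["type"] == "process":
            if (image == "powershell.exe"
                    and basename(ev.get("parent", "")) in SCRIPT_HOSTS
                    and REMOTESIGNED.search(ev.get("cmdline", ""))):
                hits[ev["host"]].add("script_host_powershell_remotesigned")
        elif ev["type"] == "network":
            if image in INJECTION_TARGETS and ev.get("dest_port") == SMTP_SUBMISSION_PORT:
                hits[ev["host"]].add("dotnet_utility_smtp_587")
    return {host: sorted(seen) for host, seen in hits.items()}

def high_confidence(findings):
    """Hosts showing both behaviours; one alone is only a lead to triage."""
    return sorted(h for h, seen in findings.items() if len(seen) == 2)

# Constructed sample telemetry (hypothetical schema, not real logs).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy RemoteSigned -File stage.ps1"},
    {"host": "WS-01", "type": "network", "dest_port": 587,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"host": "WS-02", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell -ep RemoteSigned"},
    {"host": "WS-02", "type": "network", "dest_port": 587, "image": "OUTLOOK.EXE"},
    {"host": "WS-03", "type": "network", "dest_port": 587,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    print(found, high_confidence(found))
```

Neither behavior is conclusive on its own, since administrators also launch PowerShell with RemoteSigned and mail clients legitimately use port 587, which is why the sketch ranks hosts that show both.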