Spear-Phishing Campaign Targets Aviation Sector
Microsoft: Attackers Are Spreading Remote Access Trojans
A spear-phishing campaign is targeting aviation companies, using malicious documents that deliver information-stealing malware, according to alerts from Microsoft Security Intelligence.
In a series of alerts posted on Twitter, Microsoft says it has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers one of two remote access Trojans, RevengeRAT or AsyncRAT.
Microsoft notes the campaign, which has been active in recent months, involves attackers spoofing emails of legitimate organizations with lures relevant to aviation, travel or cargo.
In a sample phishing email shared by Microsoft, the attacker spoofed the email address of airplane manufacturer Airbus. The message claims the recipient has been invited to an event. The email carries a PDF attachment containing a malicious link, which downloads a Visual Basic script that, in turn, downloads the information-stealing malware.
The Trojan delivered in the campaign, RevengeRAT or AsyncRAT, is first used to steal data. The RAT connects to a command-and-control server hosted on a dynamic hosting site, from which it downloads additional payloads for further compromise. These include Agent Tesla, which is used for further data exfiltration, Microsoft says.
"The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil or RevSvcs," Microsoft notes. "They steal credentials, screenshots and webcam data, browser and clipboard data, system and network information, and exfiltrate data, often via SMTP Port 587."
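The two behaviours Microsoft describes above, a loader that injects into .NET utilities such as RegAsm and InstallUtil and a RAT that exfiltrates over SMTP port 587, are both visible in ordinary endpoint telemetry. The following Python is an added example (not Microsoft's or the article's code) that runs two hunting rules over constructed Sysmon-style process-creation and network-connection records and correlates them by process ID. The event field names, process paths, IP addresses and the reading of "RevSvcs" in the quote as RegSvcs.exe are assumptions.

```python
"""Hunt for script-host -> .NET-utility spawns and SMTP submission from non-mail processes.

Added example; the records below are constructed, not real telemetry.
Field names mirror Sysmon Event ID 1 (process create) and Event ID 3
(network connect) but are an assumption about the log source.
"""

# Script interpreters that the VBS downloader stage would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Injection targets named by Microsoft. "RevSvcs" in the alert is assumed
# to mean RegSvcs.exe (another legitimate .NET framework utility).
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "regsvcs.exe"}

# Processes for which outbound SMTP submission (TCP 587) is expected.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_SUBMISSION_PORT = 587

# Constructed sample events: a VBS downloader spawns RegAsm.exe, which
# then talks to an SMTP submission port; the remaining records are benign.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe"},
    {"event": "process_create", "pid": 4388,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"event": "network_connect", "pid": 4388,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_ip": "198.51.100.23", "dest_port": 587},
    {"event": "network_connect", "pid": 2210,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_ip": "203.0.113.10", "dest_port": 587},
    {"event": "process_create", "pid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Program Files\dotnet\MSBuild.exe"},
    {"event": "network_connect", "pid": 7001,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "203.0.113.44", "dest_port": 443},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Apply both rules in event order and return a list of alert dicts.

    Rule 1: a script host spawns one of the .NET utilities used as an
            injection target (medium severity; records the PID).
    Rule 2: a process that is not a known mail client connects to TCP 587.
            Severity is raised to high when the PID was already flagged
            by rule 1, which is the exfiltration pattern Microsoft describes.
    """
    flagged_pids = {}  # pid -> image name flagged by rule 1
    alerts = []
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev["event"] == "process_create":
            parent = basename(ev.get("parent_image", ""))
            if image in INJECTION_TARGETS and parent in SCRIPT_HOSTS:
                flagged_pids[ev["pid"]] = image
                alerts.append({
                    "rule": "script_host_spawned_dotnet_utility",
                    "severity": "medium",
                    "pid": ev["pid"],
                    "detail": f"{parent} -> {image}",
                })
        elif ev["event"] == "network_connect":
            if ev.get("dest_port") == SMTP_SUBMISSION_PORT and image not in MAIL_CLIENTS:
                severity = "high" if ev["pid"] in flagged_pids else "medium"
                alerts.append({
                    "rule": "smtp_submission_from_non_mail_client",
                    "severity": severity,
                    "pid": ev["pid"],
                    "detail": f"{image} -> {ev.get('dest_ip')}:{ev['dest_port']}",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the RegAsm.exe process trips both rules: the MSBuild-spawned InstallUtil.exe and the Outlook SMTP connection are left alone, and the correlation by PID is what lifts the 587 connection to high severity. In production, port 587 from an arbitrary process should also be checked against a host-level allowlist, since some legitimate line-of-business software sends mail directly.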
Dirk Schrader, global vice president at security firm New Net Technologies, points out: "That the transport sector is now under attack can be explained with the fact that the sector is about to come back to life, so any well-crafted campaign addressing this situation is even better."
Remote Access Trojans
RevengeRAT, also known as Revetrat, was recently linked to a sophisticated crypter-as-a-service operation that delivered the malware through phishing emails, according to the security firm Morphisec.
In April, security firm Cisco Talos uncovered a phishing campaign that targeted users with Bloomberg BNA-themed email messages and had been active since at least March 2020.
AsyncRAT is an open-source RAT that's designed to remotely monitor and control other computers. The malware is equipped with a keylogger, screen viewer and command execution capabilities. In January, security firm Kaspersky uncovered a hacking campaign using AsyncRAT that targeted private and government entities in Colombia for cyberespionage.
A December 2020 report by security firm Intel 471 revealed that Chinese underground markets were selling AsyncRAT and other RATs.
A recent report by Deloitte noted that hackers were targeting airlines, which have faced financial difficulties during the COVID-19 pandemic.
In March, Singapore Airlines, Air New Zealand and Malaysia Airlines sustained data breaches after attackers compromised their servers (see: Supply Chain Attack Jolts Airlines).
Chris Verdonck, partner, cyber and strategic risk, at Deloitte, says the aviation sector needs to improve its defense posture. "Adopting a collaborative cyber resilience stance and creating trust between cross-sector organizations, national and supranational authorities is the logical, yet challenging, next step," he says. "However, if the effort is not collective, cyber risks will persist for all."