A cyberattack campaign that goes after aviation targets has been uncovered, which is spreading remote access trojan (RAT) malware bent on cyber-espionage.
Researchers from Microsoft said this week on Twitter that spear-phishing emails are the main attack vector. Individuals in the aerospace and travel sectors are being targeted with a range of gambits, such as using the ruse of needing transportation-charter help.
“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel or cargo,” according to Microsoft.
With the subject line of “Contract Standby/Cargo Charter Request,” one version of the emails reads: “Dear On-duty, we are searching for the cargo aircraft to fulfill below contract. Flight shall be operated every day for 5-8 months of continuous operation commencing 15 May, 2021.”
In other cases, the emails purport to invite targets to an official company event, such as this message pretending to be from Airbus:
The emails contain a linked image posing as a PDF file – the embedded link is typically generated with a legitimate web service, according to the tweets, which helps the emails evade security filters.
If the target clicks on the image, a newly discovered loader dubbed Snip3 downloads, which comes in the form of a malicious VBScript. Snip3 in turn fetches the RAT payloads: Either the RevengeRAT or AsyncRAT strains.
RevengeRAT is a commodity malware family that has been used by Iran-linked, espionage-focused threat group APT33 in the past. AsyncRAT meanwhile is an open-source, legitimate remote administration tool, which has been used maliciously by a range of cyber-adversaries. It’s delivered using various methods such as spear-phishing, malvertising, exploit kits and other techniques.
“Attackers use the remote access trojans for data theft, follow-on activity and additional payloads, including Agent Tesla, which they use for data exfiltration,” according to Microsoft. “The trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil or RegSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrate data often via SMTP Port 587.”
Once installed, the RATs connect to a command-and-control (C2) server that’s hosted on a dynamic hosting site to register with the attackers.
“[It] then uses a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft said.
Roger Grimes, data-driven defense evangelist at KnowBe4, said that the campaign shows a new trend in malware gang activity: Specializing in attacking certain vertical sectors beyond financial and government targets.
“The targeting of particular industries is now often pointing to particular malware gangs,” he told Threatpost. “Many gangs have become more specialized, targeting a specific industry that they have especially good experience and success in. To increase the chances of getting a potential victim to execute malware, the attacker has to make the social-engineering and phishing attack seem as close to an internal or partner communication as possible. Specializing in a particular industry helps to do this.”
This sort of “beat assignment” approach allows attackers to get better at their jobs over time as well, he added.
“The attacker, as they gain more and more experience in the industry, starts to not only collect partner names they can use against other trusted partners, but starts to understand the insider terminology and topics that the industry insiders use with each other,” Grimes said. “All-in-all, any time you see a particular industry specifically targeted by a piece of malware or a particular malware gang, it isn’t good. It means they are targeting the industry for a reason and become comfortable with compromising targets within that industry. In this case, it’s aerospace and travel, and that is not good on a bunch of levels.”
Snip3 Loader Brings in the RATs
The bones of this campaign have been observed elsewhere. Morphisec in an earlier analysis last week was the first to break down the loader used in the aviation attacks. It said that it too has seen Snip3 being used to deliver both ASyncRAT or RevengeRAT, “which often come from an open-source RAT platform originally available through the NYANxCAT Github repository.” It didn’t specify the industry targets.
Researchers there, again dovetailing with Microsoft’s observations, also identified a campaign that used Agent Tesla (and another one that used NetWire RAT).
Morphisec described Snip3 as a “highly sophisticated crypter-as-a-service” that’s been used to deliver a wide range of RAT families onto victim machines, starting in February of this year.
Researchers also said that Snip3 implements several functions to bypass detection, including:
- Executing PowerShell code with the ‘remotesigned’ parameter
- Validating the existence of Windows Sandbox and VMWare virtualization
- Using Pastebin and top4top for staging
- Compiling RunPE loaders on the endpoint in runtime
In the first stage of the attack chain, the initially downloaded VBScript begins execution of a second-stage PowerShell script, downloaded from the Pastebin service.
“This script saves that second-stage under \AppData\Local\Temp\SysTray.PS1 and also creates a VBS within the victim’s startup folder that executes it to maintain persistence,” according to Morphisec’s analysis.
The second stage’s PowerShell script seems to be dynamic based on Snip3’s configuration, researchers added. It attempts to detect whether the script has been executed within the Microsoft Sandbox, VMWare, VirtualBox or Sandboxie environments. If the script identifies one of these virtual-machine environments, the script terminates without loading the RAT payload.
“The two main purposes of this stage are to detect virtual environments and enact a reflective load of RunPE to execute the RAT payload within a hollowed Windows process,” according to the analysis.
Once the script is done compiling the RunPE code, the PowerShell loads and executes it along with the RAT payload and the executable path to hollow for injecting the final payload, which is chosen by the cyberattackers. It’s eventually executed within the hollowed process memory.
“Most of this stage’s PowerShells are configured to hollow InstallUtil.exe, although some of them are configured to hollow RegSvcs.exe,” according to Morphisec – which dovetails with what Microsoft is seeing in the aviation campaign.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!