Posted on May 13, 2021 at 5:42 PM
Microsoft's open source tools have detected a new Trojan malware campaign targeting the cargo, travel, and aviation sectors.
The remote access tool (RAT), also known as RevengeRAT, siphons sensitive data from users and is delivered through phishing emails. The attackers use carefully crafted emails to prompt employees in the travel sector to open certain files. The file is disguised as an Adobe PDF and, once downloaded, loads a malicious Visual Basic script onto the system.
How the malware works
The phishing emails deliver a loader that installs either the RevengeRAT or the AsyncRAT malware.
Microsoft said that “The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.”
According to Morphisec, the new cryptor service is dubbed ‘Snip3’, after a username extracted from different malware variants. Snip3 is configured so that if it detects it is executing in the Windows Sandbox, it does not load the RAT.
The Windows Sandbox lets advanced users run suspicious software within a safety net, isolated so that it cannot affect the operations of the host system.
“If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments,” said Morphisec.
Morphisec added that “If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload.”
Steals sensitive information
Once the RATs are installed on a computer, they connect to a command-and-control (C2) server. Additional malware is then downloaded onto the operating system from paste sites such as pastebin.com.
RATs are very harmful to computer systems. The malware steals user credentials as well as images and video from a webcam. It also captures details that have been copied to the clipboard and forwards them elsewhere.
Microsoft Security Intelligence said that “The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then uses a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites.”
“The Trojans continuously re-run components until they can inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrates data often via SMTP Port 587,” Microsoft added.
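A small triage routine, added here as an example that is not part of the article or of Microsoft's published guidance, checks constructed endpoint telemetry for the behaviours described above: a script host launching PowerShell, the named injection targets making network connections, downloads from paste sites, and SMTP on port 587 from a non-mail process. The log format, field names and mail-client allow-list are assumptions.

```python
"""Flag the post-infection behaviour the article describes in endpoint telemetry.

Indicators taken from the text: a script host (wscript/cscript) spawning
PowerShell as a VBScript dropper would; RegAsm/InstallUtil/RevSvcs (the
injection targets named) talking to the network; downloads from paste sites
such as pastebin.com; outbound SMTP on TCP 587 from a non-mail process.
Log format, field names and the sample lines below are constructed."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}
PASTE_SITES = re.compile(r"(^|\.)pastebin\.com$", re.IGNORECASE)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list

# Constructed telemetry, one event per line: "<event>|<parent>|<process>|<detail>"
SAMPLE_LOG = """\
process|explorer.exe|wscript.exe|C:\\Users\\u\\Downloads\\invoice.vbs
process|wscript.exe|powershell.exe|-w hidden -enc <omitted>
network|-|powershell.exe|pastebin.com:443
network|-|regasm.exe|198.51.100.7:587
network|-|outlook.exe|mail.example.net:587
process|services.exe|svchost.exe|-k netsvcs
"""


def triage(log: str) -> list[str]:
    """Return one finding string per matched indicator, in log order."""
    findings = []
    for line in log.splitlines():
        event, parent, proc, detail = line.split("|", 3)
        proc, parent = proc.lower(), parent.lower()
        if event == "process" and parent in SCRIPT_HOSTS and proc == "powershell.exe":
            findings.append(f"script-host-to-powershell: {parent} -> {proc}")
        elif event == "network":
            host, _, port = detail.rpartition(":")
            if PASTE_SITES.search(host):
                findings.append(f"paste-site-download: {proc} -> {host}")
            if proc in INJECTION_TARGETS:
                findings.append(f"injection-target-network: {proc} -> {detail}")
            if port == "587" and proc not in MAIL_CLIENTS:
                findings.append(f"smtp-587-non-mail-client: {proc} -> {detail}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The legitimate mail client on port 587 produces no finding, while the injected RegAsm process on the same port is flagged twice, once for each indicator it matches.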
Microsoft has published on GitHub some strategies that security personnel can use to detect this malware on their networks.
Using those strategies, Microsoft gathered intelligence pointing to Snip3 phishing emails targeting the travel and aviation sectors.
“This method is used in RevengeRAT and AsyncRAT instances involved in a campaign targeting the aviation industry, first observed in 2021. It has also been associated in the past with other malware, such as WannaCry and QuasarRAT,” Microsoft added.
The WannaCry ransomware was detected in 2017 and quickly spread across the world. Threat actors from North Korea created the malware. The QuasarRAT malware was detected in 2018, and it was used to steal private information from the Ukrainian government.