Organizations in the aerospace and travel sectors have been targeted in the past months in a campaign aimed at infecting victims with remote access Trojans (RAT) and other types of malware, Microsoft warns.
The attacks start with spear-phishing messages that employ lures relevant to the targeted organizations, such as aviation, travel, and cargo, and deliver an image that pretends to be a PDF file and which contains an embedded link.
The attackers abuse legitimate web services and they leverage a newly identified loader dubbed Snip3 for the delivery of RATs.
Last week, security researchers with endpoint security solutions provider Morphisec revealed that, once the victim clicks on the link, a VBScript is fetched, which in turn drops a second-stage PowerShell script in charge of evading detection and dropping the final payload.
Snip3 is still under active development, with Morphisec identifying roughly a dozen versions over the course of several months.
The final payload in these attacks is typically RevengeRAT or AsyncRAT, but additional payloads were observed as well, including Agent Tesla and NetWire RAT. The main purpose of the attacks appears to be data harvesting and exfiltration.
“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft says.
On the compromised systems, the Trojans attempt to inject components into processes like RegAsm, InstallUtil, or RevSvcs, and Microsoft explains that they continuously re-run the components until the process injection is successful.
“They steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrate data often via SMTP Port 587,” the tech giant also notes.