The malware is capable of stealing credentials, webcam data, taking screenshots, and other sensitive information from a targeted device.
Microsoft has recently uncovered a spear-phishing campaign targeting aerospace and travel organizations and warns about their multiple remote access trojans (RATs) deployed using a new and stealthy malware loader.
Attackers are using phishing emails to spoof legitimate organizations and further use images to lure the companies into opening documents that seem like PDFs containing info related to several industry sectors, including aviation, travel, and cargo.
As it appears to be, Microsoft noted, this campaign is moving towards achieving an end goal of harvesting and exfiltrating data from infected devices using the RATs’ remote control, keylogging, and password-stealing capabilities.
Once deployed, the malware allows attackers to “steal credentials, screenshots and webcam data, browser and clipboard data, system and network information, and exfiltrate data often via SMTP Port 587.”
Malicious email (Image provided by Microsoft)
What makes this campaign truly different from the others that have been observed in the past is the RAT loader that is employed and designed to bypass detection.
The newly discovered loader monetized under a Crypter-as-a-Service model, named Snip3 by Morphisec malware analysts, is used to drop Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT payloads on compromised systems.
Links abusing legitimate web services and embedded within the phishing messages download the first-stage VBScript VBS files that execute a second-stage PowerShell script which in turn executes the final RAT payload using Process Hollowing.
If you are an employee responsible for your company’s IT infrastructure watch out for this campaign as malicious emails sent by cybercriminals look authentic enough to trick recipients into clicking attachment and infecting their system with malware.