Researchers have unmasked a lengthy campaign against the aviation sector, beginning with the analysis of a Trojan by Microsoft.
On May 11, Microsoft Security Intelligence published a Twitter thread outlining a campaign targeting the “aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.”
The operator of this campaign used email spoofing to pretend to be legitimate organizations in these industries, and an attached .PDF file included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine.
According to Microsoft, the malware was used to spy on victims as well as to exfiltrate data including credentials, screenshots, clipboard, and webcam data.
Microsoft’s security team has been monitoring the campaign, and now, Cisco Talos has also contributed its findings on the operation.
Cisco Talos researchers Tiago Pereira and Vitor Ventura published a blog post on Thursday documenting the scheme, dubbed “Operation Layover,” which has now been linked to an actor that has been active since at least 2013 — and has been targeting aviation for at least two years.
In addition to Microsoft’s investigation, the cybersecurity company has established connections between this threat actor to campaigns against other sectors, spanning over the past five years.
When it comes to aviation targets, sample emails containing malicious .PDFs were very similar to those obtained by Microsoft. The emails and .PDF attachments are aviation-themed, with mentions of trip itineraries, flight routing, private jets, quotes, charter requests, cargo details, and more.
Based on passive DNS telemetry, the team believes the threat actor is located in Nigeria, due to 73% of IPs connected to hosts, domains, and the attacks at large originate from this country. Pseudonyms appear to include the handle “Nassief2018” on hacking forums, as well as the monikers “bodmas” and “kimjoy.”
The cybercriminal started by using the off-the-shelf CyberGate malware and does not appear to have gone beyond commercially available code since. The threat actor has also been linked to crypter purchases from online forums, email addresses, and phone numbers, although these findings have not been verified.
CyberGate has since been replaced with AsyncRAT in recent campaigns, with over 50 samples detected that are communicating with a command-and-control (C2) server used by the threat actor. As of now, eight more domains linked to AsyncRAT deployment have been detected, the majority of which were registered over 2021.
RevengeRAT and AsyncRAT, however, are not the only brands of malware in use. One domain spotted by the team also indicates that the operator is using a variant of njRAT in cyberattacks.
“Actors that perform smaller attacks can keep doing them for a long period of time under the radar,” Cisco Talos says. “However, their activities can lead to major incidents at large organizations. These are the actors that feed the underground market of credentials and cookies, which can then be used by larger groups on activities like big game hunting.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
Stay connected with us on social media platform for instant update click here to join our Twitter, & Facebook
We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.
Denial of responsibility! NewsAzi is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.
