
RevengeRAT and AsyncRAT target aerospace and travel sectors


Microsoft Security Intelligence tweeted earlier this week that it has been tracking a campaign of remote access trojans (RATs) targeting the aerospace and travel industries with spear-phishing emails. The emails distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.

The tweet thread also noted that attackers use the RATs for data theft, follow-on activity and additional payloads, including Agent Tesla, which they use for data exfiltration. Morphisec has dubbed the loader, which is under active development, Snip3.

These campaigns come as no surprise, especially as we exit lockdown and people are traveling again, making the travel industry a highly lucrative target, said Chris Morales, chief information security officer at Netenrich.

“The level of targeting is also a reason why it’s so hard to detect attacks,” Morales said. “They change and are tailored. SecOps has to align with threats targeting their organizations specifically and not look for generic threats.”

Dirk Schrader, global vice president, security research, at New Net Technologies, said he expects to see sector-oriented spear-phishing campaigns as we come out of the pandemic.

“Using familiar language and terminology can help in the effectiveness of a targeted campaign,” Schrader said. “It’s not shocking that attackers are targeting the transport sector as the sector is about to come back to life. Therefore, a well-crafted campaign addressing this situation is even better.”

Roger Grimes, data driven defense evangelist at KnowBe4, added that when the attackers break into one industry firm, they can read their emails and use the newly compromised place as a “cyberhaven” to attack their partners.

“The emails come from people and email addresses the new victims trust, using email subject threads they have participated in,” Grimes said. “So, when the request to click on a link or open a document comes unexpectedly, there’s a far higher chance that the new victim will fall for the scam. That’s why all employees need to learn that phishing emails could come from people they know and trust, and simply relying on an email address, whether they recognize it or not, isn’t enough.”

Grimes said security awareness training should teach users to beware of emails with the following traits:

  • Emails that arrive unexpectedly.
  • An email that asks users to do something brand new the sender has never asked them to do before.
  • An email that requests an action that could be harmful to their own or their organization’s best interest.

“If any two of those traits are present, the recipient should slow down, stop, think and verify the request another way, like calling the person on a predefined phone number,” Grimes said.
