
Beware: This new malware can steal your passwords and hijack your webcam

Published May 18th, 2021 9:00AM EDT
Cybersecurity news


Cybersecurity news has been dominated in recent days by the fallout from the Russian ransomware gang you’ve no doubt heard about by now, the one that hacked the IT network of a major US fuel pipeline and sent US national security officials scrambling. We will be reeling from the effects of this attack, one way or another, for a long time to come. Meanwhile, a slew of additional new threats and cybersecurity news is keeping security professionals busy on multiple fronts.

Microsoft in recent days sent out an alert about one such threat — a remote access Trojan called RevengeRAT that attackers appear to be using to target the aerospace and travel industries with spear-phishing emails. This particular threat is delivered via an email designed to fool the recipient into thinking it’s genuine and thus opening it, along with an attached Adobe PDF file that goes on to download a malicious file.

Microsoft goes on to explain that attackers use these kinds of remote access Trojans for everything from data theft to follow-on activity, as well as the delivery of additional attack payloads that are used for data exfiltration. “The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo,” explains Microsoft in a series of tweets about this threat. “An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.”
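The lure Microsoft describes has two properties a mail gateway or analyst script can check for without any signature: an attachment whose name says PDF while its bytes say image, and a link whose target is a VBScript file. The following is an added example, not code from Microsoft or from the article; the attachment bytes and URLs it inspects are constructed samples, and the magic-byte table covers only the formats relevant to this lure.

```python
"""Triage heuristics for the RevengeRAT-style lure described above.

Two checks: (1) does an attachment's declared extension disagree with
its actual content type (an image posing as a PDF), and (2) does any
link in the message fetch a VBScript file?  Added example; all sample
inputs are constructed.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Leading bytes that identify the file types this lure plays with.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_TYPES = {"png", "jpeg", "gif"}
EXT_TO_TYPE = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe")  # plain and encoded VBScript


def sniff_type(data: bytes) -> str:
    """Identify the content type from its leading bytes, ignoring the filename."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def declared_type(filename: str) -> str:
    """What the filename extension claims the file is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "unknown")


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Flag attachments whose extension and content disagree."""
    findings = []
    claimed, actual = declared_type(filename), sniff_type(data)
    if claimed == "pdf" and actual in IMAGE_TYPES:
        findings.append(f"{filename}: named as PDF but content is {actual} (image posing as PDF)")
    elif claimed != "unknown" and actual != "unknown" and claimed != actual:
        findings.append(f"{filename}: extension says {claimed}, content is {actual}")
    return findings


def inspect_links(urls: list[str]) -> list[str]:
    """Flag links whose URL path points at a VBScript file."""
    findings = []
    for url in urls:
        path = urlparse(url).path.lower()
        if path.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"{url}: link fetches a VBScript file")
    return findings


def triage(attachments: list[tuple[str, bytes]], urls: list[str]) -> list[str]:
    """Run both checks over one message and return all findings."""
    findings = []
    for name, data in attachments:
        findings.extend(inspect_attachment(name, data))
    findings.extend(inspect_links(urls))
    return findings


# Constructed sample message: one PNG dressed up as a PDF, one real PDF,
# one link to a .vbs and one benign link.
SAMPLE_ATTACHMENTS = [
    ("flight_itinerary.pdf", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
]
SAMPLE_URLS = [
    "https://example.com/shared/itinerary.vbs",
    "https://example.com/shared/itinerary.pdf",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_ATTACHMENTS, SAMPLE_URLS):
        print(line)
```

Content sniffing is the important half: a filename or a Content-Type header is whatever the sender chose, while the leading bytes are what the recipient's application will actually open. The link check is deliberately narrow (path extension only), because the article notes the links abuse legitimate web services, so blocking by hostname would not help.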

These kinds of Trojans steal content such as user login credentials and webcam images, along with anything that has been copied to the system clipboard. Another point to note: the malicious executable content at the center of this threat campaign is a loader called Snip3. Security firm Morphisec has also pointed out another feature of Snip3 — if “the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments” and it identifies one of those virtual machine environments, the script terminates without loading the Trojan, so the sample looks harmless when detonated in an analysis sandbox.

The method used to get this attack running, by the way, remains incredibly popular among attackers, partly because of how easy it is to trick at least one person within an organization or enterprise into clicking on a file from a dodgy email that has been dressed up to appear genuine. I’ve also read some unconfirmed reports that a sketchy email with a malicious file attached may have been what kicked off the Colonial Pipeline attack in recent days, which allowed the DarkSide ransomware gang to steal some 100GB of files from the pipeline company’s IT network and then lock that network down until a nearly $5 million ransom was paid.

Andy Meek, Trending News Editor

Andy Meek is a reporter based in Memphis who has covered media, entertainment, and culture for over 20 years. His work has appeared in outlets including The Guardian, Forbes, and The Financial Times, and he’s written for BGR since 2015. Andy's coverage includes technology and entertainment, and he has a particular interest in all things streaming.

Over the years, he’s interviewed legendary figures in entertainment and tech that range from Stan Lee to John McAfee, Peter Thiel, and Reed Hastings.