Cybersecurity news has been dominated in recent days by the fallout from the Russian ransomware gang you’ve no doubt heard about by now, the one that hacked the IT network of a major US fuel pipeline and sent US national security officials scrambling. We will be reeling from the effects of this attack, one way or another, for a long time to come, while a slew of additional new threats keeps security professionals busy on multiple fronts.
Microsoft in recent days sent out an alert about one such threat: a remote access tool called RevengeRAT that, according to Microsoft, is being used against the aerospace and travel industries via spear-phishing emails. This particular threat is delivered via an email designed to fool the recipient into thinking it’s genuine and thus opening it, along with an attached Adobe PDF file that goes on to download a malicious file.
Microsoft goes on to explain that attackers use these kinds of remote access Trojans for everything from data theft and follow-on activity to the delivery of additional attack payloads used for data exfiltration. “The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo,” explains Microsoft in a series of tweets about this threat. “An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.”
In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.
— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021
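A mail-gateway triage check for the lure Microsoft describes, added here as an example (not Microsoft’s or Morphisec’s code): it flags an attachment declared as PDF whose bytes are really an image, and an image in the HTML body that is itself a clickable external link. The message, addresses and URL it runs on are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of the formats the lure claims (PDF) or really carries (images).
MAGIC = {b"%PDF": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}


def sniff(data: bytes) -> str:
    """Identify a file from its magic bytes, ignoring its declared name/type."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")


def triage_message(raw: bytes) -> list[str]:
    """Return findings for two lure traits: a 'PDF' attachment whose bytes are an
    image, and an image in the HTML body that is wrapped in an external link."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        claims_pdf = (part.get_content_type() == "application/pdf"
                      or name.lower().endswith(".pdf"))
        actual = sniff(part.get_payload(decode=True) or b"")
        if claims_pdf and actual != "pdf":
            findings.append(f"attachment {name!r} claims PDF but is {actual}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        # An <img> directly inside <a href="http(s)://..."> is a clickable picture,
        # the shape of the "image posing as a PDF" that carries the download link.
        pattern = r'<a[^>]+href="(https?://[^"]+)"[^>]*>\s*<img'
        for href in re.findall(pattern, body.get_content(), re.I | re.S):
            findings.append(f"image-only link to {href}")
    return findings


def build_sample() -> bytes:
    """Constructed message shaped like the described lure; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "ops@cargo-example.invalid"  # constructed sender and recipient
    msg["To"] = "dispatch@airline-example.invalid"
    msg["Subject"] = "Cargo manifest"
    msg.set_content("Manifest attached.")
    msg.add_alternative(
        '<p>Manifest attached.</p>'
        '<a href="https://files.example.invalid/manifest"><img src="cid:pdf-icon"></a>',
        subtype="html",
    )
    # Declared as application/pdf, but the bytes start with a PNG header.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\0" * 16, maintype="application",
                       subtype="pdf", filename="Manifest.pdf")
    return msg.as_bytes()
```

Running `triage_message(build_sample())` yields one finding per trait; on real mail, either finding alone is a reason to hold the message for review rather than a verdict.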
These kinds of Trojans steal content such as user login credentials and webcam images, along with anything copied to the system clipboard. Another point to note: the malicious executable content at the center of this threat campaign is a loader called Snip3. Security firm Morphisec has also pointed out another feature of Snip3: if it finds that “the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments”, the script terminates without loading the Trojan.
The method used to get this attack running, by the way, remains incredibly popular among hackers, partly because of how easy it is to trick at least one person within an organization or enterprise into clicking on a file from a dodgy email that has been dressed up to appear genuine. I’ve also read some unconfirmed reports that a sketchy email with a malicious file attached may have been what kicked off the Colonial Pipeline attack in recent days, which allowed the DarkSide ransomware gang to steal some 100GB of files from the pipeline company’s IT network and then lock that network down until a nearly $5 million ransom was paid.