Posted on 05/13/2021 7:22:23 AM PDT by ShadowAce
Microsoft has issued an alert over a remote access tool (RAT) dubbed RevengeRAT that it says has been used to target aerospace and travel sectors with spear-phishing emails.
RevengeRAT, also known as AsyncRAT, is being distributed via carefully crafted email messages that prompt employees to open a file masquerading as an Adobe PDF file attachment that in fact downloads a malicious Visual Basic (VB) file.
Security firm Morphisec recently flagged the two RATs as part of a sophisticated Crypter-as-a-Service that delivers multiple RAT families.
According to Microsoft, the phishing emails distribute a loader that then delivers RevengeRAT or AsyncRAT. Morphisec says it also delivers the RAT Agent Tesla.
"The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads," Microsoft said.
Morphisec named the cryptor service "Snip3" based on a username taken from the malware it found across earlier variants.
Snip3 has been configured to not load a RAT if it detects it's being executed within the Windows Sandbox – a virtual machine security feature Microsoft introduced in 2018. The Windows Sandbox is meant to allow advanced users to run potentially malicious executables within a safe sandbox that won't affect the host operating system.
"If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments," Morphisec notes.
"If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload."
But if the RATs are installed, they connect to a command and control (C2) server and download more malware from paste sites like pastebin.com.
They're not good to find on any system, as the RATs are known to steal credentials, video and images from a webcam and anything that's been copied to the system clipboard for pasting elsewhere.
"The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites," Microsoft Security Intelligence said.
"The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587."
Microsoft has published on GitHub some advanced hunting queries that security teams can use if they detect these threats on their network.
Its open-sourced threat-intelligence information to date includes keywords linked to Snip3 phishing emails that target the aviation sector as well as a query that looks for a function call to a method named DetectSandboxie.
"This method is used in RevengeRAT and AsyncRAT instances involved in a campaign targeting the aviation industry, first observed in 2021. It has also been associated in the past with other malware, such as WannaCry and QuasarRAT," Microsoft notes.
WannaCry ransomware spread rapidly across the world in mid-2017 and was attributed to North Korean hackers. QuasarRAT was used in 2018 to steal credentials from the Ukrainian government.
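As an added illustration of the hunting approach the article describes (this is example code, not Microsoft's published GitHub queries and not part of the original post), the Python below runs a small indicator pass over constructed process and script events: it decodes an encoded PowerShell command line before matching, since the article notes the stages are fetched by UTF-8-encoded PowerShell, and it flags the DetectSandboxie method, pastebin.com stage downloads and the injection targets named above. The event format and sample lines are invented for the example.

```python
import base64
import re
# Indicators taken from the article: a method named DetectSandboxie, PowerShell
# pulling later stages from pastebin.com, and injection into RegAsm / InstallUtil /
# RevSvcs. The "key=value" event format is invented here, not a real EDR schema.
ENC_RX = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
INDICATORS = [
    ("sandbox-check-method", re.compile(r"\bDetectSandboxie\b")),
    ("paste-site-stage-download", re.compile(r"powershell.*pastebin\.com", re.I | re.S)),
    ("injection-target", re.compile(r"\b(?:RegAsm|InstallUtil|RevSvcs)\.exe\b", re.I)),
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' when there is none.
    PowerShell normally expects base64 of UTF-16LE text, but the article describes
    UTF-8-encoded PowerShell, so both are tried; printable ASCII wins (a heuristic)."""
    m = ENC_RX.search(cmdline)
    if not m:
        return ""
    raw = base64.b64decode(m.group(1))
    for codec in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if text.isascii() and text.isprintable():
            return text
    return ""

def hunt(events):
    """Return (event_no, indicator, evidence) for every hit; encoded command lines are decoded first."""
    hits = []
    for n, ev in enumerate(events, 1):
        decoded = decode_encoded_command(ev)
        text = ev + "\n" + decoded
        for name, rx in INDICATORS:
            if rx.search(text):
                hits.append((n, name, decoded or ev))
    return hits

# Constructed sample events (not from a real incident); the pastebin URL is a placeholder.
B64_UTF8 = base64.b64encode(b"Invoke-WebRequest -Uri https://pastebin.com/raw/PLACEHOLDER").decode()
B64_UTF16 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    "proc=wscript.exe cmd=wscript.exe C:\\Users\\a\\Downloads\\Flight-Details.vbs",
    "proc=powershell.exe cmd=powershell.exe -nop -w hidden -enc " + B64_UTF8,
    "script=stage2.ps1 body=... if (DetectSandboxie) { exit } ...",
    "proc=InstallUtil.exe parent=wscript.exe cmd=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe",
    "proc=powershell.exe cmd=powershell.exe -EncodedCommand " + B64_UTF16,
]
```

The last event (a UTF-16LE-encoded `Get-Date`) is a benign control: it decodes cleanly but produces no hit, while the .vbs launch alone is not flagged because the article's indicators concern the later stages.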
Odd, that’s what the government does..................
I think I received an e-mail with this a few days ago. Since I didn’t know the sender I deleted it without opening the pdf attachment.
Ping.
Are they warning us about Google? Isn’t that a bit late?
That’s a great practice.
Additional info in your earlier thread "New DNS vulnerabilities have the potential to impact millions of devices":
https://freerepublic.com/focus/chat/3950499/posts
And the name of it is Windows10
What, hypothetically, would need to happen before people started to recognize use of Microsoft software in critical applications as a national security risk? Oh, I don’t know, pipelines, for example.
I'm fairly certain no one is coming to my door to evict me from my home and property.
I will die as an owner.
IF my stolen data is used in an election plot ... I'm not alone and it will never be repaired .. (Look at 2020 and now the Arizona re-count)
NO, imo ... the credit scam fear is another rarely devastating (I'm sure there are some) event that gets more ink and air than what it deserves.
Thanks to Army Air Corps for the ping!
I get weird emails from people I don’t know telling me they know my Paypal, eBay, Amazon, whatever account or credit card has been ‘hacked’.................I don’t have any of those........
Ignore/discard all such emails. They’re phishing.
I do. Their English is the dead giveaway.................
We also get the scam phone calls. They freak my wife out.............
Yep I do too.
But I figure, it beats heck out of random door-to-door salesmen.
Get the scam phone calls, that is. Not freak out. I'm WAY past the freakout point, nothing fazes me.
If I don’t know the sender, I also delete any attachments. Or Norton 360 Premium and/or MalwareBytes Premium sniffs it and quarantines it for me.
We get those too, college age kids selling magazine subscriptions, solar panel salesmen, lawn services, Jehovah’s Witnesses, Mormon missionaries, etc!...................