Security News > 2021 > May > Microsoft Warns of Attacks on Aerospace, Travel Sectors
Organizations in the aerospace and travel sectors have been targeted in the past months in a campaign aimed at infecting victims with remote access Trojans and other types of malware, Microsoft warns.
The attacks start with spear-phishing messages that employ lures relevant to the targeted organizations, such as aviation, travel, and cargo, and deliver an image that pretends to be a PDF file and which contains an embedded link.
The attackers abuse legitimate web services and they leverage a newly identified loader dubbed Snip3 for the delivery of RATs.
The final payload in these attacks is typically RevengeRAT or AsyncRAT, but additional payloads were observed as well, including Agent Tesla and NetWire RAT. The main purpose of the attacks appears to be data harvesting and exfiltration.
"The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites," Microsoft says.
"They steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrate data often via SMTP Port 587," the tech giant also notes.