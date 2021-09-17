



Researchers have unmasked a long-running campaign against the aviation industry, starting with Microsoft's analysis of a Trojan. On May 11, Microsoft Security Intelligence published a Twitter thread describing a campaign targeting the "aerospace and travel industries with phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT". The operator of this campaign used email spoofing to impersonate legitimate organizations in these industries, and an attached .PDF file included an embedded link containing malicious VBScript that would then drop Trojan payloads on a target machine. According to Microsoft, the malware was used to spy on victims as well as to exfiltrate data, including credentials, screenshots, clipboard contents, and webcam data.

Microsoft's security team monitored the campaign, and now Cisco Talos has also contributed its findings on the operation. Cisco Talos researchers Tiago Pereira and Vitor Ventura published a blog post on Thursday documenting the program, dubbed "Operation Layover," which is now linked to an actor active since at least 2013 and targeting aviation for at least two years. In addition to Microsoft's investigation, the cybersecurity firm has made connections between this threat actor and campaigns against other industries spanning the past five years.

When it comes to aviation targets, the sample emails with malicious PDF files were very similar to those obtained by Microsoft. The emails and .PDF attachments are aviation themed, with mentions of travel itineraries, flight routes, private jets, quotes, charter requests, freight details, and so on. Based on passive DNS telemetry, the team believes the threat actor is located in Nigeria, as 73% of the IP addresses connected to the hosts, domains, and attacks in general are from that country. The actor's handles appear to include "Nassief2018" on hacking forums, as well as "bodmas" and "kimjoy".

The cybercriminal started out using CyberGate malware and does not appear to have gone beyond commercially available code since. The threat actor has also been linked to crypter purchases from online forums, as well as to email addresses and phone numbers, although these findings have not been verified. CyberGate has since been replaced by AsyncRAT in recent campaigns, with over 50 samples detected that communicate with a command and control (C2) server used by the threat actor. To date, eight other domains related to AsyncRAT deployment have been detected, the majority of which were registered in 2021.

RevengeRAT and AsyncRAT, however, are not the only families of malware used. A domain spotted by the team also indicates that the operator is using a variant of njRAT in its attacks.

"Actors who perform smaller attacks may continue to do them for a long time under the radar," says Cisco Talos. "However, their activities can lead to major incidents in large organizations. These are the players who fuel the underground market for credentials and cookies, which can then be used by larger groups for activities like big game hunting."

