Microsoft has issued an alert over a remote access tool (RAT) dubbed RevengeRAT that it says has been used to target aerospace and travel sectors with spear-phishing emails.
RevengeRAT, also known as AsyncRAT, is being distributed via carefully crafted email messages that prompt employees to open a file masquerading as an Adobe PDF file attachment that in fact downloads a malicious Visual Basic (VB) file.
Security firm Morphisec recently flagged the two RATs as part of a sophisticated Crypter-as-a-Service that delivers multiple RAT families.
According to Microsoft, the phishing emails distribute a loader that then delivers RevengeRAT or AsyncRAT. Morphisec says it also delivers the RAT Agent Tesla.
“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” Microsoft said.
Morphisec named the crypter service “Snip3” based on a username taken from the malware it found across earlier variants.
Snip3 has been configured to not load a RAT if it detects it’s being executed within the Windows Sandbox – a virtual machine security feature Microsoft introduced in 2018. The Windows Sandbox is meant to allow advanced users to run potentially malicious executables within a safe sandbox that won’t affect the host operating system.
“If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments,” Morphisec notes.
“If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload.”
But if the RATs are installed, they connect to a command and control (C2) server and download more malware from paste sites like pastebin.com.
They’re not good to find on any system, as the RATs are known to steal credentials, video and images from a webcam and anything that’s been copied to the system clipboard for pasting elsewhere.
“The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites,” Microsoft Security Intelligence said.
“The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587.”
Microsoft has published on GitHub some advanced hunting queries that security teams can use if they detect these threats on their network.
Its open-sourced threat-intelligence information to date includes keywords linked to Snip3 phishing emails that target the aviation sector, as well as a query that looks for a function call to a method named DetectSandboxie.
“This method is used in RevengeRAT and AsyncRAT instances involved in a campaign targeting the aviation industry, first observed in 2021. It has also been associated in the past with other malware, such as WannaCry and QuasarRAT,” Microsoft notes.
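The behaviours Microsoft describes above (the DetectSandboxie call, PowerShell fetching from paste sites, and SMTP traffic on port 587 from an injected utility process) can be correlated per host. The following is an added example, not Microsoft's published hunting queries; the event field names and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the article; event field names below are assumptions.
SANDBOX_CHECK = re.compile(r"\bDetectSandboxie\b", re.IGNORECASE)
INJECTION_TARGETS = {"regasm.exe", "installutil.exe"}  # two of the processes named
PASTE_SITES = ("pastebin.com",)
SMTP_SUBMISSION_PORT = 587

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "powershell", "process": "powershell.exe",
     "command": "if (DetectSandboxie) { exit }"},
    {"host": "ws-01", "type": "network", "process": "powershell.exe",
     "domain": "pastebin.com", "port": 443},
    {"host": "ws-01", "type": "network", "process": "RegAsm.exe",
     "domain": "mail.example.net", "port": 587},
    {"host": "ws-02", "type": "network", "process": "outlook.exe",
     "domain": "mail.example.net", "port": 587},   # ordinary mail client
    {"host": "ws-03", "type": "network", "process": "powershell.exe",
     "domain": "notpastebin.com", "port": 443},    # look-alike, must not match
    {"host": "ws-03", "type": "network", "process": "powershell.exe",
     "domain": "pastebin.com", "port": 443},       # single behaviour only
]

def classify(event):
    """Return the behaviour label an event matches, or None."""
    proc = event.get("process", "").lower()
    if event.get("type") == "powershell":
        return "sandbox_check" if SANDBOX_CHECK.search(event.get("command", "")) else None
    if event.get("type") != "network":
        return None
    domain = event.get("domain", "").lower().rstrip(".")
    on_paste_site = any(domain == s or domain.endswith("." + s) for s in PASTE_SITES)
    if proc == "powershell.exe" and on_paste_site:
        return "paste_site_download"
    if proc in INJECTION_TARGETS and event.get("port") == SMTP_SUBMISSION_PORT:
        return "smtp_from_dotnet_utility"
    return None

def hunt(events, min_behaviours=2):
    """Report hosts that show at least min_behaviours distinct behaviours."""
    seen = defaultdict(set)
    for event in events:
        label = classify(event)
        if label:
            seen[event["host"]].add(label)
    return {h: sorted(v) for h, v in seen.items() if len(v) >= min_behaviours}
```

Requiring two or more distinct behaviours keeps a single paste-site visit or a normal mail client on port 587 from raising a host on its own.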
WannaCry ransomware spread rapidly across the world in mid-2017 and was attributed to North Korean hackers. QuasarRAT was used in 2018 to steal credentials from the Ukrainian government.