Friday, November 15, 2024
HomeCyber Security NewsHackers Attack Aviation Industry With AsyncRAT to Steal Login Credentials

Hackers Attack Aviation Industry With AsyncRAT to Steal Login Credentials

Published on

Cisco Talos has detected and published a series of malicious campaigns recently along with many other security researchers that are continuously targeting the aviation industry. 

This campaign is continuously targeting the aerospace and travel sectors along with spear-phishing emails that spread an actively exploited loader, and later it also delivers RevengeRAT or AsyncRAT.

The threat actors of this campaign used email spoofing to represent themselves to be legitimate companies in these industries, and an attached “.PDF” file inserted with an enclosed link, that is carrying a malicious VBScript that will later separate the Trojan payloads on a target machine.

- Advertisement - SIEM as a Service

Driven by an Initial Access Broker Boom

The main motive of the threat actors is to steal the credentials and cookies, which the attacker can contribute to more technically savvy cybercriminals. 

However, this kind of threat actors uses them for initial access in much larger attacks that also involved ransomware or business email compromise (BEC).

Here the attackers generally gather access to vulnerable companies and then sell all the data to the highest bidder on the Dark Web. And this kind of data gives rise to a ransomware-as-a-service.

Aviation campaign

After detecting the campaign, the security analysts took it very seriously after a tweet from Microsoft describing new attacks that they have detected using AsyncRAT. 

During the Cisco Talos investigation, they have looked at the domain Microsoft Security Intelligence that is mentioned, kimjoy[.]ddns[.]net. 

There is a brief picture that will help the users to know the several links that are revealed between the campaigns, domains, IPs, and the important point that is being said by the researchers is that the threat actors of all these campaigns might be associated with each other.

Domains used

Here’s the list of domains abused by the operators of this malware campaign:-

  • nextboss[.]ddns[.]net
  • e29rava[.]ddns[.]net
  • frankent2021[.]ddns[.]net
  • shugardaddy[.]ddns[.]net
  • 8970[.]ddns[.]net
  • exchangexe2021[.]ddns[.]net
  • hoc2021[.]ddns[.]net
  • jorigt95[.]ddns[.]net
  • bodmas[.]linkpc[.]net
  • groups[.]us[.]to

Airline Attacks Not Likely to Be Indoctrinated

The co-Founder, and CTO of BreachQuest, Jake Williams said:-

“The cookies and credentials might be the main “gets” for now, there’s an opening for worse attacks down the line in this kind of campaign.”

But, there are many different countries that run nationalized airlines and can profit from internal operations data, that’s why they are effectively learning from the mistakes of their competitors.

Profiling

During the actors profiling three main things are to be kept in mind, that we have mentioned below:-

  • Avatars and Pseudonyms
  • Geographical location
  • Social profiles

There are several threat actors, that might have some limited technical information but they are still capable to operate RATs or information-stealers, pretending to be a significant risk to large companies.

So, these kinds of small operations manage to fly under the radar, and even after publication, the threat actors who are behind them won’t stop their activity.

You can found the complete IOC list here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for...

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin,...

CISA Warns of Actors Exploiting Two Palo Alto Networks Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert and added...

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for...

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin,...

CISA Warns of Actors Exploiting Two Palo Alto Networks Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert and added...