Cisco Talos has detected and published a series of malicious campaigns recently along with many other security researchers that are continuously targeting the aviation industry.
This campaign is continuously targeting the aerospace and travel sectors along with spear-phishing emails that spread an actively exploited loader, and later it also delivers RevengeRAT or AsyncRAT.
The threat actors of this campaign used email spoofing to represent themselves to be legitimate companies in these industries, and an attached “.PDF” file inserted with an enclosed link, that is carrying a malicious VBScript that will later separate the Trojan payloads on a target machine.
Driven by an Initial Access Broker Boom
The main motive of the threat actors is to steal the credentials and cookies, which the attacker can contribute to more technically savvy cybercriminals.
However, this kind of threat actors uses them for initial access in much larger attacks that also involved ransomware or business email compromise (BEC).
Here the attackers generally gather access to vulnerable companies and then sell all the data to the highest bidder on the Dark Web. And this kind of data gives rise to a ransomware-as-a-service.
Aviation campaign
After detecting the campaign, the security analysts took it very seriously after a tweet from Microsoft describing new attacks that they have detected using AsyncRAT.
During the Cisco Talos investigation, they have looked at the domain Microsoft Security Intelligence that is mentioned, kimjoy[.]ddns[.]net.
There is a brief picture that will help the users to know the several links that are revealed between the campaigns, domains, IPs, and the important point that is being said by the researchers is that the threat actors of all these campaigns might be associated with each other.
Domains used
Here’s the list of domains abused by the operators of this malware campaign:-
- nextboss[.]ddns[.]net
- e29rava[.]ddns[.]net
- frankent2021[.]ddns[.]net
- shugardaddy[.]ddns[.]net
- 8970[.]ddns[.]net
- exchangexe2021[.]ddns[.]net
- hoc2021[.]ddns[.]net
- jorigt95[.]ddns[.]net
- bodmas[.]linkpc[.]net
- groups[.]us[.]to
Airline Attacks Not Likely to Be Indoctrinated
The co-Founder, and CTO of BreachQuest, Jake Williams said:-
“The cookies and credentials might be the main “gets” for now, there’s an opening for worse attacks down the line in this kind of campaign.”
But, there are many different countries that run nationalized airlines and can profit from internal operations data, that’s why they are effectively learning from the mistakes of their competitors.
Profiling
During the actors profiling three main things are to be kept in mind, that we have mentioned below:-
- Avatars and Pseudonyms
- Geographical location
- Social profiles
There are several threat actors, that might have some limited technical information but they are still capable to operate RATs or information-stealers, pretending to be a significant risk to large companies.
So, these kinds of small operations manage to fly under the radar, and even after publication, the threat actors who are behind them won’t stop their activity.
You can found the complete IOC list here.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates