Thursday, December 5, 2024
HomeCyber Security NewsHackers Attack Aviation Industry With AsyncRAT to Steal Login Credentials

Hackers Attack Aviation Industry With AsyncRAT to Steal Login Credentials

Published on

SIEM as a Service

Cisco Talos has detected and published a series of malicious campaigns recently along with many other security researchers that are continuously targeting the aviation industry. 

This campaign is continuously targeting the aerospace and travel sectors along with spear-phishing emails that spread an actively exploited loader, and later it also delivers RevengeRAT or AsyncRAT.

The threat actors of this campaign used email spoofing to represent themselves to be legitimate companies in these industries, and an attached “.PDF” file inserted with an enclosed link, that is carrying a malicious VBScript that will later separate the Trojan payloads on a target machine.

- Advertisement - SIEM as a Service

Driven by an Initial Access Broker Boom

The main motive of the threat actors is to steal the credentials and cookies, which the attacker can contribute to more technically savvy cybercriminals. 

However, this kind of threat actors uses them for initial access in much larger attacks that also involved ransomware or business email compromise (BEC).

Here the attackers generally gather access to vulnerable companies and then sell all the data to the highest bidder on the Dark Web. And this kind of data gives rise to a ransomware-as-a-service.

Aviation campaign

After detecting the campaign, the security analysts took it very seriously after a tweet from Microsoft describing new attacks that they have detected using AsyncRAT. 

During the Cisco Talos investigation, they have looked at the domain Microsoft Security Intelligence that is mentioned, kimjoy[.]ddns[.]net. 

There is a brief picture that will help the users to know the several links that are revealed between the campaigns, domains, IPs, and the important point that is being said by the researchers is that the threat actors of all these campaigns might be associated with each other.

Domains used

Here’s the list of domains abused by the operators of this malware campaign:-

  • nextboss[.]ddns[.]net
  • e29rava[.]ddns[.]net
  • frankent2021[.]ddns[.]net
  • shugardaddy[.]ddns[.]net
  • 8970[.]ddns[.]net
  • exchangexe2021[.]ddns[.]net
  • hoc2021[.]ddns[.]net
  • jorigt95[.]ddns[.]net
  • bodmas[.]linkpc[.]net
  • groups[.]us[.]to

Airline Attacks Not Likely to Be Indoctrinated

The co-Founder, and CTO of BreachQuest, Jake Williams said:-

“The cookies and credentials might be the main “gets” for now, there’s an opening for worse attacks down the line in this kind of campaign.”

But, there are many different countries that run nationalized airlines and can profit from internal operations data, that’s why they are effectively learning from the mistakes of their competitors.

Profiling

During the actors profiling three main things are to be kept in mind, that we have mentioned below:-

  • Avatars and Pseudonyms
  • Geographical location
  • Social profiles

There are several threat actors, that might have some limited technical information but they are still capable to operate RATs or information-stealers, pretending to be a significant risk to large companies.

So, these kinds of small operations manage to fly under the radar, and even after publication, the threat actors who are behind them won’t stop their activity.

You can found the complete IOC list here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...