Thursday, March 28, 2024

Hackers Attack Aviation Industry With AsyncRAT to Steal Login Credentials

Cisco Talos has detected and published a series of malicious campaigns recently along with many other security researchers that are continuously targeting the aviation industry. 

This campaign is continuously targeting the aerospace and travel sectors along with spear-phishing emails that spread an actively exploited loader, and later it also delivers RevengeRAT or AsyncRAT.

The threat actors of this campaign used email spoofing to represent themselves to be legitimate companies in these industries, and an attached “.PDF” file inserted with an enclosed link, that is carrying a malicious VBScript that will later separate the Trojan payloads on a target machine.

Driven by an Initial Access Broker Boom

The main motive of the threat actors is to steal the credentials and cookies, which the attacker can contribute to more technically savvy cybercriminals. 

However, this kind of threat actors uses them for initial access in much larger attacks that also involved ransomware or business email compromise (BEC).

Here the attackers generally gather access to vulnerable companies and then sell all the data to the highest bidder on the Dark Web. And this kind of data gives rise to a ransomware-as-a-service.

Aviation campaign

After detecting the campaign, the security analysts took it very seriously after a tweet from Microsoft describing new attacks that they have detected using AsyncRAT. 

During the Cisco Talos investigation, they have looked at the domain Microsoft Security Intelligence that is mentioned, kimjoy[.]ddns[.]net. 

There is a brief picture that will help the users to know the several links that are revealed between the campaigns, domains, IPs, and the important point that is being said by the researchers is that the threat actors of all these campaigns might be associated with each other.

Domains used

Here’s the list of domains abused by the operators of this malware campaign:-

  • nextboss[.]ddns[.]net
  • e29rava[.]ddns[.]net
  • frankent2021[.]ddns[.]net
  • shugardaddy[.]ddns[.]net
  • 8970[.]ddns[.]net
  • exchangexe2021[.]ddns[.]net
  • hoc2021[.]ddns[.]net
  • jorigt95[.]ddns[.]net
  • bodmas[.]linkpc[.]net
  • groups[.]us[.]to

Airline Attacks Not Likely to Be Indoctrinated

The co-Founder, and CTO of BreachQuest, Jake Williams said:-

“The cookies and credentials might be the main “gets” for now, there’s an opening for worse attacks down the line in this kind of campaign.”

But, there are many different countries that run nationalized airlines and can profit from internal operations data, that’s why they are effectively learning from the mistakes of their competitors.

Profiling

During the actors profiling three main things are to be kept in mind, that we have mentioned below:-

  • Avatars and Pseudonyms
  • Geographical location
  • Social profiles

There are several threat actors, that might have some limited technical information but they are still capable to operate RATs or information-stealers, pretending to be a significant risk to large companies.

So, these kinds of small operations manage to fly under the radar, and even after publication, the threat actors who are behind them won’t stop their activity.

You can found the complete IOC list here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles