Malware attack on aviation sector uncovered after going unnoticed for 2 Years

A targeted phishing campaign aimed at the aviation industry for two years may be spearheaded by a threat actor operating out of Nigeria, highlighting how attackers can carry out small-scale cyber offensives for extended periods of time while staying under the radar.

Researchers at Cisco Talos dubbed the malware attacks “Operation Layover,” building on previous research from the Microsoft Security Intelligence team in May 2021 that delved into a “dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.”  They also found that the actor buys the crypters that allow the usage of such malware without being detected, which they believe were mostly purchased through malicious forums.

“The actor […] doesn’t seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware,” researchers Tiago Pereira and Vitor Ventura said. “The actor also buys the crypters that allow the usage of such malware without being detected, throughout the years it has used several different cryptors, mostly bought on online forums.”

The attacks involve emails containing specific lure documents centred around the aviation or cargo industry that purport to be PDF files but link to a VBScript file hosted on Google Drive, which ultimately leads to the delivery of remote access trojans (RATs) like AsyncRAT and njRAT, leaving organizations vulnerable to an array of security risks.

“Many actors can have limited technical knowledge but still be able to operate RATs or information-stealers, posing a significant risk to large corporations given the right conditions,” the researchers said. “In this case, […] what seemed like a simple campaign is, in fact, a continuous operation that has been active for three years, targeting an entire industry with off-the-shelf malware disguised with different crypters.”

While this campaign was simplistic in its operation, it highlights how lower-level actors can pass under the radar for an extended period using “off the shelf-tools”. This report also shows some of the OSINT techniques used by researchers to reveal the extent of the operation.

New-school security awareness training with realistic simulated phishing emails can enable your employees to thwart these phishing attacks.

With thanks to the Cyber Defence Alliance and The Hacker News. The full story is here: https://thehackernews.com/2021/09/malware-attack-on-aviation-sector.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here’s how it works:

• Immediately start your test for up to 100 users (no need to talk to anyone)
• Select from 20+ languages and customize the phishing test template based on your environment
• Choose the landing page your users see after they click
• Show users which red flags they missed, or a 404 page
• Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
• See how your organization compares to others in your industry

PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW