Microsoft has recently issued an alert about a new spear-phishing campaign that delivers the ‘RevengeRAT’ malware and has been actively targeting aerospace and travel organizations.
Microsoft warns of malicious RevengeRAT:
According to Microsoft, RevengeRAT, also known as AsyncRAT, is being deployed against the targeted organizations via spear-phishing emails.
The malware is apparently distributed using carefully crafted emails that urge the victim to open an attachment that appears to be an Adobe PDF but in reality installs a malicious Visual Basic file.
Security firm Morphisec recently detected the two RATs being delivered as part of a sophisticated Crypter-as-a-Service that deploys numerous RAT families.
Apart from deploying RevengeRAT via a loader, Morphisec also noted that the same spear-phishing emails deploy the Agent Tesla RAT.
“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” Microsoft explains.
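The lure Microsoft describes has a recognisable shape: an image dressed up as a PDF, wrapped in a link whose real target is a script file. The following Python is an added example (not code from the original article, Microsoft or Morphisec) of a mail-gateway check for exactly that shape. It parses a constructed sample message, collects every image that sits inside a link, and flags those whose URL path ends in a script extension. The sender, host names and file names in the samples are invented placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script types that a link dressed up as a document should never resolve to.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


class LinkedImageFinder(HTMLParser):
    """Collect every <img> that sits inside an <a href=...> element."""

    def __init__(self):
        super().__init__()
        self._open_href = None
        self.linked_images = []  # (href, image label) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open_href = attrs.get("href")
        elif tag == "img" and self._open_href:
            # Prefer the alt text: that is what the lure uses to claim "this is a PDF".
            label = attrs.get("alt") or attrs.get("src") or ""
            self.linked_images.append((self._open_href, label))

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None


def script_links_in_message(raw_eml: bytes) -> list:
    """Return linked images whose target URL path ends in a script extension."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:  # plain-text mail cannot carry an image-wrapped link
        return []
    finder = LinkedImageFinder()
    finder.feed(body.get_content())
    findings = []
    for href, label in finder.linked_images:
        parsed = urlparse(href)
        if parsed.path.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append({"href": href, "image_label": label, "host": parsed.hostname})
    return findings


# Constructed sample: an "image posing as a PDF" that links to a VBScript download.
LURE_EML = b"""From: ops@example-cargo.invalid
To: dispatch@example.invalid
Subject: Shipment documents - AWB-1234
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached shipping documents.</p>
<a href="https://files.example.invalid/share/AWB-1234/Documents.vbs">
  <img src="cid:pdf_icon" alt="Documents.pdf"></a>
</body></html>
"""

# Constructed benign sample: the same layout, but the link really is a PDF.
BENIGN_EML = b"""From: ops@example-cargo.invalid
To: dispatch@example.invalid
Subject: Shipment documents - AWB-1234
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://files.example.invalid/share/AWB-1234/Documents.pdf">
  <img src="cid:pdf_icon" alt="Documents.pdf"></a>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        print(name, script_links_in_message(sample))
```

The check keys on the final path component only, so a link hosted on a legitimate file-sharing service (the abuse Microsoft mentions) is still caught; the `host` field is returned so a triage analyst can see which service was abused. A production filter would also follow redirects and inspect the downloaded content type, since the path alone can be disguised.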
The ‘Snip3’ loader:
Morphisec dubbed the loader “Snip3”, after a username found in earlier malware variants; the loader appears to be under active development.
Notably, Snip3 is specifically designed to avoid loading the RATs when it detects that it is being executed inside Windows Sandbox.
Windows Sandbox lets potentially malicious files be run in an isolated environment that does not interact with the host OS.
The loader behaves the same way if it detects that it is running inside a virtual machine.
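Because the loader refuses to drop its payload inside Windows Sandbox or a VM, sandbox detonation alone will not reveal the RATs; the endpoint telemetry from the real host is what catches the chain. The Python below is an added example (not code from the article or the vendors it cites) of a simple detection run over constructed, Sysmon-style process-creation records: it flags a Windows script host (`wscript.exe` or `cscript.exe`) that was spawned by a user-facing application or that executes a script from Downloads or Temp, which is where a VBScript fetched from a phishing link lands. The log format, user names and paths are invented for the example.

```python
import re
from pathlib import PureWindowsPath

# Windows script hosts that execute VBScript / JScript files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that indicate a user clicked something, rather than a scheduled or system task.
USER_FACING_PARENTS = {"outlook.exe", "firefox.exe", "chrome.exe", "msedge.exe", "winword.exe"}
# A script path under a profile's Downloads or Temp folder: where a phishing download lands.
USER_WRITABLE_PATH = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn a 'Key=Value|Key=Value' record into a dict (first '=' splits each field)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate_event(event: dict) -> list:
    """Return the reasons this process-creation event looks like a phishing-delivered script launch."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in USER_FACING_PARENTS:
        reasons.append(f"script host spawned by user-facing application {parent}")
    if USER_WRITABLE_PATH.search(event.get("CommandLine", "")):
        reasons.append("script executed from Downloads or Temp")
    return reasons


def find_suspicious_script_launches(lines) -> list:
    """Run the rule over an iterable of records and return one alert per matching event."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = evaluate_event(event)
        if reasons:
            alerts.append({
                "user": event.get("User"),
                "command": event.get("CommandLine"),
                "reasons": reasons,
            })
    return alerts


# Constructed records in a simplified Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    # A script fetched from a link in the browser and run from Downloads: both signals fire.
    "Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\alice\\Downloads\\Documents.vbs\""
    "|ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|User=CORP\\alice",
    # A legitimate admin script run by a service from a fixed location: no signal.
    "Image=C:\\Windows\\System32\\cscript.exe"
    "|CommandLine=cscript.exe //nologo C:\\Scripts\\inventory.vbs"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe|User=NT AUTHORITY\\SYSTEM",
    # Not a script host at all.
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice",
]

if __name__ == "__main__":
    for alert in find_suspicious_script_launches(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the reasons that fired, so an analyst can tell a browser-spawned script apart from one merely sitting in Temp; the two signals together are a much stronger indicator than either alone, and the parent list can be extended with whatever mail and document readers an environment actually uses.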
RATs (Remote Access Trojans) are highly dangerous malware that allow threat actors to gain administrative control over a targeted system.
Once RevengeRAT is installed on a system, it connects to a C2 (command-and-control) server to fetch and install further malware and payloads.
RevengeRAT is able to steal user passwords, images, videos, files, documents and other sensitive data, leaving the affected information heavily compromised.