Microsoft’s Security Intelligence Team has warned those who work in the aviation industry to be on the lookout for malware authors trying to penetrate their networks.

They warn of a sustained and dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers remote access trojans.

The campaign uses emails that spoof legitimate organizations (e.g in this example the Airbus Family Worldwide Symposium), to lure relevant to aviation, travel, or cargo to open an attachment. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the remote access trojan payloads.

The trojans then download additional modules, inject code into processes like RegAsm, InstallUtil, or RevSvcs and then steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and uploads data to the attacker’s servers.

Microsoft is urging those in the affected industry to validate that they have not already been attacked and have published advanced hunting queries that can be used to locate relevant or similar activities, emails, implants, and other indicators of attack in your environment. Network admins can find more detail on those at GitHub here.

via BleepingComputer

Comments