Recently, Microsoft issued an alert about this tool

Microsoft's alert warned users about a remote access tool called RevengeRAT, also known as AsyncRAT. It is being used to target travel and aerospace companies with spear-phishing emails. The emails use social engineering tricks to prompt employees at these types of firms to open a poisoned Adobe PDF attachment, which downloads a malicious Visual Basic file onto the recipient's machine.

In addition to the Microsoft alert, the security firm Morphisec recently flagged RevengeRAT as being at the center of a highly advanced Crypter-as-a-Service scheme that delivers multiple RAT families. Morphisec has dubbed the crypter service "Snip3."


Morphisec had this to say:

"If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments. If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload.

The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites.

The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587."

Microsoft notes that this basic strategy closely mirrors the one used by WannaCry and QuasarRAT in 2017 and 2018, a clue which may ultimately lead us to identify the attackers.


Market segments at peril

Organizations in the aerospace and travel sectors have been targeted in the past months in a campaign aimed at infecting victims with remote access Trojans (RAT) and other types of malware, Microsoft warns.

The attacks start with spear-phishing messages that employ lures relevant to the targeted organizations, such as aviation, travel, and cargo, and deliver an image that pretends to be a PDF file and which contains an embedded link.

On the compromised systems, the Trojans attempt to inject components into processes like RegAsm, InstallUtil, or RevSvcs, and Microsoft explains that they continuously re-run the components until the process injection is successful.

"They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587," the tech giant also notes.


My perspective

For their part, Microsoft has published a number of advanced hunting queries that security professionals can use to look for these threats anywhere on their networks. This is a significant threat. Stay on your guard.
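As an added illustration of what such a hunt looks like (this is an example written for this post, not one of Microsoft's published queries), the two Microsoft 365 Defender advanced hunting queries below look for the behaviours described above: script hosts launching the .NET utilities the RATs inject into, and outbound mail submission on TCP 587 from processes that have no business sending email. The table and column names are the standard `DeviceProcessEvents` and `DeviceNetworkEvents` schema; the process allowlists are assumptions to tune for your own environment.

```kql
// Added example, not a Microsoft-published query. Assumes the standard
// DeviceProcessEvents / DeviceNetworkEvents advanced hunting tables.

// Query 1: PowerShell or a script host spawning the utilities the RATs inject into.
// The injection targets come from the reports above; the script-host list is an assumption.
let injectionTargets = dynamic(["RegAsm.exe", "InstallUtil.exe", "RevSvcs.exe"]);
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ (injectionTargets)
| where InitiatingProcessFileName in~ (scriptHosts)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Query 2: successful outbound connections on SMTP submission port 587
// from anything other than a known mail client (placeholder allowlist; tune per estate).
let mailClients = dynamic(["outlook.exe", "thunderbird.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 587 and ActionType == "ConnectionSuccess"
| where not(InitiatingProcessFileName in~ (mailClients))
| summarize Connections = count(), RemoteIPs = make_set(RemoteIP, 20)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Connections desc
```

Run each query separately in the advanced hunting console. The first surfaces the injection-host launches worth triaging; the second is noisier, so the allowlist and the 7-day window are the knobs to adjust before turning either into a scheduled detection rule.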


As Hill Street Blues' Sgt. Esterhaus advised: "Hey, let's be careful out there!"



By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.

I am also a published author and speaker on cloud computing, work@home, and cybersecurity. I work extensively with business and professional associations to provide small business technology education programs.


Contact me if you would like me to speak to your association.

Used with permission from Article Aggregator