Spearphishing Campaign Targets Aerospace & Travel Sectors

Summary

Microsoft Security Intelligence discovered a spearphishing campaign targeting aerospace and travel organizations with multiple remote access trojans (RATs). Threat actors are spoofing legitimate organizations in emails and using lures associated with aviation, travel, or cargo. An image purporting to be a PDF file contains an embedded link that, if clicked, downloads a malicious VBScript, and drops the RAT payloads. These RATs are designed to harvest and exfiltrate data via SMTP Port 587, including credentials, screenshots, webcam data, browser and clipboard data, and system and network info.

Recommendations

The NJCCIC encourages users to educate themselves and others on these continuing threats and tactics employed by threat actors in order to reduce victimization. Users are advised to look for signs of spoofing, refrain from clicking on links and attachments from unknown or unverified senders, confirm the legitimacy of a request via an alternate means of communication before taking action, navigate directly to official websites, and exercise caution when divulging sensitive information. More information can be found in Microsoft Security Intelligence’s Twitter thread and Bleeping Computer article.