Microsoft Warns the Public About RevengeRAT

Microsoft released a warning on May 13, 2021, about a remote access trojan (RAT) known as RevengeRAT, which it says is being delivered through spear-phishing emails aimed at the aviation and transportation industries.

The advisory covers RevengeRAT and a closely related RAT, AsyncRAT. According to Microsoft, the malware is spread by specially crafted emails that ask employees to review what appears to be an Adobe PDF; the attachment is actually an image carrying a link that downloads a malicious VBScript.

According to Microsoft, the phishing emails deliver a loader that drops either RevengeRAT or AsyncRAT. Morphisec reports that the same loader can also deliver the Agent Tesla RAT.

Microsoft Warns About RevengeRAT

Microsoft representative said, “The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.”

Security firm Morphisec recently identified the two RATs as payloads of a Crypter-as-a-Service offering that serves several RAT families. Morphisec named the crypter "Snip3" after an identifier it found in earlier variants of the malware.

If Snip3 detects that it is running inside Windows Sandbox, the lightweight virtualized environment Microsoft introduced in 2018, it does not deploy the RAT. Windows Sandbox lets advanced users run untrusted executables in an isolated, disposable environment that cannot modify the host system.

Morphisec said, "If configured by [the attacker], the PowerShell implements functions that attempt to detect if the script is executed within Microsoft Sandbox, VMWare, VirtualBox, or Sandboxie environments."

"If the script identifies one of those virtual machine environments, the script terminates without loading the RAT payload," they added.
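The environment checks Morphisec describes are a useful static signal on their own: a PowerShell script that probes for VM or sandbox artifacts and then exits is behaving like a loader, whatever it downloads later. The following scanner is an added example (not Morphisec's or Microsoft's code, and not the Snip3 loader itself): it decodes any `-EncodedCommand` blobs, looks for references to the four environments named above, and flags scripts that combine such a check with an early exit. The sample loader text, the indicator strings (the Windows Sandbox default account name, vendor strings for VMware and VirtualBox, the Sandboxie DLL name) and the WMI class names are assumptions chosen for illustration, not values quoted from the page.

```python
import base64
import re

# Constructed stand-in for a loader stub with environment checks of the kind
# described in the article. Illustrative text only; this is not Snip3's code.
SAMPLE_LOADER = r'''
if ([Environment]::UserName -eq 'WDAGUtilityAccount') { exit }
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.Manufacturer -match 'VMware|innotek' -or $cs.Model -match 'VirtualBox') { exit }
if (Get-Process | Where-Object { $_.Modules.ModuleName -contains 'SbieDll.dll' }) { exit }
# payload download would follow here
'''

# Constructed benign admin script used as a negative control.
BENIGN_SCRIPT = r'''
Get-ChildItem -Path C:\Logs -Filter *.log | Sort-Object Length -Descending | Select-Object -First 5
'''

# Assumed indicator table (label -> pattern). These are strings a detection
# engineer would expect such checks to reference; they are not from the page.
ENV_INDICATORS = {
    "windows_sandbox": re.compile(r"WDAGUtilityAccount", re.I),   # default Windows Sandbox user
    "vmware":          re.compile(r"\bVMware\b", re.I),
    "virtualbox":      re.compile(r"VirtualBox|\bVBOX\b|innotek", re.I),
    "sandboxie":       re.compile(r"SbieDll", re.I),               # Sandboxie's injected DLL
}
HW_PROBE = re.compile(r"Win32_ComputerSystem|Win32_BIOS|Win32_VideoController", re.I)
BAIL_OUT = re.compile(r"\b(exit|break|return)\b", re.I)
# powershell -e/-ec/-enc/-EncodedCommand <base64>; the blob is UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded_commands(text):
    """Append the decoded form of every -EncodedCommand blob to the text."""
    decoded = []
    for blob in ENCODED_ARG.findall(text):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE; scan the raw text only
    return text + "\n" + "\n".join(decoded)


def scan_for_sandbox_evasion(script):
    """Return which environments are referenced and whether the script bails out."""
    text = expand_encoded_commands(script)
    return {
        "environments": sorted(k for k, p in ENV_INDICATORS.items() if p.search(text)),
        "hardware_probe": bool(HW_PROBE.search(text)),
        "bails_out": bool(BAIL_OUT.search(text)),
    }


def is_sandbox_aware(script):
    """Verdict: names at least one sandbox/VM environment AND contains an exit path."""
    result = scan_for_sandbox_evasion(script)
    return bool(result["environments"]) and result["bails_out"]


def encode_command(script):
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    print(scan_for_sandbox_evasion(SAMPLE_LOADER))
    print("loader sandbox-aware:", is_sandbox_aware(SAMPLE_LOADER))
    print("benign sandbox-aware:", is_sandbox_aware(BENIGN_SCRIPT))
    wrapped = "powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_LOADER)
    print("encoded loader sandbox-aware:", is_sandbox_aware(wrapped))
```

Requiring both an environment reference and an exit path keeps ordinary inventory scripts, which query `Win32_ComputerSystem` all day, out of the alert queue; the decode step matters because a loader that arrives as `-EncodedCommand` shows none of these strings until the UTF-16LE payload is expanded.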

Once installed, the RATs connect to a command-and-control (C2) server and retrieve additional payload stages from pastebin.com and similar sites.

The RATs steal credentials, screenshots, and webcam data, along with browser and clipboard contents, and exfiltrate it to the attackers. Because the chain is largely fileless, little is written to disk for defenders to find on the device.

According to Microsoft Security Intelligence, "The RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin.com or similar sites."

"The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RegSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587," they added.
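The behaviours in the two Microsoft statements above translate directly into endpoint detection logic: a script host fetching from a paste site, a .NET utility (RegAsm, InstallUtil, RegSvcs) being spawned by that script host, and the same utility then opening an SMTP submission connection on port 587. The example below is added here and is not Microsoft's or Morphisec's code; it runs those three rules over constructed Sysmon-style process-creation and network events. The event schema, file paths, IP address and the list of paste sites beyond pastebin.com are assumptions made for the example.

```python
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INJECT_TARGETS = {"regasm.exe", "installutil.exe", "regsvcs.exe"}   # named in the Microsoft quote
PASTE_SITES = {"pastebin.com", "paste.ee", "hastebin.com"}          # assumed staging hosts
SMTP_SUBMISSION_PORT = 587

# Constructed Sysmon-style telemetry (event 1 = process create, event 3 = network
# connect). Paths, PIDs and addresses are made up; 203.0.113.10 is a documentation range.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 300,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 410,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"type": "network_connect", "pid": 410,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "pastebin.com", "dest_port": 443},
    {"type": "process_create", "pid": 512,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network_connect", "pid": 512,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_host": "203.0.113.10", "dest_port": 587},
    # Benign noise: a build agent running InstallUtil, and a mail client on 587.
    {"type": "process_create", "pid": 600,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Program Files\dotnet\MSBuild.exe"},
    {"type": "network_connect", "pid": 700,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.example.com", "dest_port": 587},
]


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_rat_chain(events):
    """Return alerts for the download -> inject -> SMTP-exfil chain, in event order."""
    alerts = []
    scripted_targets = set()  # PIDs of RegAsm/InstallUtil/RegSvcs spawned by a script host
    for e in events:
        img = image_name(e["image"])
        if e["type"] == "process_create":
            parent = image_name(e["parent_image"])
            # Rule 1: injection target launched by a script interpreter.
            if img in INJECT_TARGETS and parent in SCRIPT_HOSTS:
                scripted_targets.add(e["pid"])
                alerts.append({"rule": "inject_target_from_script_host", "pid": e["pid"],
                               "detail": f"{parent} spawned {img}", "severity": "medium"})
        elif e["type"] == "network_connect":
            host = e.get("dest_host", "").lower()
            # Rule 2: script host pulling a stage from a paste site.
            if img in SCRIPT_HOSTS and host in PASTE_SITES:
                alerts.append({"rule": "script_host_fetches_paste_site", "pid": e["pid"],
                               "detail": f"{img} -> {host}", "severity": "medium"})
            # Rule 3: injection target talking SMTP submission. Escalate when the
            # same PID was already flagged by rule 1; a lone hit is weak on its own.
            if img in INJECT_TARGETS and e.get("dest_port") == SMTP_SUBMISSION_PORT:
                severity = "high" if e["pid"] in scripted_targets else "low"
                alerts.append({"rule": "inject_target_smtp_submission", "pid": e["pid"],
                               "detail": f"{img} -> {host}:{e['dest_port']}", "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect_rat_chain(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']} pid={a['pid']} {a['detail']}")
```

RegAsm, InstallUtil and RegSvcs are legitimate .NET tools, so their appearance alone is not an indicator; the value is in the parent process and the subsequent port 587 connection from the same PID, which is why the third rule only reaches high severity when the first rule has already fired for that process.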
