Wednesday, 09 July 2025

Microsoft has warned of a new loader attacking aviation

Microsoft has warned of a cyber-campaign in which cybercriminals target aerospace and tourism organizations with spear phishing. An interesting feature of these attacks is the use of a new loader that delivers remote access Trojans (RATs) to victims' computers.

Microsoft has been monitoring threat actors for the past few months. PDF documents are used as lures that purport to relate directly to the activities of organizations in the aerospace, tourism and industrial sectors.

The researchers found that the attackers' main goal was to steal important data from compromised devices. To do this, they use RAT malware that can record keystrokes (a keylogger) and steal employee passwords.

In addition, Trojan operators can take screenshots, record video with a webcam, monitor the clipboard and browser, and analyze information about the system. All information is sent via SMTP port 587.

The new loader was named Snip3 and is responsible for installing the following malware on the system: Revenge RAT, AsyncRAT, Agent Tesla and NetWire RAT. First, VBS files are installed; these then drop a PowerShell script.

At the same time, Snip3 can recognize sandboxes and virtual environments, which allows it to evade detection and analysis.
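Detection logic for the two behaviours described above (a VBS script host launching PowerShell, and data leaving over SMTP port 587), as an added example that does not come from Microsoft or the original article. The event schema, host names and mail-client allowlist are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # Windows hosts that run VBS
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist; tune per site

# Constructed events (not real telemetry), one JSON object per line.
SAMPLE_LOG = r"""
{"event": "process_create", "host": "ws-014", "image": "C:\\Windows\\System32\\wscript.exe", "parent": "C:\\Windows\\explorer.exe"}
{"event": "process_create", "host": "ws-014", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\System32\\wscript.exe"}
{"event": "network_connect", "host": "ws-014", "image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", "dest_port": 587}
{"event": "network_connect", "host": "ws-022", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "dest_port": 587}
{"event": "network_connect", "host": "ws-031", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe", "dest_port": 587}
"""

def exe_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(log_text, mail_clients=MAIL_CLIENTS):
    """Return {host: sorted list of rule names that fired on that host}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
        host = ev.get("host", "unknown")
        image = exe_name(ev.get("image", ""))
        if ev.get("event") == "process_create":
            # VBS stage handing off to PowerShell
            if image in POWERSHELL and exe_name(ev.get("parent", "")) in SCRIPT_HOSTS:
                hits[host].add("script_host_spawned_powershell")
        elif ev.get("event") == "network_connect":
            # Mail submission port used by something that is not a mail client
            if ev.get("dest_port") == 587 and image not in mail_clients:
                hits[host].add("smtp_587_from_non_mail_process")
    return {h: sorted(r) for h, r in hits.items()}

def high_priority(results):
    """Hosts where both behaviours were observed together."""
    return sorted(h for h, rules in results.items() if len(rules) == 2)

if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for host, rules in sorted(results.items()):
        print(host, rules)
    print("escalate:", high_priority(results))
```

Either rule on its own produces false positives (administrative scripts, third-party mailers), so the correlation in `high_priority` is the signal worth paging on.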

Source: anti-malware.ru

17 May 2021
