Malware Attack on the Aviation Sector

Can you believe a malware attack on the aviation sector went unnoticed for 2 years before it was finally uncovered? Threat actors operating out of Nigeria were able to run small-scale cybercrime for an extended period while managing to stay off the radar.

Cisco Talos’ analysis of the Operation Layover attacks builds on previous research published by the Microsoft Security Intelligence team in May 2021. Microsoft had described a “dynamic campaign targeting the aviation industry. The threat actors used spear-phishing emails to distribute an actively developed loader, which then delivered RevengeRAT or AsyncRAT.”

Researchers Tiago Pereira and Vitor Ventura said in the blog post, “The actor […] doesn’t seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware. The actor also buys the crypters that allow the usage of such malware without being detected, throughout the years it has used several different cryptors, mostly bought on online forums.”

The threat actors have been active since 2013. The attacks involved emails carrying lure documents themed around the aviation or cargo industry. These were presented as PDF files but linked to a VBScript file hosted on Google Drive, which in turn delivered remote access trojans (RATs) such as AsyncRAT and njRAT, leaving compromised organizations exposed to an array of security risks. According to Cisco Talos, they discovered 31 aviation-themed lures dating back to August 2018.
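The lure pattern described above (an industry-themed email, a document presented as a PDF, a link to a script hosted on Google Drive) is simple enough to triage at the mail gateway. The following is an added example written for this article, not code from Cisco Talos or Microsoft: it scores constructed mail-gateway events on those indicators. The field names, the theme word list, the score weights and the thresholds are all assumptions chosen for illustration; the Google Drive URLs and file names are constructed placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# One record per inbound message, as a mail gateway plus web proxy might
# produce it. Field names are assumptions for this example.
@dataclass(frozen=True)
class MailEvent:
    subject: str
    attachment: str          # name of the attached lure document, "" if none
    urls: tuple              # URLs extracted from the body or the attachment
    fetched_name: str = ""   # filename the proxy saw when a link was followed, "" if unknown

# Theme words matching the aviation/cargo lures described in the article (assumed list).
LURE_THEMES = ("aviation", "cargo", "flight", "airline", "charter",
               "freight", "aircraft", "air waybill")
# Windows script-host file types a PDF lure should never resolve to.
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh|hta)\s*$", re.IGNORECASE)
# Google Drive / Docs hosting, the file-share host named in the article.
FILE_SHARE_HOST = re.compile(r"^https?://(?:drive|docs)\.google\.com/", re.IGNORECASE)
# "report.pdf.vbs"-style double extensions that masquerade as a PDF.
PDF_LOOKALIKE = re.compile(r"\.pdf\.[a-z0-9]{2,4}\s*$", re.IGNORECASE)

# Weights and thresholds are illustrative assumptions, not tuned values.
WEIGHT_THEME, WEIGHT_SHARE_LINK, WEIGHT_BAD_ATTACHMENT, WEIGHT_FETCHED_SCRIPT = 1, 2, 5, 4
BLOCK_AT, REVIEW_AT = 6, 3


def triage(ev: MailEvent):
    """Return (score, reasons) for one event; higher means more lure-like."""
    score, reasons = 0, []
    if any(theme in ev.subject.lower() for theme in LURE_THEMES):
        score += WEIGHT_THEME
        reasons.append("industry-themed subject")
    if PDF_LOOKALIKE.search(ev.attachment) or SCRIPT_EXT.search(ev.attachment):
        score += WEIGHT_BAD_ATTACHMENT
        reasons.append("attachment is a script or a PDF look-alike")
    share_links = [u for u in ev.urls if FILE_SHARE_HOST.match(u)]
    if share_links:
        score += WEIGHT_SHARE_LINK
        reasons.append(f"{len(share_links)} file-share link(s) in message")
    # Drive download URLs rarely expose the real extension, so the strongest
    # signal is the filename the proxy actually saw when the link was followed.
    if SCRIPT_EXT.search(ev.fetched_name):
        score += WEIGHT_FETCHED_SCRIPT
        reasons.append(f"link resolved to a script file: {ev.fetched_name}")
    return score, reasons


def verdict(ev: MailEvent) -> str:
    """Map the score onto an action the gateway could take."""
    score, _ = triage(ev)
    if score >= BLOCK_AT:
        return "block"
    if score >= REVIEW_AT:
        return "review"
    return "allow"


# Constructed sample events (no real campaign data).
SAMPLE_EVENTS = (
    MailEvent("Cargo charter quotation", "Charter_Request.pdf",
              ("https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID",),
              fetched_name="Charter_Request.vbs"),
    MailEvent("Team lunch Friday", "",
              ("https://docs.google.com/document/d/PLACEHOLDER_ID/edit",)),
    MailEvent("Aircraft parts invoice", "Invoice.pdf.vbs", ()),
    MailEvent("Flight schedule update", "schedule.pdf",
              ("https://drive.google.com/file/d/PLACEHOLDER_ID/view",)),
)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons = triage(ev)
        print(f"{verdict(ev):6s} score={score} subject={ev.subject!r} reasons={reasons}")
```

The weights deliberately put most of the decision on what a link resolves to rather than on the link itself, because Google Drive links are routine in business mail and a theme word alone is weak evidence; a plain PDF with a Drive link lands in "review" rather than "block".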

The threat actors also wove multiple RATs into their campaigns, which the researchers discovered by analyzing the various domains used in the attacks. The same infrastructure served as command-and-control (C2) servers for Cybergate RAT and AsyncRAT, and hosted a batch file used as part of a malware chain to download and execute other malware.

The researchers further added, “Many actors can have limited technical knowledge but still be able to operate RATs or information-stealers, posing a significant risk to large corporations given the right conditions. In this case, […] what seemed like a simple campaign is, in fact, a continuous operation that has been active for three years, targeting an entire industry with off-the-shelf malware disguised with different crypters.”
