Threat Actors Target Aviation Firms Via Spear Phishing Campaign
Fortinet researchers discovered a spear-phishing campaign targeting the aviation industry with well-crafted messages carrying malicious download links that deliver AsyncRAT. AsyncRAT is an open-source remote access tool (RAT), positioned as a legitimate remote administration utility, which has been used to gather browser data, steal credentials, capture webcam footage and screenshots, and collect details about the victim's system and network.
The threat actors targeted multiple aviation firms with phishing emails that appeared to come from the federal aviation authority, using a spoofed sender address modelled on a ‘foreign operators affairs’ address used for inquiries and approvals. The emails go a step further by including a signature and a logo to impersonate the federal authority.
The attackers designed the email to create a sense of urgency by making it resemble a Reporting of Safety Incident (ROSI) from Air Traffic Control. In addition, the email contains malicious Google Drive links disguised as a PDF attachment. Most of the emails in this campaign contain the strings ROSI, AOP and Incident Report, as well as the attachment name ‘ROSI-AOP Incident Report Details,’.pdf.
The researchers note that all of these emails were sent from an IP address (192.145.239.18) previously used in an aviation-themed campaign identified by Morphisec researchers in April and May of 2021, with the majority of victims located in the UAE, Canada, Argentina, Djibouti, and Fiji.
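As an added illustration (not part of the Fortinet report or this article), the following Python triage routine scores constructed email records against the indicators described above: the known sender IP, the ROSI/AOP/Incident Report lure strings, a Google Drive link presented as a PDF, and an authority display name on a non-authority domain. The sample messages, the allowlisted authority domain and the Drive URL are placeholders.

```python
"""Added triage example: flag constructed email records that match the
indicators reported for the aviation spear-phishing campaign."""
from urllib.parse import urlparse

# Indicator values taken from the article; the allowlist domain is a placeholder.
KNOWN_SENDER_IP = "192.145.239.18"
LURE_STRINGS = ("ROSI", "AOP", "Incident Report")
IMPERSONATED_UNIT = "foreign operators affairs"
AUTHORITY_DOMAINS = {"aviation-authority.example"}  # placeholder, not the real domain

# Constructed sample records (hypothetical ids, addresses, IPs and URLs).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Foreign Operators Affairs <ops@mail-example.net>",
     "source_ip": "192.145.239.18", "subject": "ROSI-AOP Incident Report",
     "attachments": [],
     "links": [("ROSI-AOP Incident Report Details.pdf",
                "https://drive.google.com/uc?id=PLACEHOLDER")]},
    {"id": "m2", "from": "Colleague <jane@partner.example>",
     "source_ip": "203.0.113.7", "subject": "Lunch",
     "attachments": ["menu.pdf"], "links": []},
    {"id": "m3", "from": "HR <hr@corp.example>",
     "source_ip": "198.51.100.9", "subject": "Incident Report template",
     "attachments": [], "links": [("Template.pdf", "https://intranet.corp.example/t.pdf")]},
]

def indicators(msg):
    """Return the list of indicator names a single message record triggers."""
    hits = []
    if msg.get("source_ip") == KNOWN_SENDER_IP:
        hits.append("known_campaign_ip")
    text = " ".join([msg.get("subject", ""), *msg.get("attachments", [])]).lower()
    if any(s.lower() in text for s in LURE_STRINGS):
        hits.append("rosi_aop_lure")
    for anchor_text, url in msg.get("links", []):
        host = urlparse(url).netloc.lower()
        # Link text claims a PDF file but the target is a cloud-drive host.
        if anchor_text.lower().endswith(".pdf") and host.endswith("drive.google.com"):
            hits.append("drive_link_disguised_as_pdf")
            break
    display, _, addr = msg.get("from", "").rpartition("<")
    domain = addr.rstrip(">").split("@")[-1].lower()
    if IMPERSONATED_UNIT in display.lower() and domain not in AUTHORITY_DOMAINS:
        hits.append("authority_impersonation")
    return hits

def triage(messages, threshold=2):
    """Return (id, hits) for messages triggering at least `threshold` indicators."""
    flagged = []
    for msg in messages:
        hits = indicators(msg)
        if len(hits) >= threshold:
            flagged.append((msg["id"], hits))
    return flagged
```

A single lure string alone (as in m3, an internal template) stays below the threshold, while the combination of indicators in m1 is flagged.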
Security experts have warned that the aviation and travel industry is seeing a notable increase in Remote Access Trojan (RAT) attacks delivered through phishing emails. Like other forms of malware, Remote Access Trojans are usually bundled with what appear to be legitimate files, such as email attachments or pre-installed software. It has also been observed that these threat actors modify their operating techniques once their methods are identified and publicly exposed.
A RAT is particularly dangerous because it can imitate trustworthy remote access applications. Victims typically do not realise that a RAT has been installed, as it does not appear in the list of active programs or running processes. These attacks are aimed less at the general public and more at gathering sensitive data from the aviation industry.
“The targeting of particular industries is now often pointing to particular malware gangs. Many gangs have become more specialized, targeting a specific industry that they have especially good experience and success in. To increase the chances of getting a potential victim to execute malware, the attacker has to make the social-engineering and phishing attack seem as close to an internal or partner communication as possible. Specializing in a particular industry helps to do this,” Roger Grimes, data analyst at KnowBe4 stated.