Researchers have uncovered a campaign against the aviation sector and traced it to Nigeria-based threat actors. Microsoft Intelligence released a series of tweets outlining the campaign, which it determined targeted the aerospace and travel sectors with spear-phishing emails distributing an actively developed loader. The loader then delivers one of two different RATs, RevengeRAT or AsyncRAT. Microsoft stated that the campaign’s operator used email spoofing to pass as a legitimate organization in the travel industry, together with an attached file with an embedded link that contained a malicious script.
Microsoft stated that the malware was used to spy on victims and exfiltrate data such as credentials, screenshots, clipboard contents, and webcam data. Microsoft has been actively monitoring the campaign, and on Thursday Cisco Talos researchers found a link between the campaign and a Nigerian actor that has been operating since at least 2013 and targeting aviation for the past two years. In addition to the information provided by Microsoft’s investigation, Cisco has also found connections between the threat actor and campaigns against other sectors. The actor’s alleged pseudonyms include “Nassief2018” on hacking forums.
Read More: Cyberattacks against the aviation industry linked to Nigerian threat actor