Microsoft Issues Warning for New RAT Targeting Industries

Microsoft Security Intelligence published a series of tweets, warning for the spread of a new strain of malware that targets the aerospace and travel industries. The malware in question has been named RevengeRAT.

A RAT or a remote access Trojan is a type of malware that allows bad actors to gain considerable control over an infected system or network. RATs usually include a backdoor component that allows hackers to send commands and execute code on the victim system while staying undetected for as long as possible.

The new RevengeRAT, also called AsyncRAT, is being spread primarily using spear-phishing emails. Spear-phishing is the method of sending malicious mail, masking the email to look as though it was sent from a trusted source, usually someone who the recipient already knows and trusts.

Unlike regular phishing where emails are sent in mass spam campaigns, spear-phishing tends to be a more narrowly targeted approach, focusing on a specific business, organization or entity.

The malicious emails spreading RevengeRAT have an attachment masquerading as an Adobe PDF file, while in reality it is a Visual Basic file, laden with malicious scripts. Once the script is executed, it deploys the RAT payload. The malicious file in the attached file usually abuses legitimate web services and contains a link to the Visual Basic script file.

Security company Morphisec, quoted in Microsoft's tweets, named the loader used in the deployment of RevengeRAT "Snip3". A curious fact about the loader is that it skips the deployment of the remote access Trojan component entirely if it discovers that it is being executed within a Windows Sandbox or another virtual machine environment that can be used as a malware-catching sandbox.

The RevengeRAT has the capability to exfiltrate login credentials, capture screenshots and access webcams and peek into clipboard contents.

Once the RAT has been deployed on the victim's system, it contacts its command and control server, using a dynamic hosting site, and then abused PowerShell and fileless methods to grab and deploy three further payloads from public-facing links on sites such as Pastebin.

The keywords and angle used in the spear-phishing emails used by the bad actors running the current RevengeRAT campaigns are all slanted towards workers in the travel and aerospace sectors, according to Microsoft.

The tweets further noted that Microsoft's Defender can detect the separate components of this malware and react at every stage of the attack.

By Zaib
May 13, 2021
Computer Security
English
May 13, 2021
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

Android Malware

Remove Sandro RAT

Some malware families tend to be forgotten in time, but the Sandro RAT is not one of them. After it made its first appearance in 2014, it continues to be used to this very day. Its original developers are still... Read more

May 13, 2021
Malware

How to Remove Lime RAT

Lime RAT is a simple Remote Access Trojan (RAT,) which used to be spread with the use of maliciously modified Microsoft Excel documents. While the largest Lime RAT campaign took place in 2020, it is likely that the... Read more

April 21, 2021
How To

How to Uninstall Microsoft Office

Microsoft Office is a hugely popular office suite and Microsoft's most popular software product in recent years, along with the company's Windows 10 platform. Microsoft Office's latest iteration is called Office 365... Read more

February 15, 2021
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.