Microsoft has warned that the aviation and travel industry is seeing a notable increase in RAT (Remote Access Trojan) attacks delivered through phishing emails.

The Microsoft Security Intelligence team posted a thread on its official Twitter account describing the attack, how it works, and the malware it delivers.

First, the attacker sends a phishing email that encourages the victim to download a malicious file. If the victim complies, a loader, which Morphisec researchers have dubbed Snip3, installs either RevengeRAT or AsyncRAT on the target's PC.

Like other malware, Remote Access Trojans are usually bundled with what appear to be legitimate files, such as email attachments or pre-installed software. The operators behind this campaign have also been observed changing their techniques quickly whenever their methods are discovered and publicly exposed.

Whichever RAT the loader installs, the goal is the same. Both RevengeRAT and AsyncRAT are Trojans that gather browser data, steal credentials, capture webcam data and screenshots, and collect basic information about the system and network.

The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.
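The delivery chain above (a "PDF" that is really an image wrapped in a link to a script hosted on a legitimate service) can be triaged from the email itself before anyone clicks. The following is an added example, not code from Microsoft or from Heimdal: it parses a constructed sample message, finds images wrapped in links, and flags those that present themselves as a PDF but point at script content or at a host outside the sender's domain. The message text, domains and URLs are made up for the example.

```python
"""Heuristic triage of a phishing lure: an image dressed up as a PDF
attachment that links out to a script download on a third-party host.
Added example; the sample message below is constructed, not real."""
from __future__ import annotations

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a cargo-quote lure whose "PDF" is an image wrapped
# in a link to a .vbs file on an (assumed) file-hosting service.
SAMPLE_EML = """\
From: "Ops Desk" <ops@air-cargo-example.test>
To: quotes@victim.test
Subject: Cargo charter request - 1000 boxes medical kits
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please quote for the attached request and send it back.</p>
<a href="https://files.example-hosting.test/dl/abc123/Charter_Request.pdf.vbs">
  <img src="cid:pdficon" alt="Charter_Request.pdf">
</a>
<p>Regards</p>
</body></html>
"""

# Extensions that mean the "document" is really executable script content.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr")


class _ImageLinkCollector(HTMLParser):
    """Collect (href, image label) pairs for <img> elements inside an <a>."""

    def __init__(self) -> None:
        super().__init__()
        self._open_href: str | None = None
        self.image_links: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open_href = a.get("href")
        elif tag == "img" and self._open_href:
            # The alt text (or image name) is what the victim "sees".
            self.image_links.append((self._open_href, a.get("alt") or a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None


def _looks_like_pdf(label: str) -> bool:
    return "pdf" in label.lower()


def _real_target_kind(url: str) -> str:
    """Classify what the link actually fetches, judged by its path."""
    path = urlparse(url).path.lower()
    if path.endswith(SCRIPT_EXTS):
        return "script"
    if path.endswith(".pdf"):
        return "pdf"
    return "unknown"  # e.g. an opaque download URL on a sharing service


def _off_domain(host: str, sender_domain: str) -> bool:
    return not (host == sender_domain or host.endswith("." + sender_domain))


def triage_message(raw: str) -> list[dict]:
    """Return one finding per image link that poses as a PDF but does not
    lead to a PDF; each finding notes the real target kind and whether the
    link host differs from the sender's domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _ImageLinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, label in collector.image_links:
        if not _looks_like_pdf(label):
            continue
        kind = _real_target_kind(href)
        if kind == "pdf":
            continue  # looks like a PDF and really is one: not this lure
        host = (urlparse(href).hostname or "").lower()
        findings.append({
            "label": label,
            "href": href,
            "target_kind": kind,
            "off_sender_domain": _off_domain(host, sender_domain),
        })
    return findings


if __name__ == "__main__":
    for f in triage_message(SAMPLE_EML):
        print(f)
```

An opaque download URL with no extension is reported as "unknown" rather than ignored, because the campaign abuses legitimate web services whose links rarely reveal the file type; the off-domain flag is what separates those from a genuine PDF hosted by the sender's own organization.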

What makes a RAT particularly dangerous is that it can imitate trustworthy remote access software. Once installed it is designed not to stand out in the list of active programs or running processes, so you may never notice it is there. Why? Because it is more advantageous for attackers to stay out of the limelight and avoid being caught.

The sample emails Microsoft shared show how convincing the lures are. The first is composed as a cargo charter request, asking the recipient for a price quote on over 1000 boxes of medical kits, and links to a malicious file to be filled in and sent back.

Image Source: Twitter

The second email is a fake invitation to an Airbus Family Symposium, promising to “provide you with an operational overview of what has been done to support all Airbus fleet in January 2021 to April 2021 through various virtual sessions and conferences.” Attached to the email is a malicious file posing as a PDF with the “global agenda details.”

Image Source: Twitter

These attacks are aimed not at the general public but at organizations in the aviation, travel and cargo sectors, with the goal of gathering sensitive data from the aviation industry.

The damage a Remote Access Trojan can cause is limited only by the skill of the attacker behind it. A RAT is never good news, so protecting your systems against them is of the utmost importance.

Our Heimdal™ Threat Prevention solution is compatible with any antivirus product on the market and blocks threats at their root. An anti-malware solution is not meant to replace your antivirus product but to complement it, so that you benefit from multiple layers of protection against malware and ransomware. With both products installed, more security gaps are closed and online safety improves.
