Morphisec cybersecurity experts: The malware, written in .NET, is delivered through MSI installer and thwarts online AV scanners.
Microsoft: Snip3 is a new malware exploited to target aerospace and travel sectors. The vectors are spear-phishing emails. It then delivers RevengeRAT or AsyncRAT for data theft, and other payloads as Agent Tesla to exfliltrate it
Snip3 is a new malware exploited by cyber espionage actors to target the aerospace and travel sectors with spear-phishing emails. It then delivers RevengeRAT or AsyncRAT in the infected machines. It has been discovered by Microsoft cybersecurity experts. Attackers use the remote access Trojans for data theft, follow-on activity, and additional payloads, including Agent Tesla, which they use for data exfiltration. The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.
The cybersecurity experts: The RATs steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrates data often via SMTP Port 587
According the cybersecurity researchers, the RATs connect to a C2 server on hosted on a dynamic hosting site to register with the attackers, and then uses a UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites. The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network into, and exfiltrates data often via SMTP Port 587.