
Cyber Espionage, Snip3 is a new malware exploited to target aerospace and travel sectors

Microsoft: Snip3 is a new malware exploited to target the aerospace and travel sectors. The vectors are spear-phishing emails. It then delivers RevengeRAT or AsyncRAT for data theft, and other payloads such as Agent Tesla to exfiltrate it.

Snip3 is a new malware exploited by cyber espionage actors to target the aerospace and travel sectors with spear-phishing emails. It then delivers RevengeRAT or AsyncRAT on the infected machines. It was discovered by Microsoft cybersecurity experts. Attackers use the remote access Trojans for data theft, follow-on activity, and additional payloads, including Agent Tesla, which they use for data exfiltration. The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.

The cybersecurity experts: The RATs steal credentials, screenshots and webcam data, browser and clipboard data, and system and network info, and exfiltrate data often via SMTP port 587.

According to the cybersecurity researchers, the RATs connect to a C2 server hosted on a dynamic hosting site to register with the attackers, and then use UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites. The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, and system and network info, and exfiltrate data often via SMTP port 587.
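The behaviour chain described above (VBScript host launching PowerShell, PowerShell starting a .NET utility such as RegAsm or InstallUtil, staging pulled from a paste site, and outbound SMTP on port 587 from the injected process) maps cleanly onto process-creation and network-connection telemetry. The following triage filter is an added example written for this page, not code from the article or from Microsoft: it walks simplified endpoint events and emits one finding per matched stage. All sample events, paths and hostnames are constructed for the demonstration, and the second paste-site entry is a hypothetical placeholder standing in for "similar sites".

```python
"""Constructed triage example: flag stages of the Snip3-style chain in
simplified process and network events. Not from the article or Microsoft."""
import json
from typing import Iterable

# Staging sources named in the text (pastebin[.]com) plus a placeholder
# for the unnamed "similar sites"; replace with your own allow/deny lists.
PASTE_HOSTS = {"pastebin.com", "paste.example-placeholder.invalid"}

# Binaries the text says the loaders inject into (matched on file name only).
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}
LOADER_IMAGES = INJECTION_TARGETS | {"powershell.exe"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows VBScript hosts
SMTP_SUBMISSION_PORT = 587


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events: Iterable[dict]) -> list:
    """Return a finding {"stage", "pid"} for every event matching a stage."""
    findings = []
    for ev in events:
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        kind = ev.get("type")
        if kind == "process_create":
            # Stage 1: VBScript host spawning PowerShell (dropper hand-off).
            if parent in SCRIPT_HOSTS and image == "powershell.exe":
                findings.append({"stage": "vbscript_to_powershell", "pid": ev["pid"]})
            # Stage 2: PowerShell starting a known injection target.
            elif parent == "powershell.exe" and image in INJECTION_TARGETS:
                findings.append({"stage": "powershell_to_injection_target", "pid": ev["pid"]})
            # Encoded command lines are a weak but cheap signal; the check is
            # deliberately narrow ("-enc" also covers "-encodedcommand").
            cmd = ev.get("command_line", "").lower()
            if image == "powershell.exe" and "-enc" in cmd:
                findings.append({"stage": "encoded_powershell", "pid": ev["pid"]})
        elif kind == "network_connect":
            host = ev.get("dest_host", "").lower()
            port = ev.get("dest_port")
            # Stage 3: loader or injected process fetching stages from a paste site.
            if host in PASTE_HOSTS and image in LOADER_IMAGES:
                findings.append({"stage": "paste_site_staging", "pid": ev["pid"]})
            # Stage 4: injected .NET utility talking SMTP submission (exfil path).
            # A mail client on 587 is normal; the same from RegAsm is not.
            if port == SMTP_SUBMISSION_PORT and image in INJECTION_TARGETS:
                findings.append({"stage": "smtp_587_from_injection_target", "pid": ev["pid"]})
    return findings


# Constructed sample telemetry: one full chain plus a benign Outlook baseline.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4101, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "wscript.exe invoice.vbs"},
    {"type": "process_create", "pid": 4120, "image": PS,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -nop -w hidden -enc AAAA"},
    {"type": "process_create", "pid": 4133, "image": REGASM,
     "parent_image": PS, "command_line": "RegAsm.exe"},
    {"type": "network_connect", "pid": 4120, "image": PS,
     "dest_host": "pastebin.com", "dest_port": 443},
    {"type": "network_connect", "pid": 4133, "image": REGASM,
     "dest_host": "mail.example.invalid", "dest_port": 587},
    {"type": "network_connect", "pid": 900, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dest_host": "smtp.example.invalid", "dest_port": 587},  # benign: not flagged
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Running the block prints five findings for PIDs 4120 and 4133 and nothing for the Outlook connection, which is the point of keying the port-587 rule on the injected process name rather than on the port alone.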
