# Spear Phishing Campaign with New Techniques Aimed at Aviation Companies

**[fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies](https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies)**

June 27, 2021

Threat Research

By [Gayathri Thirugnanasambandam | June 27, 2021](https://www.fortinet.com/blog/search?author=Gayathri+Thirugnanasambandam)

**[FortiGuard Labs Threat Research Report](https://www.fortinet.com/fortiguard/labs.html?utm_source=blog&utm_medium=campaign&utm_campaign=FortiGuardLabs)**

**Affected platforms: Microsoft Windows**

**Impacted parties: Windows Users**

**Impact: Obtain sensitive data from the victim's device and deliver additional malware**

**Severity level: Critical**

## Introduction to the Spear Phishing Campaign


-----

As we are all aware, spear phishing attacks are far more successful than untargeted ones
and are most difficult to detect. The [FortiGuard Labs team has identified yet another spear](https://www.fortinet.com/fortiguard/labs?utm_source=blog&utm_campaign=fortiguard-labs)
phishing campaign, this one targeting aviation companies. In this campaign, a malicious link
that distributes an AsyncRAT payload is sent to aviation companies with a well-crafted
message. AsyncRAT, an open-source remote administration tool, is used to steal credentials
and other sensitive data. It also includes the capability to upload and download files on the
compromised machine. This blog highlights the various stages of this spear phishing
campaign and its newly adapted techniques.

## Spear Phishing Campaign Overview

[The infection cycle begins with phishing emails sent to aviation companies that contain](https://www.fortinet.com/resources/cyberglossary/phishing?utm_source=blog&utm_campaign=phishing)
malicious links disguised as pdf attachments. The link in the email directs the user to VB
Script hosting sites, from which the initial payload (.vbs) is delivered. The .vbs script then
drops the second stage payload, an xml file containing inline C# .NET assembly code that
acts as a RAT loader. The loader hollows and injects the final payload, AsyncRAT, into the
victim process (RegSvcs.exe). AsyncRAT, also known as RevengeRAT, connects to its C2
server, takes control of the compromised machine, and introduces additional payload. I will
now dive into each of these steps in a bit more detail.

Figure 1: Infection cycle of the spear phishing campaign

## Spear Phishing Email

[Spear phishing is a highly targeted attack resulting from extensive research on targeted](https://www.fortinet.com/resources/cyberglossary/spear-phishing?utm_source=blog&utm_campaign=spear-phishing)
users and their organizations conducted by threat actors. The phishing emails observed in
this campaign were sent to multiple aviation companies. They all appear to be coming from
the federal aviation authority using a spoofed sender address that matches with a “foreign
operators affairs” email address for enquiries/approvals. The email goes through the extra
step of having a signature and a logo to impersonate a federal authority. Also, the content is
carefully crafted to create a sense of urgency by making it to look like a Reporting of Safety
Incident (ROSI) from Air Traffic Control. In addition, the email contains malicious Google
Drive links disguised as a pdf attachment. Most of the emails in this campaign contain the
strings ROSI, AOP, Incident Report, as well as the attachment name “ROSI-AOP Incident
Report Details, <date>”.pdf.

[(See Mitre ATT&CK technique – Spearphishing Link.)](https://attack.mitre.org/techniques/T1566/002/)

Figure 2: Spear Phishing Email sent to an aviation company

As of the time of writing this blog, these emails had not been flagged as phishing or
suspicious by any of the VirusTotal engines.

Figure 3: VT detections for the emails


-----

The IP address 192.145.239.18 is used to send all the emails in this campaign. This IP
[address is also associated with Snip3 Crypter, an aviation-themed campaign seen in April](https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader)
and May of 2021. A three-month review of its telemetry reveals a spike in the last few weeks,
with the majority of visitors coming from the UAE, Canada, Argentina, Djibouti, and Fiji.

Figure 4: Statistics for IP v4 address 192.145.239.18

## Visual Basic Script (VBS) /Wscript

When you click on the link (the fake pdf attachment), the user’s default browser is launched
and directed to a VB Script hosting site. This site delivers the initial payload (.vbs), which,
once executed, drops subsequent payloads and establishes persistence.

The VB script “ROSI-AOP Incident Report Details,May 31st.vbs“ contains the next stage
payload, “Good.xml”. This payload is encoded using Server.URLEncode() and obfuscated to
evade detection. Antonin Foller's VBS decode function from PSTRUH Software
[(http://www.motobit.com) is used to decrypt the payload. After decryption, "Good.xml" is](http://www.motobit.com/)
written to the victim's Temp directory, where it is launched using MSBuild.exe. If you’re not
aware of this executable, it is present on all Windows machines with the .NET framework
installed. It’s a trusted developer utility used to speed up the process of creating .NET
applications. Because it is a trusted utility, adversaries use the tool in an effort to evade
detection. (See Mitre ATT&CK technique – Trusted Developer Utilities Proxy Execution:
MSBuild.)

In the script below, the payload bytes are first substituted for de-obfuscation, then decoded
before being written to the Temp directory.

Figure 5: Initial Payload VB script with encoded payload bytes

## XML

Once the VB script executes successfully, the Good.xml file, which contains inline C#
assembly code, a loader dll, and the RAT payload, is dropped into the victim's Temp
directory. All the files are saved as an ASCII byte array, and the RAT payload is also
reversed to avoid signature-based detection. In this case, the adversary employs the method
discovered by Casey Smith to compile and execute the inline C# code using the native
Windows binary (MSBuild.exe).

Figure 6: Good.xml with inline C# code

When Good.xml is executed, it first creates a file named "Startups32.vbs" in the system
startup folder. The .vbs script contains code to run Good.xml file after each system startup to
maintain persistence. (See Mitre ATT&CK technique – [Persistence.)](https://attack.mitre.org/tactics/TA0003/)

Figure 7: Startups32.vbs


-----

## .NET RAT Loader

After achieving persistence, Good.xml retrieves the .NET Rat loader from the byte array and
loads it into the current application. The .NET RAT loader is contained in the byte array
sBytes in the XML, which is loaded using the method Thread.GetDomain.Load(sBytes). The
method Thread.GetDomain() returns the domain of the current running thread, while Load()
dynamically loads the byte array assembly into the current application domain during
runtime.

The projFUD.dll, available in VirusTotal, is the RAT loader DLL in use. We observed that a
few bytes of the file have been tweaked to avoid hash-based detection. The description and
copyright mentions “VLC MEDIA PLAYER”. However, the file is not signed.

Figure 8: Loader dll tweaked to evade from detection

Although the namespace and class name “ProjFUD.PA” in the loader is same as the one
reported in the snip3 campaign, the PDB string retrieved from the loader DLL is different. It is
likely to have come from a different author.

Figure 9: PDB string retrieved from snip3 loader dll

Figure 10: PDB string retrieved from this campaign’s loader dll

After loading the .NET loader assembly, the function Execute() of the class ProjFUD.PA is
called with the arguments payloadBytes (RAT payload) and RegSvcs.exe (the path of the
victim process).

The .NET assembly ProjFUD.dll acts as a RunPE loader as it hollows and injects the final
payload, AsyncRAT, into the victim process. RegSvcs, a Windows command line utility for
registering .NET Component Object Model (COM) assemblies, is used by an adversary to
hide malicious payload. RegSvcs.exe is digitally signed by Microsoft and can be used to help
bypass a process-based whitelist. (See Mitre ATT&CK technique – Process
[Injection: Process Hollowing.)](https://attack.mitre.org/techniques/T1055/012/)

CreateProcessA is first called to create the victim process RegSvcs.exe in a suspended
state, with flags set to 134217732U (0x08000004) (i.e., CREATE_SUSPENDED and
CREATE_NO_WINDOW are set to True.) This process does not run until the thread is
resumed. While the process is suspended, ZwUnmapViewOfSection is called to unmap
(hollow) the code from the process memory. This routine unmaps the entire view of the
section containing buffer1 from the virtual address space, and on successful return, the
virtual-address region occupied by the view is no longer reserved and available to map other
views.


-----

Next, it allocates space for the payload using VirtualAllocEx, with size set to the payload
length and page protection to PAGE_EXECUTE_READWRITE (0x40). It then injects the
payload into the allocated space using WriteProcessMemory. The thread context is changed
to point to the payload by calling SetThreadContext and the thread is finally resumed via
ResumeThread to execute the payload AsyncRAT.

Figure 11: Malware using RegSvcs

After successfully injecting and executing the AsyncRAT payload, the loader exits.

## AsyncRAT

AsyncRAT then takes command and control of the infected machine via a C2 server. As
mentioned in the introduction, the AsyncRAT is an open-source Remote Access Tool (RAT)
designed to remotely monitor and control other computers through a secure encrypted
connection. It performs a variety of malicious tasks, and if you want to learn more about it,
the GitHub [AsyncRAT-C-Sharp link can help.](https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp)

AsyncRAT uses the following anti-analysis techniques to protect itself from being analyzed.
Because Virtual Machines (VM) and sandboxes are used for the majority of dynamic analysis
within the security community, many payloads, including this one, will try to evade dynamic
analysis. In this case, the RAT retrieves the manufacturer via the WMI query “Select * from
Win32 ComputerSystem” and looks for the strings "VMware" and "VirtualBox”. It also checks
for disk space because sandboxes and virtual machines typically have limited disk space. In
addition, it loads the module SbieDll to detect “sandboxie”, an open-source sandboxing
program for Windows. Lastly, it checks if the process is being debugged by calling
[IsDebuggerPresent(). (See Mitre ATT&CK technique – Virtualization/Sandbox Evasion.)](https://attack.mitre.org/techniques/T1497/)

The payload also includes a security software discovery technique. This technique is used to
determine which security products are present on the compromised machine to shape the
follow-on behaviors. Below is the command-line query used to enumerate the installed
[antivirus products. (See Mitre ATT&CK technique – Defense Evasion.)](https://attack.mitre.org/tactics/TA0005/)
```
wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName”

```
Once the information is gathered, it then sends the following information about the infected
machine to the C2 RAT server. (See Mitre ATT&CK technique – Exfiltration Over C2
Channel.)

This RAT hosts resources and additional payloads on Pastebin, an online content hosting
service. In the below code snippet, the RAT client grabs an IP address from the pastebin
website using WebClient.DownloadString() and connects to it. (See Mitre ATT&CK technique
[–Acquire Infrastructure: Web Services.)](https://attack.mitre.org/techniques/T1583/006/)


-----

The AsyncRAT client requests that the RAT server send additional plugins and payloads,
which are then executed in memory, as shown below. It employs a fileless technique to
execute payloads in memory, reducing its footprint and avoiding traditional defenses that
scan the disk for malicious files.

To maintain its foothold, it installs a scheduled task if the payload is running as an
administrator. The reason it checks for admin rights is that a task created with elevated
privileges does not prompt the user to allow execution. If the payload isn’t running as an
administrator, it will add an entry to the Registry Run keys, causing the program to run every
time the user logs in. (See Mitre ATT&CK technique – [Persistence.)](https://attack.mitre.org/tactics/TA0003/)

Keylogging is the most prevalent type of input capture, and it’s used to steal credentials. This
is done by intercepting the user’s keystrokes using Hooking API callbacks. This technique
works by hooking into the Windows native API functions intended for processing keystroke
data, and the callback function is invoked every time the user types something. (See Mitre
ATT&CK technique – [Input Capture: Keylogging.)](https://attack.mitre.org/techniques/T1056/001/)

## C2 Server

After successfully compromising the victim’s machine, the AsyncRAT payload connects to
the RAT C2 server located at “franco.ddns.net” on port 2455 (79.134.225.18:2455). Since
2019, IP 79.134.225.18 has been linked to AsyncRAT / RevengeRAT, NanoCore, and BotNet
attacks. It is associated with the ISP provider “ The PRIVACYFIRST Project”, which runs
multiple VPN services and supports the TOR project.

The C2 domain “franco.ddns.net” used in this campaign is just few weeks old, hence the
associated spike.

Figure 12: Statistics for C2 domain franco.ddns.net

## Conclusion

The campaign analyzed in this blog is likely part of Snip3 Crypter-as-a-service, as some of
the artifacts (i.e., Sender IP, C2 IP address, and the final payload) are the same. But this one
doesn’t use PowerShell script. Instead, it employs a new technique to compile and execute
inline C# code contained in an XML. This is yet another example of threat actors quickly
adopting and evolving techniques to create more sophisticated and difficult-to-detect attacks.
In addition to the Fortinet protections below, I would encourage you to review the Mitre attack
techniques and measure how effective your current security controls are. Learn more
[about Mitre Att&CK and how to test your defenses.](https://www.fortinet.com/blog/industry-trends/smarter-security-starts-with-understanding-how-cybercriminals-wo)

## Fortinet Protections


-----

Fortinet customers are already protected from this RAT variant with FortiGuard s Web
Filtering and AntiVirus services, as follow:

The C2 IP address is rated as "Malicious" by the FortiGuard Web Filtering service.

[The VB script is detected as “VBS/Agent.OQP!tr” and the xml file is detected as](https://172.16.77.46/st3/search/?&search_type=def&view_type=text&query=VBS/Agent.OQP%21tr&vndr_srch=0&match_type=1)
[“VBS/Agent.AK!tr”. The RAT loader and the final payload AsyncRAT are detected as](https://172.16.77.46/st3/search/?&search_type=def&view_type=text&query=VBS/Agent.AK%21tr&vndr_srch=0&match_type=1)
“W32/PossibleThreat”.

[The FortiGuard AntiVirus service is supported by FortiGate,](https://www.fortinet.com/products/next-generation-firewall.html?utm_source=blog&utm_campaign=fortigate-main-page) [FortiMail,](https://www.fortinet.com/products/email-security/fortimail.html?utm_source=blog&utm_campaign=fortimail-main-page) [FortiClient,](https://www.fortinet.com/products/endpoint-security/forticlient.html?utm_source=blog&utm_campaign=endpoint-web-page)
[and FortiEDR. The Fortinet AntiVirus engine is a part of each of those solutions as well. As a](https://www.fortinet.com/products/endpoint-security/fortiedr.html?utm_source=blog&utm_campaign=fortiedr)
result, customers who have these products with up-to-date protections are protected.

[FortiEDR’s real time protection detects process hollowing during execution and blocks the](https://www.fortinet.com/products/endpoint-security/fortiedr.html?utm_source=blog&utm_campaign=fortiedr)
RAT from connecting to the C2 server.

Fortinet’s Phishing Simulation Service, FortiPhish, can also be used to proactively test the
susceptibility of your organization to these kinds of phishing attacks.

## MITRE ATT&CK

T1566.002: Phishing: Spearphishing Link

T1059.005: Command and Scripting Interpreter: Visual Basic

T1027: Obfuscated Files

T1127.001: Trusted Developer Utilities Proxy Execution: MSBuild

T1218.009: Signed Binary Proxy Execution: Regsvcs

T1055.012: Process Injection: Process Hollowing

T1547.001: Registry Run Keys / Startup Folder

T1056.001: Input Capture: Keylogging

T1053.002: Scheduled Task

T1041: Exfiltration Over C2 Channel

T1518.001: Security Software Discovery

T1497: Virtualization/Sandbox Evasion

## IOCs

**Email**

34646a93538a34c871e04a368c97637d1b7d1d4507bf210afd9349a61b25b35e
ef4b52c8f2c844b76534f583171d03a87cc195b0c3ae32754df0c01177792432
04e93767d16a3e6ca68e45fea23434a9c9ed363c3f0d28b9653f74bbf405ef65

**VBS**


-----

adf94da54bc49abc6fdb2a36523eb726f26dacd5598a0fdc64e61b8d500edad8
34914c4af84888552bd7ef74d9a691918013766719881a042723001ef96f554c
c16e5de09a78886dc972d26aeb0e9fe760b855eb157c7df308fad2116b860ef7
65d3ff89602db4294fa2f585c472e566a3d72d2065e6bc4f493b02a3b08393ba
4c6f832a85fbcf17308ab923b066577de859571a2743e99bf249398e19a00fb8
0b56c16a28482cc0af81b93aff36d02610e30a8d65d7ea1ccd73f8242effbada
9dd8a6725b9c881311501b79770e4f1c9aee2c3b42f59f7694d48b67939eede5
59aafb3dd9c6cdb95ff662299e1faf3efb01d5ef8479dbbb8032b4b9cb3c3d91
a54f4ee320b21c1cfde3358a25131476127b9fb1fd5cad9fd03fa2be1f4fd0e2
9297b0db717beea397aacf15e7ef081faf3b9e430002a1c1b4e150e56fb940f9

**Good.xml**

E7D60A25BF1D80C144919F5F112594793A12A8176F2000BD890E331234A26814
8938838db8d16708692e80d170e0d8dc1522531e5a5ab5ae878a27a147780f44
b45470aa79cc7acab448a65252c3c7ee840ce6d0e78c40ad2c6bc261a912d393
f9bc8699f18b93cdb4b076dbf6f4baf2befd8c72eb26cefc28086f02a607f2f6

**.NET Loader**

B0DC46B5FC849DA9CC7A3FC4D8AA5EA8745D7E50869AC689BB956AAB3079EEB9
814f21f8c2befba504e592e3396be7454f93013939325cc7fbad5c38f022b395

**AsyncRAT**

5344E8B1EF4939A3C9F84921B284DD6E0B98B2CF524D678116BEF6E58DC4A6C3

**PDB**

E:\Hard Drives\Local Disk (C)\WIN 10 [ October Update ] FILES\Sparta Project
#Hope\projFUD\projFUD\obj\Debug\projFUD.pdb

**Malicious IPs**

79.134.225.18 (C2)
192.145.239.18

_Learn more about Fortinet’s_ _[FortiGuard Labs threat research and intelligence organization](https://www.fortinet.com/fortiguard/labs?utm_source=blog&utm_campaign=fortiguard-labs)_
_[and the FortiGuard Security Subscriptions and Services portfolio.](https://www.fortinet.com/fortiguard/labs?tab=security-bundles&utm_source=blog&utm_campaign=security-bundles)_

_Learn more about Fortinet’s_ _[free cybersecurity training, an initiative of Fortinet’s Training](https://www.fortinet.com/training/cybersecurity-professionals?utm_source=blog&utm_medium=campaign&utm_campaign=Freetraininginitiative)_
_Advancement Agenda (TAA), or about the_ _Fortinet Network Security Expert_
_[program, Security Academy program, and](https://training.fortinet.com/local/staticpage/view.php?page=fnsa&utm_source=pr&utm_campaign=fnsa)_ _[Veterans program. Learn more about FortiGuard](https://www.fortinet.com/corporate/careers/vets.html?utm_source=blog&utm_campaign=fortivet)_
_Labs global threat intelligence and research and the FortiGuard Security Subscriptions and_
_Services portfolio._


-----

### Related Posts

Copyright © 2022 Fortinet, Inc. All Rights Reserved

[Terms of ServicesPrivacy Policy](https://www.fortinet.com/corporate/about-us/legal.html)
| Cookie Settings


-----