Microsoft has issued an alert over a remote access tool (RAT) dubbed RevengeRAT that it says has been used to target aerospace and travel sectors with spear-phishing emails.
RevengeRAT, also known as AsyncRAT, is being distributed via carefully crafted email messages that prompt employees to open a file masquerading as an Adobe PDF file attachment that in fact downloads a malicious visual basic (VB) file.
According to Microsoft, the phishing emails distribute a loader that then delivers RevengeRAT or AsyncRAT. Morphisec says it also delivers the RAT Agent Tesla.
“The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads,” Microsoft said.