Microsoft has warned of an ongoing, evolving campaign targeting the aviation and travel sectors: spear-phishing emails deliver an actively developed loader, which in turn installs remote access trojans (RATs).
The emails impersonate legitimate organizations (in the example Microsoft shared, the Airbus Family Global Seminar) to lure people working in aviation, travel, or freight into opening the attachment. The attachment is an image made to look like a PDF document; it carries an embedded link (usually hosted on an abused legitimate web service) that downloads a malicious VBScript, which then delivers the RAT payload.
The RAT then downloads additional modules, injects code into processes such as RegAsm, InstallUtil, or RevSvcs, and steals credentials, screenshots, webcam captures, browser and clipboard data, and system and network information, uploading everything to the attacker's server.
Microsoft is urging organizations in the affected industries to check whether they have been targeted, and has published advanced hunting queries that can be used to find related or similar activity, including the emails, implants, and other indicators of attack, in their environments.
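As an added example (not Microsoft's published hunting queries and not code from the original article), the following Python shows the kind of heuristic such a query encodes for the injection stage described above. The assumption, which is not stated in the article, is that RegAsm.exe and InstallUtil.exe are .NET framework tools that normally run with an assembly path as an argument and are started by installers or developer tooling, so an instance spawned by a script host or launched with no arguments is a good candidate for process hollowing and worth triage. The process events are constructed here, loosely shaped like Microsoft Defender process-creation records; the field names are illustrative.

```python
"""Hunt for RAT-style injection into .NET utilities in process-creation logs.

Added example, not Microsoft's advanced hunting queries. The heuristic is an
assumption for illustration: RegAsm.exe / InstallUtil.exe started by a
script host, or started with no arguments, is suspicious.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Process names the article lists as injection targets (lower-cased for matching).
INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}
# Script hosts that a VBScript-based loader would typically run under (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed process-creation record; field names are illustrative."""
    timestamp: str
    device: str
    file_name: str
    command_line: str
    parent_file_name: str
    parent_command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def has_no_arguments(command_line: str) -> bool:
    """True when the command line is just the executable, quoted or not."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def classify(evt: ProcessEvent) -> List[str]:
    """Return the reasons this event looks like injection (empty = benign)."""
    reasons: List[str] = []
    if _basename(evt.file_name) not in INJECTION_TARGETS:
        return reasons
    parent = _basename(evt.parent_file_name)
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    if has_no_arguments(evt.command_line):
        reasons.append("started without arguments (likely hollowed)")
    return reasons


def hunt(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return every suspicious event paired with its reasons."""
    hits = []
    for evt in events:
        reasons = classify(evt)
        if reasons:
            hits.append((evt, reasons))
    return hits


NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"

# Constructed sample events: one loader-style launch, two benign launches,
# and one argument-less launch from a non-script parent.
SAMPLE_EVENTS = [
    ProcessEvent("2021-05-11T09:14:02Z", "ws01", "RegAsm.exe",
                 f'"{NET}RegAsm.exe"',
                 "wscript.exe",
                 '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\a\\Downloads\\seminar.vbs"'),
    ProcessEvent("2021-05-11T09:20:45Z", "ws02", "InstallUtil.exe",
                 f'"{NET}InstallUtil.exe" /i "C:\\Program Files\\Vendor\\Service.exe"',
                 "msiexec.exe", "msiexec.exe /i vendor.msi"),
    ProcessEvent("2021-05-11T09:31:10Z", "ws03", "RegAsm.exe",
                 f"{NET}RegAsm.exe /codebase MyLib.dll",
                 "devenv.exe", "devenv.exe"),
    ProcessEvent("2021-05-11T09:40:00Z", "ws04", "RegAsm.exe",
                 f"{NET}RegAsm.exe",
                 "explorer.exe", "explorer.exe"),
]


if __name__ == "__main__":
    for evt, reasons in hunt(SAMPLE_EVENTS):
        print(f"{evt.timestamp} {evt.device} {evt.file_name} <- "
              f"{evt.parent_file_name}: {'; '.join(reasons)}")
```

Running it flags the wscript-spawned, argument-less RegAsm.exe on both counts and the explorer-spawned, argument-less RegAsm.exe on one, while the installer and Visual Studio launches pass. In a real hunt the parent command line (here, a .vbs in a Downloads folder) is the next pivot, as it points back at the VBScript stage the article describes.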