Threat Actors Prey on Eager Travelers | FortiGuard Labs

Travel-themed lures are being used to push malware onto Windows users, delivering AsyncRAT, Netwire RAT, and Quasar RAT through disguised travel documents like itineraries and ISO files. FortiGuard Labs highlights manual execution of these payloads, domain-based C2s, and obfuscation techniques, with protections and training suggested for defense. #AsyncRAT #NetwireRAT #QuasarRAT #ColombianMilitary #FortiGuardLabs #ngrok #DDNS

Keypoints

  • Travel-themed lures (itinerary-related files, ISO images, and travel names) are used to deliver multiple RATs to Windows users.
  • AsyncRAT is distributed via itinerary.zip and related files, with C2 servers znets.ddns.net and dnets.ddns.net and multiple .NET obfuscators to hinder analysis.
  • Disguised executables (e.g., Itinerary.pdf_____________________________________________.exe, a padded file name that pushes the real .exe extension out of view) are used to trick victims into running the payload.
  • ISO-based delivery is used to bypass some security checks and requires manual execution to trigger infection.
  • Netwire RAT delivery uses travel-themed JavaScript dropped from a Discord CDN, leading to Update.exe that connects to kingshakes1.linkpc.net.
  • Quasar RAT is deployed via a travel-themed ISO targeting a Colombian military entity, with C2 at opensea-user-reward.serveusers.com.

MITRE Techniques

  • [T1566.001] Phishing – “Spear Phishing Campaign with New Techniques Aimed at Aviation Companies” and “travel-related email or website was used to lure the victims to the file’s location.”
  • [T1036] Masquerading – “Itinerary.pdf_____________________________________________.exe, which is really an .exe file disguised as a PDF.”
  • [T1204.002] User Execution – “the victim needs to manually run the exe file in the mounted ISO to get infected with AsyncRAT.”
  • [T1071.001] Web Protocols – “connects to its C2 servers located at ‘znets[.]ddns[.]net’ and ‘dnets[.]ddns[.]net’.”
  • [T1027] Obfuscated/Compressed Files or Information – “uses multiple .NET obfuscators such as Xenocode, Babel, Yano, DotNetPatcher, CryptoObfuscator, Dotfuscator, SmartAssembly, Goliath, NineRays, and 198 Protector V2.”

Indicators of Compromise

  • [File Hash] AsyncRAT related files – 7e40ffe649eebe5a8f156f2051d670ccb1c2580b387190b60a928149c0db071e (travel_details.iso), a1a82789bcd4b8f4400e2d3dcd723722c4528cb3a188ffb54d7e684fdb808792 (Travel_details.exe), and 6 more hashes
  • [File Name] Travel_details.iso, Itinerary.iso (ISO images used in infection)
  • [Domain] znets.ddns.net, dnets.ddns.net
  • [Domain] kingshakes1.linkpc.net
  • [Domain] opensea-user-reward.serveusers.com
  • [URL] dc5b-163-123-142-137.ngrok.io/itinerary.zip, dc5b-163-123-142-137.ngrok.io/travel_details.iso
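The two detection opportunities the summary points at are the masquerading trick (a decoy document extension, a run of filler characters, then the real executable extension) and the dynamic-DNS and ngrok infrastructure in the IoC list. The following is an added example, not code from FortiGuard Labs or the original post: it scans constructed endpoint and DNS/proxy log lines in a hypothetical `key=value` format, flags padded or double-extension file names, and matches hostnames against the page's C2 domains and against the dynamic-DNS/tunnel suffixes those IoCs sit under (so sibling labels under the same provider are surfaced too, which goes slightly beyond the exact IoCs). The log format, workstation names and timestamps are assumptions for the demo.

```python
"""Detection helpers for the travel-lure campaign described above:
padded/double-extension masquerading and lookups of DDNS/tunnel hosts."""
import re
from typing import Iterable, List, Optional, Tuple

# Exact C2 domains from the report's IoC list.
C2_DOMAINS = {
    "znets.ddns.net",
    "dnets.ddns.net",
    "kingshakes1.linkpc.net",
    "opensea-user-reward.serveusers.com",
}

# Dynamic-DNS and tunnel suffixes the listed IoCs sit under. Any hostname
# under them is worth review even when the label differs from the IoCs.
SUSPECT_SUFFIXES = ("ddns.net", "linkpc.net", "serveusers.com", "ngrok.io")

# Document-like extensions an attacker would want the victim to see ...
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# ... and the extensions that actually decide how Windows runs the file.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta"}

# ".pdf" + one or more filler chars (underscore, dot, space, ellipsis) + "exe".
# A lone "." as filler is the classic double extension; a long run is padding.
_MASQ = re.compile(
    r"\.(?P<decoy>[a-z0-9]{2,5})(?P<pad>[._ \u2026]+)(?P<real>[a-z0-9]{2,4})$",
    re.IGNORECASE,
)


def masquerade_reason(path: str) -> Optional[str]:
    """Return why a file name looks like a disguised executable, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _MASQ.search(name)
    if not m:
        return None
    decoy, pad, real = m.group("decoy").lower(), m.group("pad"), m.group("real").lower()
    if decoy not in DECOY_EXTS or real not in EXECUTABLE_EXTS:
        return None
    if len(pad) > 1:
        return f"padded extension: .{decoy} + {len(pad)} filler chars hides .{real}"
    return f"double extension: .{decoy}.{real}"


def host_reason(host: str) -> Optional[str]:
    """Return why a queried/contacted host is suspicious, or None."""
    h = host.lower().rstrip(".")
    if h in C2_DOMAINS:
        return f"known C2 domain {h}"
    for suffix in SUSPECT_SUFFIXES:
        if h == suffix or h.endswith("." + suffix):
            return f"host under dynamic-DNS/tunnel suffix {suffix}"
    return None


_KV = re.compile(r"(\w+)=(\S+)")  # hypothetical key=value log format


def scan_events(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Yield (timestamp, event type, reason) for every line that trips a rule."""
    hits = []
    for line in lines:
        ev = dict(_KV.findall(line))
        reason = None
        if ev.get("type") == "process":
            reason = masquerade_reason(ev.get("image", ""))
        elif ev.get("type") in ("dns", "http"):
            reason = host_reason(ev.get("host", ""))
        if reason:
            hits.append((ev.get("ts", "?"), ev["type"], reason))
    return hits


# Constructed sample log; the first process line uses the padded name quoted
# in the report, the others are made up to show a clean baseline and a miss.
SAMPLE_LOG = [
    "ts=2024-05-02T09:14:03Z ws=ws17 type=process image=E:\\Itinerary.pdf_____________________________________________.exe parent=explorer.exe",
    "ts=2024-05-02T09:14:05Z ws=ws17 type=dns host=znets.ddns.net",
    "ts=2024-05-02T09:16:30Z ws=ws22 type=process image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
    "ts=2024-05-02T09:18:12Z ws=ws22 type=http host=www.example.com",
    "ts=2024-05-02T09:31:57Z ws=ws09 type=process image=C:\\Users\\ana\\Downloads\\travel_details.pdf.exe parent=explorer.exe",
    "ts=2024-05-02T09:32:01Z ws=ws09 type=http host=dc5b-163-123-142-137.ngrok.io",
    "ts=2024-05-02T09:40:00Z ws=ws09 type=dns host=tickets.linkpc.net",
]

if __name__ == "__main__":
    for ts, kind, why in scan_events(SAMPLE_LOG):
        print(f"{ts} [{kind}] {why}")
```

The suffix rule is deliberately broader than the IoC list: the report's C2s all live under consumer dynamic-DNS providers and an ngrok tunnel, so a hit on a fresh label under the same suffix is the kind of pivot an analyst would want to triage rather than miss. Tune `DECOY_EXTS` and `EXECUTABLE_EXTS` to what your fleet actually opens and runs.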

Read more: https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers