Nigerian Hacker Connected to Aviation Industry Attacks
Researchers: Attacker Sold Pilfered Airline Data on the Darknet
Cisco Talos researchers have been able to connect a previously discovered series of aviation industry attacks stretching back more than three years to a Nigeria-based attacker.
"We believe the actor is based out of Nigeria with a high degree of confidence and doesn't seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware," the researchers say.
In the campaign, dubbed Operation Layover, the attacker used phishing emails with a malicious attachment to gain initial entry, Cisco Talos researchers Tiago Pereira and Vitor Ventura note in a report. The emails purported to come from legitimate businesses in the aviation industry and had subject lines such as "Trip Itinerary Details" and "Bombardier."
The researchers say the actor is a low-tech operator and buys the crypters instead of developing them.
The goal of the attacker is to spy on its targets as well as obtain and sell web cookies, tokens and valid credentials that technically capable attackers use for big game hunting, Cisco Talos says.
The report did not say how many or which airlines the attacker has hit.
The researchers also believe this actor has been using similar methods for at least five years, focusing on the aviation industry only since around 2018. They add, however, that the actor may have been conducting other attacks as far back as 2013.
Cisco Talos researchers were tipped off to the campaign when Microsoft tweeted in May that it had found attacks using AsyncRAT, which its GitHub entry describes as a tool designed to remotely monitor and control other computers through a secure encrypted connection (See: Spear-Phishing Campaign Targets Aviation Sector).
The Attacker's Profile
Pereira and Ventura describe the attacker as having limited technical know-how but the ability to use commercially available malware to its advantage.
"These kinds of small operations tend to fly under the radar and even after exposure, the actors behind them won't stop their activity," the researchers say. "They abandon the [command-and-control] hostnames - which in this case are free DNS-based and they may change the crypter and initial vector, but they won't stop their activity."
Since the black market demand for web cookies, tokens and valid credentials is very strong compared with the economy in the attacker's home countries, it is unlikely such attacks will stop, the researchers say.
In a June report, Proofpoint's security analysts noted that the access gathered by initial access brokers, such as the Nigerian attacker identified by Cisco Talos, is in high demand, with hundreds of campaigns conducted to gather information that other threat actors then use for malware and ransomware attacks (See: 10 Initial Access Broker Trends: Cybercrime Service Evolves).
"Proofpoint identified almost 300 downloader campaigns distributing almost six million malicious messages," Proofpoint says. "Depending on the compromised organization and its profit margins, access can be sold anywhere from a few hundred to thousands of dollars."
Pereira and Ventura say there are strong indications that this particular actor has been active for the last eight years, initially using the CyberGate malware and then continuing to utilize other off-the-shelf malware types.
The researchers were able to link the earlier campaigns to a profile used on darknet hacking forums called Nassief2018.
"During interactions on this forum, the user also revealed other information about himself. Namely, an email address - kimjoy44@yahoo[.]com - and a Telegram account - @pablohop. Both accounts were linked to the aviation-themed campaigns," the researchers say.
Cisco Talos was able to zero in on Nassief2018's location using passive DNS telemetry, which enabled the researchers to compile a list of IPs used by Nassief2018's domain akconsult.linkpc.net.
"Roughly 73% of the IPs were based in Nigeria, further strengthening the theory that the actor in question is based in Nigeria," the researchers say.
Breaking Down an Attack
The phishing email attachment is usually a PDF file containing a link to a .vbs file hosted on Google Drive, the researchers say. These VBS files are a crypter that wraps AsyncRAT, and the attacker uses the command-and-control server to encrypt and drop the AsyncRAT payload, they note. The researchers found dozens of examples of domains actively communicating with a command-and-control server.
"[A] search shows AsyncRAT clients communicating with the same server that was used on these campaigns. This expanded our sample scope to more than 50 samples. The analysis of these samples uncovered the existence of eight more domains linked to this campaign listed below," the researchers say.
Most of these domains were first seen in May or June 2021, the researchers say.
The oldest domains on the list seemed to be active only for a couple of days, without many samples using them, which is part of the attacker's attempt to hide their actions, the researchers say.
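The lure chain this section describes (a PDF attachment whose link points at a .vbs file on Google Drive) is something mail-gateway or triage tooling can flag before a user ever clicks. The following is an added example written for this article, not code from Cisco Talos or from the report: it pulls URI link actions out of an uncompressed PDF and rates each one by whether it points at a file-sharing host and whether the target looks like a script. The host list, the extension list and the sample PDF bytes are constructed assumptions for the example, not indicators published in the report.

```python
"""Triage PDF attachments for link actions that point at script files on
file-sharing hosts, the lure pattern described in the article."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed starting lists for this example (not indicators from the report);
# extend them from your own telemetry.
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com"}
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|hta|wsf|ps1)(?![a-z0-9])")

# Matches /URI (...) literal strings, allowing backslash-escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Constructed sample: a minimal PDF with one benign link annotation and one
# link to a .vbs on a file-sharing host. EXAMPLE_ID is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://www.example.com/itinerary) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://drive.google.com/uc?export=download&id=EXAMPLE_ID&name=Trip_Itinerary.vbs) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def extract_uris(pdf_bytes: bytes) -> List[str]:
    """Return the targets of /URI actions found in uncompressed PDF objects.

    Limitation: links stored inside compressed object streams are invisible
    to a regex; for real triage, decompress with a PDF library first.
    """
    uris = []
    for raw in URI_RE.findall(pdf_bytes):
        text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(text.decode("latin-1"))
    return uris


def classify_uri(uri: str) -> Optional[str]:
    """Rate one link target: 'high', 'medium', 'low' or None (nothing notable)."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    on_share = host in FILE_SHARING_HOSTS
    # Check both path and query: download links often carry the filename as a parameter.
    has_script = SCRIPT_EXT_RE.search((parsed.path + "?" + parsed.query).lower()) is not None
    if on_share and has_script:
        return "high"    # script hosted on a file-sharing site: the lure shape from the report
    if has_script:
        return "medium"  # script target on some other host
    if on_share:
        return "low"     # file-sharing link with no obvious script; worth a look, not an alert
    return None


def triage_pdf(pdf_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (severity, uri) for every link in the attachment worth reviewing."""
    findings = []
    for uri in extract_uris(pdf_bytes):
        severity = classify_uri(uri)
        if severity:
            findings.append((severity, uri))
    return findings


if __name__ == "__main__":
    for severity, uri in triage_pdf(SAMPLE_PDF):
        print(f"{severity:6s} {uri}")
```

The severity split is deliberate: a Google Drive link on its own is common in legitimate mail, so only the combination of a file-sharing host and a script-like filename is treated as a strong signal, which keeps the rule useful without drowning analysts in benign Drive links.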