Unsophisticated Nigerian Threat Actor Threatening to Ground the Airline Industry Through Commodity Malware


For the past five years, a suspected unsophisticated threat actor has been wreaking havoc on the airline and other industries using commodity malware Remote Access Trojans (RATs) as well as other off-the-shelf malware tools. Security researchers from Cisco Talos used the initial discovery of one RAT as a pivot point to build an extensive profile of the threat actor behind it.


LIFARS is an industry leader that develops proactive strategies and tactics against evolving cybersecurity threats. Our services such as comprehensive gap assessment, red-teaming, penetration testing, threat hunting and vulnerability assessment reveal a company’s vulnerabilities. Our vCISOs will ensure your optimal cybersecurity strategy and adequate posture.


Their findings shine a light on how and why even unsophisticated attackers can cause significant damage and reap significant rewards in the current cybercriminal landscape.

According to Tiago Pereira and Vitor Ventura at Cisco Talos,

“We believe the actor is based out of Nigeria with a high degree of confidence and doesn’t seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware. The actor also buys the crypters that allow the usage of such malware without being detected; throughout the years it has used several different crypters, mostly bought on online forums.”

Commodity malware is a term for malware that’s widely available as an off-the-shelf product to be used by other threat actors, usually for free. A crypter is a type of software that can encrypt, obfuscate, and manipulate malware, to make it harder to detect by security programs.

In short, this threat actor has been utilizing a complete stack of off-the-shelf malware tools to launch a persistent and potentially industry-crippling spree of attacks. This is only one example of the fallacy in believing that only the most technically sophisticated attacks can lead to serious ramifications.

The researchers believe that the same actor started out with only commodity malware in the form of AsyncRAT and njRAT but adapted to using crypters to wrap their malware in the last two years.

The attacker used RATs in an attempt to steal cookies and login credentials in order to gain remote access to, and control of, an organization’s systems.

In fact, by launching a large number of small-scale attacks, a specific actor can remain under the radar for years. Instead of cashing out with a single, big bounty, they keep leeching a range of businesses and industries for an extended period.

As a side business, they also keep feeding the underground market of compromised credentials and cookies. This information can, in turn, be used by more ambitious and technically sophisticated threat actors in larger campaigns or “big game hunting.”

This is referred to as being an Initial Access Broker (IAB). IABs operate by finding vulnerable organizations and selling access to them to the highest bidder on dark web forums. This “occupation” has boomed in recent years and stands as an example of the professionalization of the cybercrime industry.

It has become a lucrative revenue stream for threat actors who don’t have the same resources or technical capabilities as more established threat actors, often from less well-off regions or countries.

As the researchers from Cisco Talos put it, “The black market for web cookies, tokens and valid credentials is way too valuable when compared with the economy in their home countries for them to stop.”

The researchers published all their findings in an extensive report on the Talos Intelligence blog. There, you can find the hashes, domains, configuration IDs, and mutexes used by the threat actor.

While the impact of the threat actor in question has been minimal to date, these types of compromises can lead to much more significant incidents down the line, including data theft, financial fraud, or follow-on attacks.


Sources:

Operation Layover: How we tracked an attack on the aviation industry to five years of compromise