Researchers have detailed a long-running malware campaign, dubbed “Operation Layover”, that has targeted the aviation industry for years. The threat actor uses off-the-shelf malware, but wrapping it in purchased crypters makes the payloads harder to detect.
Operation Layover Targeting Aviation Industry
In a recent report, researchers from Cisco Talos shared their findings on a low-profile malicious campaign targeting the airline sector.
Identified as “Operation Layover”, the campaign does not rely on malware custom-built for the aviation industry. Instead, the threat actor uses commodity malware written by others and improves its stealth by wrapping it in crypters, which obfuscate the payload so that signature-based scanners are less likely to flag it. The crypters themselves are also bought rather than developed in-house.
This reliance on purchased tooling makes the actor look unsophisticated, yet the attacker has managed to run campaigns for at least five years. For the past two years these campaigns have primarily aimed at the aviation industry, although the actor kept running other campaigns alongside them.
In brief, the researchers found the attacker distributing AsyncRAT and njRAT through spearphishing. The phishing emails carry lures that mimic documents relevant to the aviation industry, with the aim of gaining remote access to the target organizations. A successful infection gives the actor a foothold in the victim airline's environment, and the resulting theft of credentials and data can be costly.
The researchers assess that the actor is likely based in Nigeria.
Beyond that, little can be confirmed, because the small scale of the attacks has kept the actor under the radar.
According to the researchers, these campaigns show how even damaging attacks can escape detection for years. As stated in their post:
These kinds of small operations tend to fly under the radar and even after exposure the actors behind them won’t stop their activity. They abandon the C2 hostnames — which in this case are free DNS-based and they may change the crypter and initial vector, but they won’t stop their activity. The black market for web cookies, tokens, and valid credentials is way too valuable when compared with the economy in their home countries for them to stop.
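The quote above notes that the C2 hostnames are free DNS-based, which is the one durable trait a defender can hunt for even when the crypter and initial lure change. The following is an added example, not code from the Talos report or from the page: it runs a simple detection pass over constructed DNS resolver log lines, flagging hosts that resolve subdomains of free dynamic-DNS providers and then surfacing hosts that look up the same such name repeatedly, as a RAT beaconing to its C2 would. The provider suffix list and the log format are assumptions for illustration; the page does not name the providers used in the campaign.

```python
import re
from collections import defaultdict

# Assumed set of free dynamic-DNS provider suffixes. The page only says the C2
# hostnames are "free DNS-based"; these names are an illustrative list, not
# taken from the report. Extend it to match your own threat intel.
FREE_DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "myftp.biz")

# Constructed BIND-style query log lines (not real telemetry). 10.0.4.17 resolves
# the same dynamic-DNS name every 30 seconds, which is the beaconing pattern.
# The bare apex "duckdns.org" and a malformed line are included as edge cases.
SAMPLE_DNS_LOG = """\
2021-09-29T10:15:02Z client 10.0.4.17#51234: query: www.example.com IN A
2021-09-29T10:15:03Z client 10.0.4.17#51235: query: flightops-update.duckdns.org IN A
2021-09-29T10:15:33Z client 10.0.4.17#51240: query: flightops-update.duckdns.org IN A
2021-09-29T10:16:03Z client 10.0.4.17#51244: query: Flightops-Update.duckdns.org. IN A
2021-09-29T10:16:10Z client 10.0.4.22#40011: query: crl.example.net IN A
2021-09-29T10:17:45Z client 10.0.4.22#40019: query: cargo-manifest.ddns.net IN A
2021-09-29T10:18:00Z client 10.0.4.30#33333: query: duckdns.org IN A
2021-09-29T10:18:30Z resolver restarted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Parse one query log line into a dict, or return None if it is not a query."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def normalize_host(qname):
    """Lower-case the name and drop the trailing dot so variants collapse together."""
    return qname.lower().rstrip(".")


def is_free_ddns_host(qname):
    """True only for a subdomain of a listed provider, not for the provider apex itself
    (a user browsing to the provider's site is not a C2 indicator)."""
    host = normalize_host(qname)
    return any(host.endswith("." + suffix) for suffix in FREE_DDNS_SUFFIXES)


def find_ddns_lookups(log_text):
    """Return {(source_ip, hostname): query_count} for every free dynamic-DNS lookup."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-query lines rather than crashing on them
        if is_free_ddns_host(rec["qname"]):
            hits[(rec["src"], normalize_host(rec["qname"]))] += 1
    return dict(hits)


def beacon_candidates(log_text, min_queries=3):
    """Hosts that resolved the same dynamic-DNS name at least min_queries times;
    a single lookup is worth noting, repeated lookups look like a RAT check-in."""
    hits = find_ddns_lookups(log_text)
    return sorted(key for key, count in hits.items() if count >= min_queries)


if __name__ == "__main__":
    for (src, host), count in sorted(find_ddns_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{src} -> {host} ({count} queries)")
    print("beacon candidates:", beacon_candidates(SAMPLE_DNS_LOG))
```

The threshold and the 30-second spacing in the sample are illustrative; in practice you would also look at query timing regularity and pair the DNS hit with process telemetry on the source host, since the dynamic-DNS lookup alone only tells you where to look, not that the host is compromised.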
Let us know your thoughts in the comments.