Thursday, September 16, 2021

Operation Layover: How we tracked an attack on the aviation industry to five years of compromise

By Tiago Pereira and Vitor Ventura.

  • Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years.
  • The same actor has been running successful malware campaigns for more than five years.
  • Although always using commodity malware, the acquisition of crypters to wrap the malware makes them more effective.
  • This shows that a small operation can run for years under the radar, while still causing serious problems for its targets.


Cisco Talos and other security researchers have recently reported on a series of malicious campaigns targeting the aviation industry. These reports mainly center around the crypter that hides the usage of commodity malicious remote access tools.

We decided this would be a good starting point to demonstrate how a researcher can pivot from the initial discovery of a RAT and eventually profile a threat actor. This post will show how we discovered previous campaigns targeting the aviation industry, which links back to an actor that's been active for approximately six years.

We believe the actor is based out of Nigeria with a high degree of confidence and doesn't seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware. The actor also buys the crypters that allow the usage of such malware without being detected, throughout the years it has used several different cryptors, mostly bought on online forums.

We also believe with a high degree of confidence that the actor has been active for at least five years. For the last two, they've been targeting the aviation industry, while conducting other campaigns at the same time. Pivoting from an initial discovery is not an exact science — in this process, a researcher must assert a certain level of confidence in these associations.

In this post, we will show how our research uncovered information about the attackers spreading AsyncRAT and njRAT using specific lure documents centered around the aviation industry. If infected with these threats, organizations could fall victim to data theft, financial fraud or future cyber attacks with much worse consequences.

In the end, our research shows that actors that perform smaller attacks can keep doing them for a long period of time under the radar. However, their activities can lead to major incidents at large organizations. These are the actors that feed the underground market of credentials and cookies, which can then be used by larger groups on activities like "big game hunting."

The aviation campaign

We started our research into these campaigns after a tweet from Microsoft describing new attacks they discovered using AsyncRAT. Our researchers looked at the domain Microsoft Security Intelligence mentioned, kimjoy[.]ddns[.]net. The image below shows the several links we uncovered between the campaigns, domains, IPs and actors somehow associated with each other.
This shows us that the actor behind these campaigns has been operating malware for more than five years and specifically targeting the aviation industry for at least two years. For this campaign, the actor used emails similar to the one below as the initial attack vector.
These emails would appear to contain an attached PDF file that was a link to a .vbs file hosted on Google Drive.
Our research shows that this actor has been targeting the aviation industry since at least 2018, with files mentioning both "Trip Itinerary Details" and "Bombardier" at the time using the URL akconsult[.]linkpc[.]net.


We first reached this domain by searching for the string "Charter details.vbs," which is the name of one of the samples linked to the kimjoy[.]ddns[.]net domain.

The domain is the oldest domain, first seen on July 2, 2015. Analysis of the activity associated with the domain reveals that this actor has used several RATs and that, since August 2018, there are samples communicating with this domain with names that indicate the adversary wanted to target the aviation industry.

The following table shows a timeline of samples with aviation-related names that communicate with akconsult[.]linkpc[.]net. It is worth noting that these are not the only files related to this domain — they are just the ones relevant to our investigation.
This actor has been active for so long we wanted to know what else we could find about them. So we started a search using the "akconsult" keyword. This search revealed a malware sample and a user handle mentioned on the site hackingforum[.]net. A search on this forum turned up several indicators of the actor's goals, which we will detail in the following sections.

The sample identified was first seen on Feb. 7, 2013 and was packed with a .NET packer that performs a triple reflection of the RunPE stub, before hollowing a copy of itself to inject the CyberGate malware.
One of the Cybergate RAT's configuration parameters is the NewIdentification, as can be seen on the registry key on the image above. We found a sample that uses Akconsult as an identification key. This parameter is defined by the malware builder so that it can distinguish between several operators. In this case, the operator used the handle "Akconsult," giving us a good link to our actor. At this point, we know our actor uses akconsult as a username, so it wouldn't be unusual for them to use it in a sample.

The command and control (C2) domain used by this sample is "," which is mentioned in the court case "Microsoft Corporation v. Mutairi et al." In this case, Microsoft made a complaint against the creators of njWorm and the H-worm and VitalWerks, along with the owner of the domain A deeper look into the case indicates that there was no relation between AKconsult and the worm creators. At first glance, it seems that the domain was seized along with others based solely on the fact that it was distributing malware and belonged to VitalWerks. Eventually, we would come to find that there is another link between our actor and these worms, which further strengthens the association between the threat actor and this case.

This seizure predates the first record we have for the akconsult[.]linkpc[.]net domain, and may have been the reason behind the creation of akconsult at linkpc[.].net

Using this hostname as a C2, we identified four other samples all using the same malware but with different identifiers between September 2012 and May 2014.

During the recent campaigns, this domain was being used as a C2 for AsyncRAT, which the attackers dropped via a VBS file hosted on Google Drive. This server was using TLS to encrypt the C2 communications, so we decided to search for other servers using the same certificate thumbprint.

This search shows AsyncRAT clients communicating with the same server that was used on these campaigns. This expanded our sample scope to more than 50 samples. The analysis of these samples uncovered the existence of eight more domains linked to this campaign listed below.
Most of the domains were first seen either in May or June 2021. The oldest of the list seemed to be active only for a couple of days, without many samples using it. However, the URL e29rava[.]ddns[.]net was always active with several samples using it as C2.


We analyzed several of these domains between early June and late July. Eventually, we found that the domain e29rava[.]ddns[.]net is linked to at least 14 visual basic scripting (VBS) files with names that are clearly linked to the aviation industry, as can be seen below.
This domain was almost exclusively used in this campaign, some of the file names are used pointing to other domains on the previous list around the same day.

These VBS files are a crypter that is wrapping the AsyncRAT, as previously mentioned.

Other domains

Following the same breadcrumbs, we found other domains strongly linked to the same threat actor that were not related with the aviation-themed campaigns.

Hostname bodmas[.]linkpc[.]net

We discovered this domain because "bodmas" is one of the usernames the threat actors use for the Aspire crypter. A quick search for samples associated with it showed samples that were active in the last quarter of 2018. As the picture below shows, in December 2018, Nassief had already purchased the crypter.
One of the samples we found establishes yet another link to the hostname kimjoy[.]ddns[.]net, which was one of the original domains reportedly linked to the aviation campaigns. One sample contains the path for the PDB file shown below.
This path shows that it is using the Aspire crypter but also shows the "kimjoy" handle in a sample that contacts the bodmas[.]linkpc[.]net domain, establishing another link between the two. This seems to be some internal handle used by Aspire at build time.

The crypter was used to wrap CyberGate malware, the same we saw on the previous domain.

Hostname groups[.]us[.]to

Sometimes during our investigations we are confronted with weak links, links that although technically they make sense, due to the lack of additional supporting links or because they don't fully fit the context, making us define them as low-confidence links — this is one of those examples.

While the aviation campaign was active, there was one domain that, although it didn't seem related at first, there was an overlap between IP addresses, as shown below.
At this point, we decided that it would be worth taking a deeper look at this hostname, one the actor doesn't use very often.

The oldest malware sample referring to this hostname was first seen on Sept. 24, 2016 and was a simple batch file that is part of a malware chain that drops multiple files. The batch file will download and execute another malware, obfuscated with a Delphi packer.

Talos found what seemed like tests to determine the detection ratio of the malware using this domain as a C2. The table below shows the submissions done with the same IP address from the Dominican Republic, a single time, indicating that tests were being performed.
We decided to take a deeper look at these samples since they were being tested for detection.

Convoluted njRAT

When we started the analysis on the Microsoft Publisher files and, given the previous TTPs from this actor, we were not expecting the number of layers in the infection chain.
The Publisher files all had the same origins. We found the initial macros for testing and then another version that, for the untrained eye, would seem like a perfectly normal macro.
In both cases, the macro extracts data from the Microsoft Form object embedded in the malicious document.
This macro downloads an HTML document from the C2 and uses the mshta, as can be seen on the image above on the right. The second stage is an HTML page that contains a VBScript that the mshta executes. This code contains a PowerShell script which, after deobfuscation, looks like the image below.
This script will ping as an internet connection test and, afterward, it will proceed to download the third stage from the GitHub page hxxps://satlahlk[.]github[.]io/msc/cl.png, this other stage is PowerShell, encoded byte per byte.

This PowerShell contains three different .NET-compressed assemblies that are also char-encoded. The first assembly patches the AMSI to prevent malware detection. This is a variation code published on GitHub, as can be seen by the bytes contained on the byte array.
The second assembly is an injector that will run the executable passed on the first parameter and inject the code passed on the second parameter into it.
The injected malware is a variant of njRAT. This does not imply that the actor is sophisticated — it simply shows that the actor uses different RATs.


A malicious document first seen on Dec. 13, 2019 was found downloading and executing a payload hosted on the same domain.
This sample was packed with a simple chr operation that contacts the domain groups[.]us.[.]to. Once unpacked, it was clear that it was H-Worm developed by an actor that uses the handle "houdini".
These are the same two kinds of malicious applications that are listed in the aforementioned Microsoft indictment.

The designer

A deeper look into the njRAT sample took us down another line of investigation. As we mentioned above, this sample has a very convoluted packaging, but one of the steps is to download the final stage from https://satlahlk[.]github[.]io/msc/cl.png. This GitHub account indicates that the owner is in Brazil, but the njRAT function names are in Spanish.

We found it unusual that the PowerShell crypter contains references to the Portuguese soccer player Cristiano Ronaldo. "Chris" is the Brazilian and Spanish diminutive to Cristiano.
A search for the GitHub account was a dead end, just like the mutex created by the rat name "TikTok". However, the njRAT variant seems to have unique details to pivot off.

In the C2 communication, the RAT uses "@!#&^%$" as a field delimiter, as we can see on the page below that string is defined as a byte array, which is converted into characters when it is used.
On the right side of the image, we can see the hex definition of the byte array creation instead of the decompiled code. Since this is a very specific string, we decided to use it as a pivot point. A search by the bytes "0A800600000420391B0000800800000420011400008D" revealed three other samples, all contacting the same domain.

These samples have an additional pivoting point: They create a mutex called "UbboSatlahlk," which contains part of the previously mentioned GitHub account. This mutex seems unique enough to warrant additional investigation. It supplies seven samples, which contain the same domain — and based on the mutex, the names are clearly linked to our original sample.

A search for that mutex on the internet revealed that it is also a username on a cybersecurity Spanish-speaking forum. The Spanish language is also consistent with two other indicators — first, the RAT functions are all written in Spanish, and the majority of IPs used by the domain are located in the Dominican Republic, a country where the official language is Spanish.
In this message, the user says they are writing a crypter, but are having some troubles. This is a rather old message from 2016 just like the first appearance of the domain.

Furthermore, a Skype account with the name "UbboSatlahlk" reports its location as being in Santo Domingo in the Dominican Republic, which strengthens the idea that it might be associated with our designer.

Clustering paradox

This overlap indicates that the[.]to dynamic domain may also be related to the same actor. However, this could be a false link if the IP address belonged to a shared host. On the other hand, if the IP address belonged to a shared host, then there should be a large number of domains resolving to this IP. In this case, there are only 13, and three of them we can rule out because they are outside the time frame of the events in question. The remaining 10 are either dynamic DNS or VPN services that offer static IP. The VPN records resolution mostly originated from Nigeria, which is also consistent with our research.

On the other side, the remaining TTPs differ from the aviation campaign. The aviation campaign was mainly distributed through emails containing links to the malware executable hosted on Google Drive, the payloads are obfuscated using crypters, but there are no downloadable stages. As we have shown, the malware campaigns associated with this domain are not consistent with the TTPs of the actor behind the aviation campaigns. However, we also know that this actor is not particularly technically savvy, and tend to buy the tools that they use.

The most likely explanation is that this domain has been used to test new tools from a new developer. Because there are links to this actor and they are definitively linked to malicious activities, we decided to add the domains reserverem[.]duckdns[.]org and monthending[.]duckdns[.]org to the list of IOCs, even though we didn't perform in-depth research around them.

Actor profiling

Avatars and Pseudonyms

Looking at the campaign details we discussed up to this point, we have strong indications that this actor has been active at least since 2013. The malicious actor initially used the CyberGate malware, then moved to another off-the-shelf malware. During our research, we linked the early campaigns related to akconsult to a handle — "Nassief2018" — on another popular hacking forum. The same account also mentions that it uses the usernames "bodmas" and "kimjoy" on other RAT platforms.
During interactions on this forum, the user also revealed other information about himself. Namely, an email address — kimjoy44@yahoo[.]com — and a Telegram account — @pablohop. Both accounts were linked to the aviation-themed campaigns in this post.
On Skype, the actor's email is associated with the username "abudulakeem123."

Geographic location

While researching the actor's activities, using passive DNS telemetry, we compiled the list of IPs used by the domain The chart below shows that roughly 73 percent of the IPs were based in Nigeria, further strengthening the theory that the actor in question is based in Nigeria.
The same happens, with an even higher percentage with the bodmas[.]linkpc[.]net hostname, but this is a more recent hostname that has pointed to fewer IP addresses.

Other sources

Often while performing this kind of research, it's worth performing a simple web search using the keywords obtained from other sources. While doing this, we found the tweet below made by .sS.! which, on top of containing some of the information we found, also contains additional information about the actor.
Some of this information matches what we found on our own research, others are completely new and we have not been able to confirm this Twitter user's claims.


Many actors can have limited technical knowledge but still be able to operate RATs or information-stealers, posing a significant risk to large corporations given the right conditions. In this case, we have shown that what seemed like a simple campaign is, in fact, a continuous operation that has been active for three years, targeting an entire industry with off-the-shelf malware disguised with different crypters.

These kinds of small operations tend to fly under the radar and even after exposure the actors behind them wont stop their activity. They abandon the C2 hostnames — which in this case are free DNS-based and they may change the crypter and initial vector, but they won't stop their activity. The black market for web cookies, tokens and valid credentials is way too valuable when compared with the economy in their home countries for them to stop.

We also hope this illustrates how to pivot malware research based on OSINT alone. However, it is important to be careful with weak links that could lead to erroneous conclusions. The weak links shouldn't be discarded — they should be seen as one more piece of information that, together with other links, may result in a much stronger relationship between two pieces of information.


Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on The following SIDs have been released to detect this threat: 58083-58088.

Orbital Queries

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries, click here






Sample configuration ID

AsyncClientKuso - "mTo6k2HFbwkEky1jZAhGsmddHWMMlgEk"
AsyncClientTemi - "dylt8lOYBtTllyeY3t5iyiRZLgqMai4t"
AsyncClientRasheed - "wV1ipYmVNbj8zuNLhiiXQN4PaZKje8qO"
AsyncClientExchange - "MsUZVALhJV3jcNVAxmaIl2DG7i544TZg"
Asywhy - "jbg9dRIOq1AGzwl8xmtPqGvO9dgNJ3ut"
AsyncClient95Adex - "AF2X087ySehzF7S3yr0bYQu5YoPK7JMk"
AsyncClientHOC - "39i4ufe0jIrlFwuCZQIngiDwHnmvIXP3"
AsyncClient8970 - "QMatjvtVkF3KwliMTk4UiKdIFFuO27pl"

Sample hashes


No comments:

Post a Comment

Note: Only a member of this blog may post a comment.