Threatening malware attack

AsyncRAT Mysterious Malware’s 11-Month Attack on Critical US Infrastructure

AsyncRAT has been utilised by a threat group over the last 11 months to target employees across different companies through phishing emails. These emails aim to spread an open-source malicious malware. Notably, the companies affected include those in charge of managing essential infrastructure in the US.

AsyncRAT, the open-source remote access tool, released in 2019 and remains accessible on GitHub. It has identical possibility of exploitation as any other remote access tool in the form of a Remote Access Trojan (RAT).

As a result, it remains among the most often used RATs. It becomes more valuable with different types of cyberattacks since it has features like payload dumping, keystroke recording, remote command execution, and data modification.

Cybercriminals have often taken use of this tool, both in its original form and after making different changes. Its main objectives include gaining a foothold on targets, stealing files and data, and spreading other malware.

Since its first release, this Remote Access Trojan (RAT) has been found in a number of campaigns, frequently undergoing alterations due to its open-source availability. Interestingly, Earth Berberoka, an APT organisation, has been using it.

Last summer, Microsoft security researcher Igal Lytzki detected threats distributed through compromised emails. However, getting the ultimate payload proved difficult. The Alien Labs team at AT&T saw a rise in targeted phishing emails in September that targeted employees of specific companies.

According to AT&T Alien Labs:

The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the U.S.

The malicious email that starts the attack has a GIF attachment, which links to an SVG file. Obfuscated PowerShell and JavaScript scripts can be downloaded with this SVG file. The loader connects with the command-and-control server after bypassing anti-sandboxing checks. The victim’s eligibility for the AsyncRAT infection is next evaluated.

AsyncRAT deployment using the Stage 3 script
AsyncRAT deployment using the Stage 3 script (AT&T)

The link between temp[.]sh and the observed behaviour has been same throughout time and across assortments. This domain only stores files for three days and generates a new randomised URL route for each next file upload.

The loader versions use different constants, variable names, and URL representations for every end point. The Command and Control (C&C) sends a base64-encoded script that has been XORed against a predetermined key after receiving the GET request. PowerShell executes this script without a hitch once it has been unzipped with Gunzip.

Malware Execution Chain
Malware Execution Chain (AT&T)

VM False’s 1b C&C value shows how exact these values are. On the other hand, wrong replies, such as 2c (VMWare), show greater numbers. Perhaps the C&C uses a predefined range or an organised collection of valid replies to avoid brute force attacks.

The loader uses PowerShell commands to run verifications in its anti-sandboxing system. The instructions extract particular characteristics about the system and generate a score that shows whether or not a virtual machine is running.

The system successfully avoids popular sandboxes by using an anti-sandboxing approach. In case of an invalid answer, visitors get redirected to Google or provided with a different script. This script then connects to the payload in ‘temp[.]sh,’ using the $url variable.

The code undergoes dynamic changes and employs heavy obfuscation techniques to evade detection. But the network architecture doesn’t change. The samples use a variety of domains that are updated on a regular basis to improve avoiding detection.

The threat actor used 300 different loader samples over the course of the previous 11 months, according to AT&T Alien Labs. Each iteration created little modifications to code structure, obfuscation techniques, and variable names and values.

Alien Labs Campaign Tracking Samples
Alien Labs Campaign Tracking Samples Observed (AT&T)

The domains included in the report from AT&T Alien Labs follow a clear pattern. In the “top” TLD category, Nicenic.net registered these names with South Africa as the country code and hosted them on DigitalOcean. These names have eight random alphanumeric characters.

AT&T decrypted the domain generating algorithm and estimated the malware domains for January 2024. The researchers did not pinpoint a single opponent, but rather highlighted the threat actors’ decision through sample obfuscation.

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.

Recent posts