Michael Dereviashkin, security researcher at enterprise breach prevention firm Morphisec, reported: “Through a simple email phishing tactic with an HTML attachment, threat attackers are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control its infected computers via a secure, encrypted connection.”

As part of a malware campaign that is believed to have begun in September 2021, a new, advanced phishing attack has been observed delivering the AsyncRAT trojan.

The cyberattacks begin with an email message that contains an HTML attachment disguised as an order confirmation receipt (for example, Receipt-<digits>.html). When the decoy file is opened, the message recipient is redirected to a web page that prompts the user to save an ISO file.

However, unlike other attacks that direct the victim to a phishing domain specifically designed to download the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process.

The dropper creates three files: 

  • Net.vbs – obfuscated invocation of Net.bat
  • Net.bat – invocation of Net.ps1
  • Net.ps1 – next stage injection

Dereviashkin explained that, “The ISO download is generated from within the user’s browser by JavaScript code embedded inside the HTML receipt file, not from a remote server.”
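Because the ISO is assembled inside the browser rather than fetched from a server, network-based download filtering never sees it; the place to catch this variant is the HTML attachment itself. The script below is an added example, not code from Morphisec or from this article: a small static scanner that flags the combination of a long inline Base64 literal, the browser APIs that turn a string into a file, a scripted download and a disk-image file name. The two HTML samples, the scoring weights and the threshold of 4 are all constructed for the example; the "payload" is Base64 of a harmless text string, not an ISO.

```python
import base64
import re
from html.parser import HTMLParser

# Indicators of the pattern described in the article: the attachment carries its
# payload as a Base64 string and in-browser JavaScript turns that string into a
# file download, so no request for the ISO is ever made to a remote host.
BASE64_LITERAL = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")
FILE_BUILD_APIS = ("atob(", "new Blob", "createObjectURL", "msSaveOrOpenBlob")
FORCED_DOWNLOAD = re.compile(r"\.download\s*=|<a[^>]*\sdownload\b", re.I)
CONTAINER_EXT = re.compile(r"\.(iso|img|vhd|vhdx|zip|7z)\b", re.I)


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies; external scripts are only counted."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.inline = []
        self.external = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            if any(k.lower() == "src" for k, _ in attrs):
                self.external += 1
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def scan_html(html):
    """Score an HTML attachment for in-browser file-smuggling indicators."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    js = "\n".join(p.inline)
    findings, score = [], 0
    blobs = BASE64_LITERAL.findall(js)
    if blobs:  # a payload embedded as one long Base64 string
        findings.append(f"inline Base64 literal of {max(map(len, blobs))} chars in script")
        score += 2
    apis = [a for a in FILE_BUILD_APIS if a in js]
    if apis:  # decoding the string and wrapping it as a downloadable object
        findings.append("in-browser file construction: " + ", ".join(apis))
        score += min(len(apis), 2)
    if FORCED_DOWNLOAD.search(html):  # the "download" is triggered by the page itself
        findings.append("scripted or forced download")
        score += 1
    m = CONTAINER_EXT.search(js)
    if m:  # the generated file is a disk image or archive, as with the ISO here
        findings.append(f"disk-image/archive name {m.group(0)} built in script")
        score += 1
    return {"score": score, "verdict": "suspicious" if score >= 4 else "clean", "findings": findings}


# Constructed samples (not the campaign's actual attachment). The "payload" is
# Base64 of a harmless text string, long enough to trip the literal check.
_FAKE_PAYLOAD = base64.b64encode(b"CONSTRUCTED SAMPLE BYTES, NOT AN ISO " * 20).decode()
SUSPICIOUS_HTML = f"""<html><body><h1>Order receipt</h1>
<script>
var data = "{_FAKE_PAYLOAD}";
var blob = new Blob([atob(data)], {{type: "application/octet-stream"}});
var link = document.createElement("a");
link.download = "Receipt-0000.iso";
link.href = URL.createObjectURL(blob);
</script></body></html>"""
BENIGN_HTML = """<html><body><h1>Order receipt</h1>
<p>Order 0000 was received. <a href="https://example.invalid/orders/0000">View order</a></p>
<script src="https://example.invalid/static/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("suspicious sample", SUSPICIOUS_HTML), ("benign sample", BENIGN_HTML)):
        print(label, scan_html(doc))
```

The scanner is deliberately conservative: a single Base64 literal or a lone `download` attribute is common in legitimate mail, so only the combination crosses the threshold. Run it at the mail gateway on `.html`/`.htm` attachments, and treat a hit as a reason to quarantine the message rather than as proof of compromise.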

When the victim opens the ISO file, it is automatically mounted as a DVD drive on the Windows host and contains either a .BAT or a .VBS file, which continues the infection chain by executing a PowerShell command to retrieve a next-stage component.

This causes an in-memory execution of a .NET module, which then acts as a dropper for three files — one of which acts as a trigger for the next — to finally deliver AsyncRAT as the final payload, while also checking for antivirus software and configuring Windows Defender exclusions.
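The chain described in the two paragraphs above (a script host started from a mounted drive, PowerShell spawned by that script host, and Defender exclusions being added) is visible in ordinary process-creation telemetry even when the final payload never touches disk. The following is an added example, not code from Morphisec or from this article: a detector that walks process parent/child records and raises one alert per stage, plus a correlated alert when the exclusion change descends from a script run off a non-system drive. The event records, the drive letter `E:`, the PIDs and the rule names are constructed for the example; Windows assigns whatever letter is free when the ISO is mounted, so the rule keys on "any drive other than C:" rather than a fixed letter.

```python
import re
from collections import namedtuple

# One process-creation record (the shape of Sysmon event 1 or EDR telemetry).
Event = namedtuple("Event", "pid ppid image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
NON_SYSTEM_DRIVE = re.compile(r"\b[D-Z]:\\", re.I)  # mounted image, not C:
SCRIPT_FILE = re.compile(r"\.(vbs|bat|cmd|ps1)\b", re.I)
PS_FETCH = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|WebClient|-EncodedCommand|\s-e(nc)?\s",
    re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(pid, by_pid):
    """Walk the parent chain upward, guarding against PID-reuse loops."""
    seen = set()
    e = by_pid.get(pid)
    while e and e.ppid in by_pid and e.ppid not in seen:
        seen.add(e.ppid)
        e = by_pid[e.ppid]
        yield e


def detect(events):
    """Return (rule, pid) alerts for the ISO -> script host -> PowerShell -> Defender chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    # Stage 1: a script host launched from explorer (the user's double-click) on a
    # script that lives on a non-system drive, i.e. the VBS/BAT inside the mounted ISO.
    mounted_script_pids = set()
    for e in events:
        parent = by_pid.get(e.ppid)
        if (_name(e.image) in SCRIPT_HOSTS and parent and _name(parent.image) == "explorer.exe"
                and NON_SYSTEM_DRIVE.search(e.cmdline) and SCRIPT_FILE.search(e.cmdline)):
            mounted_script_pids.add(e.pid)
            alerts.append(("script_from_mounted_image", e.pid))
    for e in events:
        if _name(e.image) not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""
        # Stage 2: PowerShell spawned by a script host and pulling its next stage
        # either from the mounted drive or from the network.
        if pname in SCRIPT_HOSTS and (NON_SYSTEM_DRIVE.search(e.cmdline) or PS_FETCH.search(e.cmdline)):
            alerts.append(("powershell_stager_from_script_host", e.pid))
        # Stage 3: Defender exclusions added from the command line, and a higher-
        # confidence alert when that PowerShell descends from the stage-1 script.
        if DEFENDER_EXCLUSION.search(e.cmdline):
            alerts.append(("defender_exclusion_added", e.pid))
            if any(a.pid in mounted_script_pids for a in _ancestors(e.pid, by_pid)):
                alerts.append(("defender_exclusion_in_mounted_image_chain", e.pid))
    return alerts


_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry: PIDs 200-500 are the malicious chain, 600-700 a benign
# build script that also goes cmd.exe -> powershell.exe but stays on C:.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "E:\Net.vbs"'),
    Event(300, 200, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "E:\Net.bat"'),
    Event(400, 300, _PS, r"powershell.exe -w hidden -ep bypass -f E:\Net.ps1"),
    Event(500, 400, _PS, r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Users\victim'"),
    Event(600, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\victim\build.bat"'),
    Event(700, 600, _PS, r"powershell.exe -File C:\Users\victim\build.ps1"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Stage 3 is also recorded independently of process telemetry: Windows Defender writes event ID 5007 to the Microsoft-Windows-Windows Defender/Operational log whenever its configuration changes, so an exclusion added by the dropper shows up there even if the command line was not captured. Correlating that event with a script host running from a freshly mounted drive is the cheapest high-confidence signal for this campaign's chain.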

Finally, the researchers concluded: “RATs, such as AsyncRAT, are commonly used to establish a remote connection between a threat actor and a victim device, steal data and conduct surveillance through microphones and cameras. They provide a plethora of advanced capabilities that allow attackers to fully monitor and control the compromised machines.” Morphisec also highlighted the campaign’s advanced tactics, which it claimed allowed the malware to go virtually undetected by most antimalware engines despite the operation lasting nearly five months.

INDICATORS OF COMPROMISE

AsyncRAT samples (SHA-256):

  • 58BEE75D7A00CA8D8C0E9FBBC8ADA035B82DE90CBACF63F1AC7E1DB0E771AA28
  • B49F3B8AAE24C6AE2026E86A1D12F2487DD768C1326BFC7E3BB610DB7A0E857B
  • 39FEF91CA4778FA05C5A4081F772B47E5728B61D37358707DF5F45717D0B2A8C
  • AD506EAE3573368A97ECE57F9FB38AF83E16AD4D0273633CA57FBAE991A90C0A
  • E8BF9507841E5873D248EBDD303D499762D10B59F90BE56441E068FBA28AB6D9
  • 206159F87A621F278D884539B21E1EBABCF7C250E94935D5BA72F5B25D3EB777
  • BC59B8C66B46AE091A1A81FA88172C8736F83B75904FFE8A21D098D3F4AAD244
  • D445D834E59E52B133C15B6E77F0633B32B2932282D66AB93777FEFED07342D4
  • 2E8BC122CD796D2D9D12C30245E5DF506902E5600449274690246287F03FABED
  • 907BF4192509BA05DE03D98005053E7E46C884A3A5C7FE4CC002CF87F67359B3
  • F0CFA28585CA50CD64E6A618F5629EB39391BA0697D0604989C7DAC00946A599
  • 57EE165285FBB3FE294D7155B033F32AB8D343055BA7BA8D90C810E143E53AD9

C2 servers (defanged):

  • Pop11.ddns[.]net:6666
  • Wthcv.sytes[.]net:7400
  • 2pop.ddns[.]net:6666
  • 11l19secondpop.ddns[.]net:6666
  • Newsa.ddns[.]net:6606
  • Elliotgateway.ddns[.]net:5555
  • Python.myvnc[.]com:7707
  • Newopt.servehttp[.]com:7707
  • Nomako.ddns[.]net:6606
  • Python.blogsyte[.]com:6606

Phishing emails (SHA-256):

  • 1241b9486d3d7c74c0bb1f2a7bdd81ff9597b2c92f2af8a5b3819b296c400336
  • D67bd08e03a5e2054aae8458b0c549cec2f988a9e703d3ed755626d840990a0e
  • 845c7c30fb7c1ca0de473f7e9d41c2b1a337d5e4919854461da6002e1fbc8fa3
