Investigating AsyncRAT Deployment via ProjFUD Injector and HTML…

eSentire’s Threat Response Unit (TRU) uncovered a multi-stage AsyncRAT deployment delivered via HTML smuggling. The chain starts with a phishing email carrying an .htm attachment whose JavaScript decodes a base64-encoded ZIP in the browser; the ZIP holds a VBS dropper that fetches a PowerShell script, which sets up scheduled-task persistence, picks a payload according to the antivirus product installed, and finally uses injectors to run AsyncRAT inside legitimate Windows processes via process hollowing. The implant then beacons to its C2 servers; the post closes with the IOCs observed.

Key points

  • TRU investigated suspicious execution of a VBS file that retrieves AsyncRAT.
  • The .htm phishing attachment carries obfuscated JavaScript that decodes an embedded base64 string into a ZIP archive in the victim’s browser (HTML smuggling); the ZIP contains the VBS payload.
  • The VBS downloads a PowerShell script from buypropertyinuae[.]com/.QnWrd9ratf6jwsVf.txt and executes it; the script establishes persistence through a scheduled task.
  • The PowerShell script checks whether McAfee or Norton is installed and downloads the matching .M1.jpg or .N1.jpg file (or .O1.jpg when neither is present); despite the image extension these are further PowerShell stages that carry the AsyncRAT payloads.
  • AsyncRAT payloads are injected via ProjFUD (alosh_rat) injectors using process hollowing into RegSvcs.exe and aspnet_compiler.exe (T1055.012).
  • TRU isolated affected hosts and provided recommendations; IOCs include specific file names, domains, and C2s.
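The smuggling step in the key points above, as a triage script added here (not eSentire’s code or tooling): it decodes the long base64 runs in an .htm attachment and checks whether any of them is a ZIP archive carrying a script, which is what the reported attachment delivered. The indicator patterns, the 160-character threshold, the script-extension list and the sample attachment (a harmless VBS stub named after the reported dropper, wrapped in the generic decode-and-download JavaScript) are assumptions constructed for the example.

```python
"""Triage an .htm e-mail attachment for HTML-smuggling indicators.

Added example, not eSentire's code. It looks for (1) the client-side
download plumbing a smuggling page needs (atob, Blob, createObjectURL,
msSaveOrOpenBlob, an anchor download attribute) and (2) long base64 runs;
each run is decoded and checked for the ZIP magic so a VBS dropper inside
the archive is listed without the analyst opening the attachment.
Thresholds and the indicator set below are assumptions to tune locally."""
import base64
import io
import re
import zipfile

# Patterns that together implement "decode a blob in the browser and save it".
SMUGGLING_PATTERNS = {
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"\bnew\s+Blob\s*\("),
    "createObjectURL": re.compile(r"createObjectURL"),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob"),
    "download attribute": re.compile(r"\bdownload\s*="),
}
# A base64 run at least this long, not embedded in a longer token.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{160,}={0,2})(?![A-Za-z0-9+/=])")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".ps1", ".exe")


def decode_b64_runs(html):
    """Decode every long base64 run in the page; skip runs that are not valid base64."""
    blobs = []
    for m in B64_RUN.finditer(html):
        try:
            blobs.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
    return blobs


def zip_members(blob):
    """Return the member names if blob is a ZIP archive, else None."""
    if not blob.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_html(html):
    """Return the APIs seen, what each embedded base64 run decodes to, and a verdict.
    The verdict requires all three: download plumbing, an embedded ZIP, a script inside it."""
    apis = [name for name, pat in SMUGGLING_PATTERNS.items() if pat.search(html)]
    payloads = []
    for blob in decode_b64_runs(html):
        members = zip_members(blob)
        payloads.append({"kind": "raw" if members is None else "zip",
                         "size": len(blob), "members": members or []})
    scripts = [n for p in payloads for n in p["members"] if n.lower().endswith(SCRIPT_EXTS)]
    suspicious = bool(apis) and any(p["kind"] == "zip" for p in payloads) and bool(scripts)
    return {"apis": apis, "payloads": payloads, "script_members": scripts, "suspicious": suspicious}


def build_sample_html():
    """Constructed input (not the real attachment): a ZIP holding a harmless VBS stub,
    embedded the way the report describes, with the JavaScript that turns it into a download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rep_FormYIVEZDN698068.vbs", 'MsgBox "constructed sample, not the real dropper"\r\n')
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><p>Your report is being prepared.</p>
<script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Rep_3414316295577.zip";
document.body.appendChild(a); a.click();
</script></body></html>"""


if __name__ == "__main__":
    import json
    print(json.dumps(triage_html(build_sample_html()), indent=2))
```

A page that only embeds a base64 image (a data: URI) decodes to a raw blob rather than a ZIP and is not flagged, which keeps the verdict from firing on ordinary HTML newsletters; a smuggled archive that is password-protected or XOR-obfuscated before encoding would defeat the ZIP check, so the presence of the download APIs alone is still worth surfacing to an analyst.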

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The user received a phishing email containing an .htm file.
  • [T1027.006] HTML Smuggling – The .htm attachment carries JavaScript that decodes an embedded base64 string into a ZIP archive inside the victim’s browser and hands it to the user as a download, so no recognizable archive ever crosses the network perimeter. The post describes the technique as follows: “HTML smuggling is a technique used by attackers to hide and deliver malicious code to a victim’s browser through seemingly benign HTML and JavaScript. The attack involves tricking a web application into loading and executing malicious JavaScript code.”
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The .htm file contains the obfuscated JavaScript reproduced in the post.
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The VBS file extracted from the ZIP is executed and in turn launches PowerShell.
  • [T1027] Obfuscated Files and Information – “The VBS file contains simple string replacements and splits used as obfuscation.”
  • [T1105] Ingress Tool Transfer – The VBS script “downloads a file from the URL hxxps://buypropertyinuae[.]com/.QnWrd9ratf6jwsVf.txt” and executes it; the later stages retrieve the .jpg-named PowerShell payloads from the same host.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The PowerShell stage “creates a scheduled task named ‘IExMWhats22’ that executes the VBS file and then repeats every 2 minutes.”
  • [T1055.012] Process Injection: Process Hollowing – The injector “injects the payload into the new process (RegSvcs.exe) via process hollowing (T1055.012)”; aspnet_compiler.exe is hollowed the same way.
  • [T1218.011] System Binary Proxy Execution: Regsvcs/Regasm – RegSvcs.exe is a signed Microsoft .NET binary. Because it is started only as a hollowed host, the image on disk stays benign and file reputation will not catch it; detection has to rely on the parent/child relationship (a script host spawning RegSvcs.exe or aspnet_compiler.exe) and on in-memory inspection.
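Detection logic for the scheduled-task and process-hollowing techniques listed above, added here as an example rather than taken from the eSentire post. It evaluates constructed records shaped like Sysmon Event ID 1 (process creation) and Windows Security Event ID 4698 (scheduled task created, which carries the task XML); the script-host and hollow-host lists, the 300-second interval threshold, the file paths and the sample command lines are assumptions, not telemetry from the incident.

```python
"""Detection logic for the endpoint stages of the chain above: wscript.exe
launching powershell.exe, a scheduled task re-running a VBS on a short
interval, and a script host spawning a hollowed .NET utility.

Added example, not eSentire's code. The rules key on fields of Sysmon
Event ID 1 (process creation) and Windows Security Event ID 4698 (task
created, which carries the task XML); the sample records below are
constructed, not telemetry from the incident."""
import re
import xml.etree.ElementTree as ET

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")
# Signed .NET utilities the report saw hollowed; extend with others seen in your environment.
HOLLOW_HOSTS = ("regsvcs.exe", "aspnet_compiler.exe")
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHORT_INTERVAL_SECONDS = 300          # assumed threshold; the reported task fired every 2 minutes


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def task_interval_seconds(iso):
    """Parse the ISO-8601 duration Task Scheduler uses (PT2M, PT1H30M, P1DT12H)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def check_task_created(ev):
    """4698: a task that runs a script host or a .vbs and repeats on a short interval."""
    root = ET.fromstring(ev["TaskContent"])
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    interval = task_interval_seconds(root.findtext(".//t:Repetition/t:Interval", namespaces=TASK_NS))
    runs_script = basename(cmd) in SCRIPT_HOSTS or ".vbs" in args.lower()
    if runs_script and interval is not None and interval <= SHORT_INTERVAL_SECONDS:
        return f"T1053.005 script task {ev['TaskName']} repeats every {interval}s: {cmd} {args}"
    return None


def check_process_created(ev):
    """Sysmon 1: wscript -> powershell, or a script host starting a .NET utility.
    A hollowed host is typically launched with no arguments: the image on disk is benign
    and the payload lives only in memory, so the parent/child relationship is the tell."""
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmdline = ev.get("CommandLine", "").strip().strip('"')
    if parent in SCRIPT_HOSTS and img in HOLLOW_HOSTS:
        no_args = basename(cmdline) == img          # command line is just the image path
        detail = "with no arguments" if no_args else f"args={cmdline!r}"
        return f"T1055.012 candidate: {parent} -> {img} {detail}"
    if parent in ("wscript.exe", "cscript.exe") and img == "powershell.exe":
        return f"T1059.005 -> T1059.001 chain: {parent} -> {cmdline}"
    return None


def detect(events):
    """Run the per-event rules and return the alert strings in event order."""
    alerts = []
    for ev in events:
        rule = {4698: check_task_created, 1: check_process_created}.get(ev["EventID"])
        alert = rule(ev) if rule else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry mirroring the reported chain plus a benign aspnet_compiler run.
TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2024-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT2M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>"C:\\Users\\Public\\IEEAstra22.vbs"</Arguments></Exec></Actions>
</Task>"""
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\rep_FormYIVEZDN698068.vbs"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1"},
    {"EventID": 4698, "TaskName": r"\IExMWhats22", "TaskContent": TASK_XML},
    {"EventID": 1, "Image": NET + r"\RegSvcs.exe", "ParentImage": PS,
     "CommandLine": '"' + NET + r'\RegSvcs.exe"'},
    {"EventID": 1, "Image": NET + r"\aspnet_compiler.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"aspnet_compiler.exe -v / -p C:\inetpub\site -f C:\out"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

RegSvcs.exe and aspnet_compiler.exe both have legitimate invocations (the last sample event is a normal build-server call and produces nothing), which is why the rule keys on the parent being a script host and reports whether the child received arguments, rather than alerting on the image name alone.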

Indicators of Compromise

  • [File] Initial infection artifacts – Rep_3414316295577.htm, 6d9911e508303e4021ba30a986b7ac86, rep_FormYIVEZDN698068.vbs
  • [File] PowerShell/PS1 payloads – N1.jpg, M1.jpg, and O1.jpg – 0347caf3f2cc9a359aaf00b773ad1a7a and 54739cbd63033b96aa9ca700dee47d03
  • [Domain] Payload hosting server – buypropertyinuae[.]com
  • [File] IEEAstra22.vbs – 1d49c3fce73c4e869777ff771ddf95bb
  • [File] AsyncRAT binaries – 0ce63d48fb37d73670d6ab8c2607caaf and 66937c305da3e721dfbbaddabaabad6f
  • [Injector] NewPE Injector – d08f3729495ae6ed7e5d63e605c80cb1
  • [Injector] ProjFUD (alosh_rat) – 721166cf77ccb062fc7ab650327a28a5
  • [C2] AsyncRAT C2 – mr1robot11.ddns[.]net, tox11.ddns[.]net
  • [Software] McAfee presence indicator – C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
  • [Software] Norton presence indicator – C:\Program Files\Norton Security\isolate.ini

Read more: https://www.esentire.com/blog/investigating-asyncrat-deployment-via-projfud-injector-and-html-smuggling