Investigating the Delivery of AsyncRAT and Infostealer Plugins via Phishing Techniques

eSentire’s Threat Response Unit (TRU) investigated an AsyncRAT infection delivered via phishing emails that used a Windows Script File to drop further payloads, including an info stealer plugin for browsers and crypto wallets. The TRU contained the incident, removed artifacts, and provided prevention guidance highlighting email as an effective malware delivery method. Hashtags: #AsyncRAT #Infostealer #Kaseya #more_eggs #MetaMask #Phishing

Keypoints

  • eSentire operates 24/7 Security Operations Centers (SOCs) staffed by elite threat hunters and cyber analysts.
  • TRU observed an AsyncRAT infection stemming from a Windows Script File delivered via email.
  • The malicious payload is a .wsf file that downloads and executes additional scripts and batch files.
  • AsyncRAT includes remote access capabilities and an info stealer plugin targeting multiple browsers and cryptocurrency wallet extensions.
  • The TRU team contained the infection and provided recommendations for future prevention.
  • Email remains a viable delivery vector for malware and information-stealing campaigns.

MITRE Techniques

  • [T1566.001] Phishing – Phishing email used to deliver malware. Quote: (‘phishing email used to deliver malware’).
  • [T1059.001] PowerShell – The PowerShell script YXRPNPSMGCOBEURV.ps1 creates a scheduled task named “MicrosoftEdgeUpdate500” … every 2 minutes starting from the current time. Quote: (‘creates a scheduled task named “MicrosoftEdgeUpdate500” on a Windows system using the Task Scheduler COM API. This task is created to run a VBS script located at C:UsersPublicWCQCMXNSFCHWESFW.vbs every 2 minutes starting from the current time.’)
  • [T1059.005] VBScript – The VBScript does the following: uses Start-BitsTransfer to download a file; expands a ZIP; executes a VBScript; deletes the ZIP. Quote: (‘Uses Start-BitsTransfer to download a file from hxxp:// 104.243.37[.]35:222/bfbupdeuiterborm/lAOdPuUqwXLVFvqT.jpg … and then expands, executes, and cleans up.’)
  • [T1105] Ingress Tool Transfer – The VBScript downloads a file from a remote server to stage the infection. Quote: (‘The VBScript does the following: Uses Start-BitsTransfer to download a file from …’)
  • [T1055.012] Process Hollowing – The first embedded binary NewPE2.dll injector performs process hollowing on RegAsm.exe. Quote: (‘The first embedded binary “NewPE2.dll” … performs process hollowing on the RegAsm.exe process.’)
  • [T1027] Obfuscated/Compressed Files and Information – Strings used for process injection are obfuscated via multi-step transformations. Quote: (‘The strings referencing the APIs used for process injection are obfuscated by replacing specified placeholders with binary digits, reversing the order, filtering out non-binary characters, and then interpreting them as ASCII characters.’)
  • [T1053.005] Scheduled Task – The PowerShell PS1 creates a scheduled task to repeatedly run a script. Quote: (‘creates a scheduled task named “MicrosoftEdgeUpdate500” … to run a VBS script … every 2 minutes’)
  • [T1059.001] PowerShell (duplicate emphasis) – PowerShell-driven steps including creating tasks and triggering subsequent script execution. Quote: (‘The PowerShell script … creates a scheduled task …’)
  • [T1041] Exfiltration – Data exfiltration targeting browsers and cryptocurrency wallets via the info stealer plugin. Quote: (‘Data exfiltration targeting browsers and cryptocurrency wallets.’)

Indicators of Compromise

  • [MD5] – 154cc0f462c85b494a45b7531f3a9f03, and dcce5bc3e27295a1cbe13a411244fe93 – MD5 hashes for the .wsf file and the NewPE2.dll injector (example context: payloads used in the AsyncRAT delivery chain).
  • [URL/IP] – http://104.243.37.35:222/bfbupdeuiterborm/uzopuzbkrpcziwca.txt, and 104.243.37.35:222 – remote VBScript source and download location.
  • [File Name] – lAOdPuUqwXLVFvqT.jpg, bktpnecuahtazdbo.zip, IRUAHCKDFAFDCHUV.vbs, CEIULUDEZFCEVSMM.bat, YXRPNPSMGCOBEURV.ps1, WJVIQQFZMZLSZTJJ.bat, NBUBMHCZJLEJXGVW.ps1, regasm-related process (injection) – examples of artifacts observed.
  • [MD5] – 1eefdb23f7c63922756eafb532127b8e, ac0f2aa2c5caf791f0310c2c07a1e1c3, 315bc30cd580b750b4afc294fa38a8bc, ec348cf15e839b8912862352bc916d22 – additional file hashes for VBS, BAT, PS1 scripts.
  • [DLL] – dcce5bc3e27295a1cbe13a411244fe93 – NewPE2.dll injector used for process hollowing.
  • [Browser Extension ID] – nkbihfbeogaeaoehlefnkodbefgpgknn, bfnaelmomeimhlpmgjnjophhpkkoljpa, fhbohimaelbohpjbbldcngcnapndodjp, ibnejdfjmmkpcnlpebklmnkoeoihofec, jiidiaalihmmhddjgbnbgdfflelocpak – common crypto wallet/browser extensions involved.
  • [App Extension ID] – bhghoamapcdpbohphigoooaddinpkbai, ocglkepbibnalbgmbachknglpdipeoio – authenticator/2FA extensions observed.

Read more: https://www.esentire.com/blog/exploring-asyncrat-and-infostealer-plugin-delivery-through-phishing-emails