AsyncRAT Being Distributed as Windows Help File (*.chm) – ASEC BLOG

MITRE Techniques

• [T1218] Mshta – This script uses mshta to execute a malicious command that exists in the address “hxxps://2023foco.com[.]br/plmckv.hta”.
• [T1059.001] PowerShell – The PowerShell command can be seen once it is unobfuscated and is used to load and execute payloads.
• [T1059.005] VBScript – The malicious VBScript has fragmented strings to evade detection, and is responsible for executing PowerShell commands.
• [T1105] Ingress Tool Transfer – Powershell downloads and executes vbs/hta from remote URLs as part of the dropper chain.
• [T1055] Process Injection – The loaded DLL receives data from a URL and is executed within the RegAsm.exe process in memory.
• [T1547.001] Startup Items – v.hta creates startup programs to achieve persistence via startup LNK entries.
• [T1023] Shortcut Modification – An LNK file is created in the Startup folder to launch the v.vbs file and mimic a legitimate icon.
• [T1071] Application Layer Protocol – C2 communications are established to the server at 51.79.116[.]37:8848 for command and control.
• [T1567.002] Exfiltration to Email – Screenshots are captured and sent to the threat actor via SMTP as part of data exfiltration.
• [T1497] Virtualization/Sandbox Evasion – Anti-VM checks are employed to avoid execution in virtualized environments.
• [T1056] Input Capture – Keylogging is implemented to harvest user input for credentials or sensitive data.