AsyncRAT Being Distributed in Fileless Form – ASEC BLOG

AsyncRAT is being distributed in a fileless form via phishing emails, where a compressed attachment leads to an HTML file that generates a malicious ISO containing VBScript and BAT components. The infection chain culminates in a PowerShell-based loader that injects AsyncRAT into a legitimate process and communicates with a remote C2, while employing obfuscation and scheduled tasks for persistence. Hashtags: #AsyncRAT #AhnLab #DuckDNS #PowerShell #VBScript

Keypoints

  • AsyncRAT is distributed in a fileless form via phishing emails with a compressed file attachment (‘AsyncRAT is distributed as a compressed file attachment in emails’).
  • An HTML file within the ZIP/package generates a malicious ISO file that contains VBScript and BAT files.
  • The delivery chain consists of five script files (VBScript, BAT, and PowerShell) that execute in sequence, each stage launching the next.
  • The last script performs a process injection into a legitimate process (C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe) to run AsyncRAT.
  • AsyncRAT features include anti-VM, keylogging, and remote shell, with C2 communications to vrln200.duckdns.org:6666.
  • PowerShell is used to download and execute a remote payload via an obfuscated command (hxxps://aga12[.]ir/ico.png).
  • ISO-based distribution and fileless execution make detection harder; IOCs include several file hashes, domains, and file names (e.g., Receipt.iso, Paid_invoice.iso).

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – AsyncRAT is distributed as a compressed file attachment in emails (‘AsyncRAT is distributed as a compressed file attachment in emails.’)
  • [T1059.005] VBScript – VBScript executes the bat file generated alongside it and the bat file executes an obfuscated command (‘The VBScript executes the bat file generated alongside it and the bat file executes an obfuscated command.’)
  • [T1059.003] Windows Command Shell – The decoded command runs via CMD.EXE /C POWERSHELL.EXE (‘CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]]…’)
  • [T1059.001] PowerShell – The decoded PowerShell command in turn executes a further PowerShell script stored at a fixed path (‘the PowerShell command additionally executes another PowerShell command existing in a certain path.’)
  • [T1053.005] Scheduled Task/Job – The dropper uses the Windows task scheduler to run scripts every 3 minutes (‘registering the file C:\ProgramData\Express\xx.vbs on the task scheduler… run every 3 minutes’).
  • [T1055] Process Injection – The final stage injects AsyncRAT into a legitimate process (path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe) (‘performs an injection on a normal process (C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe).’)
  • [T1071.001] Web Protocols – The C2 channel uses a domain/URL for command and control (C2: vrln200.duckdns.org:6666) (‘C2 Decryption’ and related content show the C2 endpoint: vrln200.duckdns[.]org:6666).
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM capability hints at sandbox evasion (‘Anti VM’).
  • [T1027] Obfuscated/Compressed Files and Information – The payload uses obfuscated/encoded PowerShell commands (‘…obfuscated command’).
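The chain in the Keypoints and MITRE lists above (script host running from C:\ProgramData\Express, cmd.exe spawning hidden/bypass PowerShell, a 3-minute scheduled task, and aspnet_compiler.exe talking to a DuckDNS host on port 6666) translates directly into host-telemetry detections. The rules below are an added example, not code from ASEC or the report; they run over constructed Sysmon-style events, and the exact schtasks command line is an assumption, since the page only states that the task runs every 3 minutes.

```python
"""Toy detections for the AsyncRAT chain summarised above (constructed
Sysmon-style events, not real telemetry; schtasks syntax is assumed)."""
import re

# Two or more of the flags quoted on the page, in any order.
PS_FLAGS = re.compile(r"-nop\b|-wind\w*\s+hidden|-exec\w*\s+bypass|-noni\b", re.I)
EXPRESS_DIR = re.compile(r"c:\\programdata\\express\\", re.I)  # script-chain dir
INJECT_HOST = "aspnet_compiler.exe"  # injection target named on the page

def match_rules(ev):
    """Return the rule names an event triggers ([] if none)."""
    hits = []
    img = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    if ev["type"] == "process_create":
        if (img.endswith("powershell.exe") and parent.endswith("cmd.exe")
                and len(PS_FLAGS.findall(cmd)) >= 2):
            hits.append("cmd_spawns_hidden_bypass_powershell")
        if img.endswith(("wscript.exe", "cscript.exe")) and EXPRESS_DIR.search(cmd):
            hits.append("script_host_runs_programdata_express")
        if img.endswith("schtasks.exe") and EXPRESS_DIR.search(cmd):
            hits.append("schtask_persists_programdata_express")
    elif ev["type"] == "network_connect":
        if img.endswith(INJECT_HOST):  # a build tool has no reason to talk out
            hits.append("aspnet_compiler_outbound_connection")
        if (ev.get("DestinationHostname", "").endswith(".duckdns.org")
                or ev.get("DestinationPort") == 6666):
            hits.append("duckdns_or_port_6666_c2")
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"type": "process_create", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\Express\xx.vbs"},
    {"type": "process_create", "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]]..."},
    {"type": "process_create", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
     r'schtasks /Create /TN Express /SC MINUTE /MO 3 /TR "wscript C:\ProgramData\Express\xx.vbs"'},
    {"type": "network_connect", "DestinationHostname": "vrln200.duckdns.org",
     "DestinationPort": 6666,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    {"type": "process_create", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign: no hit
]
```

Correlating two or more of these rules on one host within the 3-minute task interval gives a far lower false-positive rate than any single rule, since a lone hidden-window PowerShell launch is common in legitimate administration.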

Indicators of Compromise

  • [Hash] 9e0d553e520083e2f90a8e3bb524f417 – example hash for one of the dropped components (file-level indicator)
  • [Hash] ac64ee0dea61fb0f596e3296f91462e5 – another sample hash from the dropped payload family
  • [Domain/URL] hxxps://aga12[.]ir/ico.png – remote payload URL used in the obfuscated PowerShell command
  • [Domain/URL] vrln200.duckdns[.]org:6666 – C2 server for AsyncRAT communications
  • [File Name] Receipt.iso, Paid_invoice.iso – ISO-based dropper file names used to disguise payloads
  • [File Path] C:\ProgramData\Express\xx.vbs, C:\ProgramData\Express\xx.bat, C:\ProgramData\Express\Cotrl.vbs, C:\ProgramData\Express\Cotrl.bat, C:\ProgramData\Express\Cotrl.ps1 – script chain components

Read more: https://asec.ahnlab.com/en/37954/