AsyncRAT is being distributed via WSF script files delivered in ZIP archives embedded in phishing emails. The dropper chain downloads VBScript, then a .jpg ZIP file, and ultimately loads a PowerShell-based, fileless backdoor that exfiltrates data and maintains persistence. #AsyncRAT #PowerShell
Keypoints
- AsyncRAT campaigns have shifted to WSF-script delivery packaged in ZIPs obtained from email links.
  “The WSF file was found to be distributed in a compressed file (.zip) format through URLs contained within emails.”
- The WSF script downloads a Visual Basic script (Error.vbs) and then a JPG file which is actually a ZIP archive containing additional payloads.
  “When this script is executed, a Visual Basic script is downloaded and run… The file is a .jpg file (a zip file disguised as a jpg file).”
- Decompression yields multiple components (Error.vbs, Error.bat, Error.ps1, pwng.bat, pwng.ps1) that execute in sequence, culminating in a fileless attack.
  “The downloaded zip file contains many other scripts aside from the Error.vbs file… The remaining files (bat, ps1) are all executed in order.”
- pwng.ps1 converts strings into a .NET binary and injects it into aspnet_compiler.exe, enabling a fileless backdoor.
  “pwng.ps1 which is executed last converts the contained strings into a .NET binary before loading and executing the binary. It runs by executing a legitimate process (aspnet_compiler.exe) and injecting a malicious binary into this process.”
- Persistence is maintained via scheduled tasks, registry modifications, and self-terminating bat files.
  “1. Maintaining Persistence – Using schtasks to add a scheduled task – Adding a registry – Creating a bat file that executes and terminates itself.”
- Data exfiltration targets system information, browser data, and cryptocurrency wallets, with the C2 channel encoded and using multiple ports.
  “2. Exfiltrating Information… Cryptocurrency wallet information… The threat actor combines this C2 domain and multiple port numbers to make multiple connection attempts.”
- Detection names include several PowerShell/VBScript/Backdoor/Win.AsyncRAT indicators, with the same AsyncRAT payload observed across variants.
  “Backdoor/Win.AsyncRAT (2022.07.12.00)”
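Added detection example (not code from the ASEC report): a check for the disguised-ZIP lure described above that compares a download's declared extension with its magic bytes and, when the bytes are really a ZIP, lists any script members it carries. The sample archive and its member contents are constructed here; only the member names follow the report's component list.

```python
import io
import zipfile
from pathlib import PurePosixPath

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a ZIP archive
JPEG_MAGIC = b"\xff\xd8\xff"       # start of a real JPEG
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXTS = {".vbs", ".bat", ".ps1", ".wsf", ".js", ".cmd"}


def inspect_download(name: str, data: bytes) -> dict:
    """Compare declared extension with content; list script members of a ZIP. Nothing is extracted."""
    ext = PurePosixPath(name).suffix.lower()
    claims_image = ext in IMAGE_EXTS
    is_zip = data.startswith(ZIP_MAGIC)
    is_jpeg = data.startswith(JPEG_MAGIC)
    scripts = []
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            scripts = sorted(n for n in zf.namelist()
                             if PurePosixPath(n).suffix.lower() in SCRIPT_EXTS)
    masqueraded = claims_image and is_zip   # image name, archive bytes
    if masqueraded and scripts:
        verdict = "masqueraded ZIP with scripts"
    elif masqueraded:
        verdict = "masqueraded ZIP"
    else:
        verdict = "ok"
    return {
        "name": name,
        "extension_matches_content": (claims_image and is_jpeg) or (ext == ".zip" and is_zip),
        "script_members": scripts,
        "verdict": verdict,
    }


def build_sample_lure() -> bytes:
    """Constructed sample archive: member names from the report, contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in ("Error.vbs", "Error.bat", "Error.ps1", "pwng.bat", "pwng.ps1"):
            zf.writestr(member, "REM placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_download("x.jpg", build_sample_lure()))            # flagged
    print(inspect_download("photo.jpg", JPEG_MAGIC + b"\x00" * 16))  # ok
```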
MITRE Techniques
- [T1053.005] Scheduled Task – Maintains persistence by using schtasks to add a scheduled task. Quote: ‘Using schtasks to add a scheduled task’
- [T1112] Modify Registry – Adds registry entries to achieve persistence. Quote: ‘Adding a registry’
- [T1548.002] Bypass User Account Control – Bypasses UAC to elevate privileges. Quote: ‘Bypassing UAC’
- [T1059.001] PowerShell – pwng.ps1 is a PowerShell script used in the chain. Quote: ‘pwng.ps1: PowerShell script’
- [T1055] Process Injection – Injects a malicious binary into a legitimate process (aspnet_compiler.exe). Quote: ‘injecting a malicious binary into this process’
- [T1036] Masquerading – The ZIP file is disguised as a JPG to evade detection. Quote: ‘a .jpg file (a zip file disguised as a jpg file)’
- [T1071.001] Web Protocols – Uses a C2 domain and multiple ports for command and control. Quote: ‘The threat actor combines this C2 domain and multiple port numbers to make multiple connection attempts’
- [T1041] Exfiltration – Exfiltrates system and wallet data via C2. Quote: ‘Exfiltrating Information – Computer information: OS version, users, anti-malware product list, etc.’
Indicators of Compromise
- MD5 – 750dc2354b0454eafd66900687a0f7d6, 790562cefbb2c6b9d890b6d2b4adc548, and 6 more hashes
- C2 – hxxp://185.81.157[.]242:222/c.txt, hxxp://185.81.157[.]242:222/x.jpg, and 3 more items
Read more: https://asec.ahnlab.com/en/59573/