Distribution of AsyncRAT Disguised as Ebook

AsyncRAT is described as being distributed disguised as ebook-type files, leveraging LNK/PowerShell-based dropper chains and multiple methods to deploy the RAT. The campaign deploys scheduled tasks, obfuscated scripts, and download steps to reach AsyncRAT, which features anti-VM/anti-AV, persistence, and data exfiltration via a C2 server (stevenhead.ddns.net). #AsyncRAT #AhnLab #PowerShell #VBScript #AutoHotkey #LNK #WorldProcure #stevenhead_ddns_net

Keypoints

  • AsyncRAT delivery is disguised as ebook-related files and can use various file extensions to bypass expectations (e.g., .chm, .wsf, .lnk).
  • An LNK file contains malicious commands and reads RM.TXT to trigger execution of a PowerShell-based dropper.
  • RM.TXT is mostly meaningless strings designed to conceal a malicious PowerShell script that hides a downloader.
  • Method1 decompresses 4.mkv, registers a Task Scheduler entry, and uses a VBS file to run a PowerShell script that loads obfuscated PE files and launches AsyncRAT.
  • Method2 decompresses 5.mkv, registers a task named “BitTorrent,” and uses a batch file to launch an AutoHotKey script that downloads AsyncRAT from a remote URL.
  • Method3 decompresses 8.mkv, registers a Task Scheduler entry named “USER ID Converter,” and runs an obfuscated PowerShell script that ultimately executes AsyncRAT in the same directory.
  • AsyncRAT itself includes Anti-VM/Anti-AV, persistence, and data exfiltration; it is distributed via phishing and file-sharing sites, with C2 at stevenhead.ddns.net and a download URL serving worldofprocure.rar.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The campaign can be distributed via phishing emails and shared on file-sharing sites, disguising the payload as an ebook. – “the type that is disguised as a normal book can not only be distributed via phishing emails but also shared on file-sharing websites.”
  • [T1105] Ingress Tool Transfer – The dropper ultimately downloads AsyncRAT from a URL to execute it. – “downloads AsyncRAT from the URL shown below to run it.”
  • [T1059.001] PowerShell – The obfuscated PowerShell script is used to run the downloader and AsyncRAT. – “The executed PowerShell script … loads the blf files … which are obfuscated PE files and executes AsyncRAT.”
  • [T1027] Obfuscated/Compressed Files or Information – RM.TXT contains meaningless strings to conceal the malicious PowerShell script and the dropper uses obfuscated code. – “RM.TXT consists mostly of meaningless strings to conceal the malicious PowerShell script. The actual script changes the property of the folder containing the downloader malware to hidden and executes an obfuscated script.”
  • [T1053.005] Scheduled Task – Method1 and others register task scheduler entries to execute scripts. – “registers the XML file that executes the ‘NTUSER.BAT{428f9636-1254-e23e3-ada2-03427pie23}.TM.VBS’ script under the name ‘BitTorrent Certificate’ to the Task Scheduler.”
  • [T1059.005] Visual Basic – A VBS script, launched via a batch file, is used to run the payload chain. – “The VBS script executes the AutoHotKey script through the batch file and ultimately downloads AsyncRAT.”
  • [T1497] Virtualization/Sandbox Evasion – AsyncRAT includes anti-VM/anti-AV features to evade detection. – “AsyncRAT that is executed in the end has features such as AntiVM, AntiAV, maintaining persistence, and exfiltrating user information.”
  • [T1071.001] Web Protocols – C2 communications go to a C2 server reached by domain name (stevenhead.ddns.net). – “C&C Server – stevenhead.ddns[.]net”

Indicators of Compromise

  • [MD5] Hashes – dea45ddf6c0ae0f9f3fde1bfd53bc34f, b8d16e9a76e9f77975a14bf4e03ac1ff, and 3 more hashes
  • [File Name] Files – RM.TXT, worldofprocure.rar, and 2 more
  • [Domain] C2 domain – stevenhead.ddns[.]net
  • [URL] Download URL – hxxps://worldofprocure[.]com/worldofprocure.rar
  • [File Name] VideoVLC_subtitles.exe – example file involved in the dropper chain
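As an added defender-side example (not code from the ASEC report or from this summary), the scanner below flags the indicators listed in the Keypoints and Indicators of Compromise sections in constructed key=value log lines: the lure scheduled-task names, a script host touching the staging files, and lookups of the C2/download hosts. The log format, field names and sample lines are assumptions made for the example.

```python
import re
from typing import Iterable, List, Tuple

# Indicators taken from the summary above; everything else here is constructed.
TASK_NAMES = {"bittorrent", "bittorrent certificate", "user id converter"}
C2_HOSTS = {"stevenhead.ddns.net", "worldofprocure.com"}
STAGING_FILES = ("rm.txt", "4.mkv", "5.mkv", "8.mkv", "videovlc_subtitles.exe")
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe")

# Assumed log format: space-separated key=value pairs, values optionally quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse(line: str) -> dict:
    """Turn 'k=v k2="v 2"' into a dict with lowercased keys."""
    return {m.group(1).lower(): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}

def classify(line: str) -> List[str]:
    """Return the names of the rules that fire on a single log line."""
    ev = parse(line)
    hits = []
    if ev.get("event") == "task_created":
        # Task names in the report: "BitTorrent", "BitTorrent Certificate", "USER ID Converter"
        if ev.get("taskname", "").strip("\\").lower() in TASK_NAMES:
            hits.append("lure_task_name")
    if ev.get("event") == "process_created":
        image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
        # LNK -> PowerShell reading RM.TXT, or the .mkv archives being unpacked
        if image.endswith(SCRIPT_HOSTS) and any(f in cmd for f in STAGING_FILES):
            hits.append("script_host_touches_staging_file")
    if ev.get("event") == "dns_query" and ev.get("host", "").lower() in C2_HOSTS:
        hits.append("known_c2_or_download_host")
    return hits

def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; return (rule, line) pairs that matched."""
    return [(rule, line) for line in lines for rule in classify(line)]

SAMPLE_LOGS = [  # constructed sample events, not taken from the report
    'event=task_created taskname="\\BitTorrent Certificate" author="DESKTOP-01\\user"',
    'event=task_created taskname="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" author="SYSTEM"',
    'event=process_created image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell -w hidden -c gc RM.TXT"',
    'event=process_created image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad readme.txt"',
    'event=dns_query host="stevenhead.ddns.net" pid=4312',
    'event=dns_query host="update.microsoft.com" pid=1000',
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
```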

Read more: https://asec.ahnlab.com/en/67861/