Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter

MITRE Techniques

• [T1059.005] VBScript – The VBS contains junk data and uses string replacement to attempt to obfuscate the executed code. Quote: ‘The VBS contains junk data and uses string replacement to attempt to obfuscate the executed code.’
• [T1059.001] PowerShell – Stage 2 retrieval uses a PowerShell script passed to the Invoke-Expression (IEX) cmdlet and executed to continue the infection process. Quote: ‘the retrieved content is a PowerShell script passed to the Invoke-Expression (IEX) cmdlet and executed to continue the infection process.’
• [T1059.003] Windows Command Shell – Stage 2 creates multiple scripts including Office.bat, Office.vbs, and Office.ps1 (as well as Microsofd.* variants). Quote: ‘The following files are created in this manner: Office.bat Office.vbs Office.ps1 Microsofd.bat Microsofd.vbs Microsofd.ps1.’
• [T1053.005] Scheduled Task – The infection chain creates a new Scheduled Task named ‘Office’ that runs immediately and then every two minutes for persistence. Quote: ‘The next PowerShell script attempts to achieve persistence by creating a new Scheduled Task called “Office” that is executed immediately and then repeated every two minutes.’
• [T1055] Process Injection – The final payload is injected and executed via a process injection step using aspnet_compiler.exe. Quote: ‘This is accomplished by invoking aspnet_compiler.exe, injecting the final payload, and executing it.’
• [T1027] Obfuscated/Compressed Files and Information – The new 3LOSH crypter embeds binary payloads using GZIP compression rather than Base64, with a common decompression function. Quote: ‘Binary payloads are now embedded using GZIP compression rather than simply Base64 encoded’.
• [T1071] Application Layer Protocol – The campaigns use the same infrastructure for post-compromise C2 communications, indicating a shared command-and-control channel. Quote: ‘the same infrastructure for post-compromise C2 communications.’