AsyncRAT is a remote access trojan delivered, in a multi-stage campaign uncovered by McAfee, through a spam email carrying an HTML attachment; the chain drops a Windows Script File and several further script types before culminating in process injection into aspnet_compiler.exe. The report details the campaign's stealthy persistence, anti-analysis tricks, and a final payload of two obfuscated PE binaries, and recommends user training and secure gateways. #AsyncRAT #AsynchronousRemoteAccessTrojan #ConfuserEx #ASPNetCompiler
Key points
- The infection begins with a spam email containing an HTML page attachment that triggers the attack.
- Opening the HTML page automatically downloads a Windows Script File (WSF) that masquerades as legitimate content.
- The WSF file then deploys VBScript (VBS), JavaScript (JS), Batch (BAT), Text (TXT), and PowerShell (PS1) files, each carrying a further step of the chain.
- The chain culminates in a process injection targeting aspnet_compiler.exe to run the final payload inside a legitimate process.
- The WSF is disguised as an order-related document, padded with numerous blank lines, and obfuscated to evade detection.
- A scheduled task named “cafee” is created to execute app.js every 2 minutes for persistence.
- The final payload comprises two PE files (a DLL packed with ConfuserEx and an obfuscated EXE, AsyncClient123) used for C2 and data exfiltration.
- McAfee highlights mutex usage, anti-analysis code, and C2 communications as core evasion and persistence techniques.
- MITRE-style attack steps include phishing, scripting execution, scheduled tasks, process injection, and C2 comms, with a focus on persistence and evasion.
MITRE Techniques
- [T1566.001] Phishing – The infection initiates through a spam email containing an HTML page attachment. ‘The infection initiates through a spam email containing an HTML page attachment.’
- [T1059] Command and Scripting Interpreter – The HTML file initiates the download of a WSF file and deployment of VBS, JS, BAT, TXT, and PS1 files. ‘The HTML file initiates the download of a WSF file. Disguised as an order-related document with numerous blank lines, the WSF file conceals malicious intent.’
- [T1059.001] PowerShell – PowerShell (PS1) files are used in the chain. ‘PowerShell (PS1) files.’
- [T1059.005] VBScript – Deployment of Visual Basic Script (VBS) is part of the infection chain. ‘…deployment of Visual Basic Script (VBS), JavaScript (JS), Batch (BAT), Text (TXT), and PowerShell (PS1) files.’
- [T1059.007] JavaScript – Deployment of JavaScript (JS) is part of the infection chain. ‘…deployment of Visual Basic Script (VBS), JavaScript (JS), Batch (BAT), Text (TXT), and PowerShell (PS1) files.’
- [T1036] Masquerading – The WSF is disguised as an order-related document with blank lines to entice execution. ‘Disguised as an order-related document with numerous blank lines…’
- [T1105] Ingress Tool Transfer – The WSF leads to downloading and chaining additional payloads (1.txt, r.jpg, ty.zip). ‘The downloaded text file, named “1.txt,” contains specific lines of code… download another file, referred to as “r.jpg,” but it is actually saved in the public folder under the name “ty.zip.”’
- [T1053.005] Scheduled Task – The command sets up a scheduled task ‘cafee’ to run app.js every 2 minutes for persistence. ‘This sets up a scheduled task called “cafee” which is designed to execute the “app.js” script… every 2 minutes.’
- [T1055] Process Injection – The final binaries (DLL and EXE) are injected into aspnet_compiler.exe so the payload executes inside a trusted process. ‘Process injection in aspnet_compiler.exe.’
- [T1071.001] Web Protocols – C2 communication established with a remote server. ‘Establishes a connection with the server.’
- [T1140] Deobfuscate/Decode Files or Information – Decrypting functions decode strings used by the final payload. ‘The decrypting function is used to decrypt strings.’
Indicators of Compromise
- [Hash] HTML – 969c50f319a591b79037ca50cda55a1bcf2c4284e6ea090a68210039034211db
- [Hash] WSF – ec6805562419e16de9609e2a210464d58801c8b8be964f876cf062e4ab52681a
- [Hash] ty.zip – daee41645adcf22576def12cb42576a07ed5f181a71d3f241c2c14271aad308b
- [Hash] basta.js – 909ec84dfa3f2a00431a20d4b8a241f2959cac2ea402692fd46f4b7dbf247e90
- [Hash] node.bat – 569e33818e6af315b5f290442f9e27dc6c56a25259d9c9866b2ffb4176d07103
- [Hash] app.js – 7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81
- [Hash] t.bat – e2d30095e7825589c3ebd198f31e4c24e213d9f43fc3bb1ab2cf06b70c6eac1d
- [Hash] t.ps1 – a0c40aa214cb28caaf1a2f5db136bb079780f05cba50e84bbaeed101f0de7fb3
- [Hash] exe – 0d6bc7db43872fc4d012124447d3d050b123200b720d305324ec7631f739d98d
- [Hash] dll – b46cd34f7a2d3db257343501fe47bdab67e796700f150b8c51a28bb30650c28f
- [URL] C2 – hxxp://142.202.240[.]40:222/1.txt, hxxp://142.202.240[.]40:222/r.jpg
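As an added defender-side illustration (not code from McAfee's report), the following Python script turns the behaviours in the key points and MITRE list above, together with the hash and C2 indicators, into detection rules run over constructed Sysmon-style process-creation and network events. The event field names, the command lines, the parent processes and the file paths in the sample events are assumptions chosen for the example; only the task name, file names, hashes and C2 address come from the report.

```python
"""Detection rules for the AsyncRAT delivery chain summarised above.

Events are plain dicts modelled loosely on Sysmon EventID 1 (process
creation) and EventID 3 (network connection). Field names are an
assumption of this example, not a real log schema.
"""
import hashlib
import re

# SHA-256 indicators copied from the report's IoC list.
IOC_SHA256 = {
    "969c50f319a591b79037ca50cda55a1bcf2c4284e6ea090a68210039034211db": "HTML attachment",
    "ec6805562419e16de9609e2a210464d58801c8b8be964f876cf062e4ab52681a": "WSF",
    "daee41645adcf22576def12cb42576a07ed5f181a71d3f241c2c14271aad308b": "ty.zip",
    "909ec84dfa3f2a00431a20d4b8a241f2959cac2ea402692fd46f4b7dbf247e90": "basta.js",
    "569e33818e6af315b5f290442f9e27dc6c56a25259d9c9866b2ffb4176d07103": "node.bat",
    "7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81": "app.js",
    "e2d30095e7825589c3ebd198f31e4c24e213d9f43fc3bb1ab2cf06b70c6eac1d": "t.bat",
    "a0c40aa214cb28caaf1a2f5db136bb079780f05cba50e84bbaeed101f0de7fb3": "t.ps1",
    "0d6bc7db43872fc4d012124447d3d050b123200b720d305324ec7631f739d98d": "exe",
    "b46cd34f7a2d3db257343501fe47bdab67e796700f150b8c51a28bb30650c28f": "dll",
}
IOC_URLS_DEFANGED = [
    "hxxp://142.202.240[.]40:222/1.txt",
    "hxxp://142.202.240[.]40:222/r.jpg",
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxp, [.]) back into a matchable form."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


# host:port pairs the C2 URLs resolve to, e.g. {"142.202.240.40:222"}
C2_HOSTS = {re.match(r"https?://([^/]+)", refang(u)).group(1) for u in IOC_URLS_DEFANGED}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def sha256_hex(data: bytes) -> str:
    """Hash file content so it can be compared against IOC_SHA256."""
    return hashlib.sha256(data).hexdigest()


def check_event(ev: dict) -> list:
    """Return the list of rule hits for one event (empty when benign)."""
    findings = []
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    cmd_l = ev.get("command_line", "").lower()
    if ev.get("event") == "process_create":
        # T1053.005: the report's task 'cafee' runs app.js every 2 minutes.
        if image == "schtasks.exe" and "/create" in cmd_l and "cafee" in cmd_l and "app.js" in cmd_l:
            findings.append("T1053.005 scheduled task 'cafee' executing app.js")
        # T1059/T1036: a .wsf handed to a script host is the chain's second stage.
        if image in {"wscript.exe", "cscript.exe"} and ".wsf" in cmd_l:
            findings.append("T1059 WSF executed by script host")
        # T1055: aspnet_compiler.exe is the injection target; a script-host parent is anomalous.
        if image == "aspnet_compiler.exe" and parent in SCRIPT_HOSTS:
            findings.append("T1055 aspnet_compiler.exe spawned by " + parent)
        # Known-bad file hash from the IoC list.
        digest = ev.get("sha256", "").lower()
        if digest in IOC_SHA256:
            findings.append("IoC hash match: " + IOC_SHA256[digest])
    elif ev.get("event") == "network_connect":
        # T1071.001: outbound connection to the report's C2 host and port.
        dest = f"{ev.get('dest_ip')}:{ev.get('dest_port')}"
        if dest in C2_HOSTS:
            findings.append("T1071.001 connection to C2 " + dest)
    return findings


# Constructed sample events; paths and parents are assumptions for this example.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe", "parent_image": "chrome.exe",
     "command_line": r'wscript.exe "C:\Users\user\Downloads\Order.wsf"'},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": "cmd.exe",
     "command_line": r'schtasks /create /sc minute /mo 2 /tn cafee /tr "wscript.exe C:\Users\Public\app.js"'},
    {"event": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\aspnet_compiler.exe",
     "parent_image": "powershell.exe", "command_line": "aspnet_compiler.exe"},
    {"event": "network_connect", "image": "aspnet_compiler.exe", "dest_ip": "142.202.240.40", "dest_port": 222},
    {"event": "process_create", "image": r"C:\Windows\notepad.exe", "parent_image": "explorer.exe",
     "command_line": "notepad.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe", "parent_image": "svchost.exe",
     "command_line": r"wscript.exe C:\Users\Public\app.js",
     "sha256": "7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81"},
]


def run_sample() -> list:
    """Apply every rule to the sample events; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(SAMPLE_EVENTS) for f in check_event(ev)]


if __name__ == "__main__":
    for idx, finding in run_sample():
        print(f"event {idx}: {finding}")
```

The hash rule is the weakest of the five, since any rebuild of the scripts changes the digests; the behavioural rules (task name, WSF via script host, aspnet_compiler.exe with a scripting parent, the C2 host:port) survive such changes and are the ones worth keeping in a production ruleset.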