Unmasking AsyncRAT New Infection Chain | McAfee Blog

McAfee Labs details a stealthy AsyncRAT campaign distributed via a malicious HTML file, leveraging multiple script types to evade detection. The infection chain culminates in RegSvcs.exe process injection, keylogging, credential and browser data theft, and data exfiltration to a remote server. #AsyncRAT #RegSvcs #PowerShell #VBScript

Key points

  • AsyncRAT campaign spread through a malicious HTML file embedded in spam email, using diverse file types to bypass antivirus detection.
  • Infection chain starts with a malicious URL that downloads an HTML file containing an embedded ISO, which hosts a Windows Script File (WSF) and triggers PowerShell/VBScript/BAT execution.
  • The WSF file connects to external URLs to fetch PowerShell scripts, expanding the attack surface with staged payloads.
  • A PowerShell script drops four files (two PowerShell scripts, one VBS, one BAT) in ProgramData/xral and creates a scheduled task for persistence, with subsequent file-chain execution to evade detection.
  • Final PowerShell stage injects a hex-encoded PE into RegSvcs.exe via Reflection Assembly loading, enabling covert operation under a trusted Windows service.
  • Infected RegSvcs.exe connects to a C2 server, implements keylogging, collects credentials and browser data, searches for crypto-related information, and exfiltrates data over TCP to a remote IP/port.

MITRE Techniques

  • [T1566.001] Spearphishing Link – A recipient receives a spam email containing a nefarious web link. Source excerpt: “A recipient receives a spam email containing a nefarious web link.”
  • [T1105] Ingress Tool Transfer – The infection chain uses external URLs to fetch payload components (PowerShell, VBScript, BAT) from remote servers. Source excerpt: “The URL ‘hxxp://45.12.253.107:222/f[.]txt’ retrieves a text file that contains PowerShell code.”
  • [T1059.001] PowerShell – PowerShell scripts are used to execute payloads and stage actions retrieved from remote URLs. Source excerpt: “The initial PowerShell code subsequently establishes a connection… and retrieves the second PowerShell file.”
  • [T1059.005] Visual Basic – VBScript (VBS) is used within the infection chain to process or run components. Source excerpt: “PowerShell, Windows Script File (WSF), VBScript (VBS), and more…”
  • [T1053.005] Scheduled Task – The PowerShell script creates a scheduled task for persistence. Source excerpt: “establishing a scheduled task to achieve persistence.”
  • [T1055] Process Injection – The final stage injects a hex-encoded PE into RegSvcs.exe using Reflection Assembly load. Source excerpt: “injection into the legitimate process… The process injection is accomplished through the Reflection Assembly load functionality.”
  • [T1041] Exfiltration Over C2 Channel – Data is exfiltrated over TCP to a remote IP and port. Source excerpt: “Data is exfiltrated over TCP to an IP address and port.”
  • [T1056.001] Input Capture – Keylogging capabilities are implemented to record user activity. Source excerpt: “keylogging capabilities. It recorded all activities performed on the system… ‘log.tmp’ file.”
  • [T1555.003] Credentials from Web Browsers – Theft of credentials and browser-related data. Source excerpt: “the theft of credentials and browser-related data.”
  • [T1027] Obfuscated/Compressed Files and Information – The PowerShell/WSF chain obfuscates content to avoid detection. Source excerpt: “obfuscated the process name, which will be revealed after performing a replacement operation.”

Indicators of Compromise

  • [File] HTML – 83c96c9853245a32042e45995ffa41393eeb9891e80ebcfb09de8fae8b5055a3 – Context: initial HTML payload delivered via malicious email
  • [File] ISO – 97f91122e541b38492ca2a7c781bb9f6b0a2e98e5b048ec291d98c273a6c3d62 – Context: ISO embedded within HTML file
  • [File] WSF – ac6c6e196c9245cefbed223a3b02d16dd806523bba4e74ab1bcf55813cc5702a – Context: WSF script used to orchestrate downloads
  • [File] PS1 – 0159bd243221ef7c5f392bb43643a5f73660c03dc2f74e8ba50e4aaed6c6f531, f123c1df7d17d51115950734309644e05f3a74a5565c822f17c1ca22d62c3d99 – Context: PowerShell payloads dropped during stages
  • [File] VBS – 34cb840b44befdd236610f103ec1d0f914528f1f256d9ab375ad43ee2887d8ce – Context: VBScript used in the chain
  • [File] BAT – 1c3d5dea254506c5f7c714c0b05f6e2241a25373225a6a77929e4607eb934d08 – Context: BAT file used in the chain
  • [URL] hxxp://45.12.253[.]107:222/f[.]txt – Context: URL delivering the first PowerShell payload
  • [URL] hxxp://45.12.253[.]107:222/j[.]jpg – Context: URL delivering the second PowerShell payload
  • [IP] 45.12.253[.]107:8808 – Context: destination for exfiltrated data over TCP
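The indicators and behaviours above (staged files, the ProgramData/xral drop directory with its scheduled task, and RegSvcs.exe talking to 45.12.253[.]107:8808) map naturally onto a small set of detection rules. The script below is an added example, not code from the McAfee post, that runs those rules over a handful of constructed endpoint telemetry events (hostnames, file paths, task name and the benign/decoy records are all made up for the example; the hashes, URLs and C2 endpoint are the ones listed above). It goes one step beyond the page with a behavioural rule that flags any outbound connection from RegSvcs.exe, since that .NET services-installation utility has no business on the network in normal use.

```python
"""Match constructed endpoint telemetry against the AsyncRAT IoCs and behaviours."""
import re
from dataclasses import dataclass


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable string."""
    return value.replace("hxxp", "http").replace("[.]", ".")


# File hashes copied from the IoC list above, keyed for matching.
IOC_HASHES = {
    "83c96c9853245a32042e45995ffa41393eeb9891e80ebcfb09de8fae8b5055a3": "HTML lure",
    "97f91122e541b38492ca2a7c781bb9f6b0a2e98e5b048ec291d98c273a6c3d62": "embedded ISO",
    "ac6c6e196c9245cefbed223a3b02d16dd806523bba4e74ab1bcf55813cc5702a": "WSF downloader",
    "0159bd243221ef7c5f392bb43643a5f73660c03dc2f74e8ba50e4aaed6c6f531": "PS1 stage",
    "f123c1df7d17d51115950734309644e05f3a74a5565c822f17c1ca22d62c3d99": "PS1 stage",
    "34cb840b44befdd236610f103ec1d0f914528f1f256d9ab375ad43ee2887d8ce": "VBS stage",
    "1c3d5dea254506c5f7c714c0b05f6e2241a25373225a6a77929e4607eb934d08": "BAT stage",
}
# Payload URLs and C2 endpoint from the IoC list (refanged so they compare with raw telemetry).
IOC_URLS = {refang(u) for u in ("hxxp://45.12.253[.]107:222/f[.]txt",
                                "hxxp://45.12.253[.]107:222/j[.]jpg")}
C2_IP, C2_PORT = refang("45.12.253[.]107"), 8808
# Drop directory named in the key points; the scheduled task's action should point into it.
STAGING_DIR = re.compile(r"\\programdata\\xral(\\|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def evaluate(events: list[dict]) -> list[Finding]:
    """Apply one rule per event type; each event yields at most one finding."""
    findings = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "file":
            label = IOC_HASHES.get(ev.get("sha256", "").lower())
            if label:
                findings.append(Finding(host, "ioc_hash", f"{ev['path']} is a known {label}"))
        elif kind == "url":
            if ev["url"].lower() in IOC_URLS:
                findings.append(Finding(host, "ioc_url", f"{ev['process']} fetched {ev['url']}"))
        elif kind == "task":
            if STAGING_DIR.search(ev["action"]):
                findings.append(Finding(host, "staging_task",
                                        f"task '{ev['name']}' runs {ev['action']}"))
        elif kind == "net":
            if ev["dst_ip"] == C2_IP and int(ev["dst_port"]) == C2_PORT:
                findings.append(Finding(host, "c2_connection",
                                        f"{ev['process']} -> {C2_IP}:{C2_PORT}"))
            elif ev["process"].lower() == "regsvcs.exe":
                # Behavioural rule (added generalisation): RegSvcs.exe should never be network-active.
                findings.append(Finding(host, "regsvcs_network",
                                        f"RegSvcs.exe -> {ev['dst_ip']}:{ev['dst_port']}"))
    return findings


def triage(events: list[dict]) -> dict[str, set[str]]:
    """Group the rules that fired per host, for a quick per-endpoint view."""
    by_host: dict[str, set[str]] = {}
    for f in evaluate(events):
        by_host.setdefault(f.host, set()).add(f.rule)
    return by_host


def full_chain_hosts(events: list[dict]) -> list[str]:
    """Hosts showing both the persistence stage and the C2 stage: treat as confirmed."""
    needed = {"staging_task", "c2_connection"}
    return sorted(h for h, rules in triage(events).items() if needed <= rules)


# Constructed telemetry for the example; hostnames, paths and the task name are invented.
SAMPLE_EVENTS = [
    {"type": "file", "host": "ws01", "path": r"C:\Users\a\Downloads\invoice.html",
     "sha256": "83C96C9853245A32042E45995FFA41393EEB9891E80EBCFB09DE8FAE8B5055A3"},
    {"type": "url", "host": "ws01", "process": "wscript.exe",
     "url": "http://45.12.253.107:222/f.txt"},
    {"type": "task", "host": "ws01", "name": "placeholder-task",
     "action": r"C:\ProgramData\xral\stage1.ps1"},
    {"type": "net", "host": "ws01", "process": "RegSvcs.exe",
     "dst_ip": "45.12.253.107", "dst_port": 8808},
    {"type": "net", "host": "ws02", "process": "chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},           # benign decoy
    {"type": "file", "host": "ws02", "path": r"C:\tmp\notes.txt", "sha256": "00" * 32},
    {"type": "net", "host": "ws03", "process": "RegSvcs.exe",
     "dst_ip": "203.0.113.5", "dst_port": 4444},           # only the behavioural rule fires
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:16} {f.detail}")
    print("confirmed chain on:", full_chain_hosts(SAMPLE_EVENTS))
```

Hash matching is the weakest of these rules, since a recompiled stage changes the hash while leaving the staging directory, scheduled task and RegSvcs.exe network behaviour unchanged; weighting the behavioural rules higher, as `full_chain_hosts` does, keeps the detection useful after the indicators rotate.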

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/