Hackers Using New Evasive Technique to Deliver AsyncRAT Malware

Aug 17, 2014
A new, sophisticated phishing attack has been observed delivering the AsyncRAT trojan as part of a malware campaign that's believed to have commenced in September 2021.

"Through a simple email phishing tactic with an html attachment, threat attackers are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control its infected computers through a secure, encrypted connection," Michael Dereviashkin, security researcher at enterprise breach prevention firm Morphisec, said in a report.

The intrusions commence with an email message containing an HTML attachment that's disguised as an order confirmation receipt (e.g., Receipt-<digits>.html). Opening the decoy file redirects the message recipient to a web page prompting the user to save an ISO file.

But unlike other attacks that route the victim to a phishing domain set up explicitly for downloading the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process.

"The ISO download is not generated from a remote server but from within the victim's browser by a JavaScript code that's embedded inside the HTML receipt file," Dereviashkin explained.

When the victim opens the ISO file, it is automatically mounted as a DVD Drive on the Windows host and includes either a .BAT or a .VBS file, which continues the infection chain to retrieve a next-stage component via a PowerShell command execution.

This results in the execution of a .NET module in-memory that subsequently acts as a dropper for three files — one acting as a trigger for the next — to finally deliver AsyncRAT as the final payload, while also checking for antivirus software and setting up Windows Defender exclusions.
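As an added example that is not part of the article or of Morphisec's report, the following Python triage check looks for the in-browser Base64 decode-and-download pattern described above and tests any decoded blob for the ISO 9660 volume descriptor signature ("CD001" at byte offset 0x8001). The Receipt HTML sample is constructed inline for the demonstration and the marker names and scoring threshold are assumptions of this example, not indicators from the campaign.

```python
import base64
import re

# Markers that HTML-smuggling droppers combine: a Base64 decoder, an in-browser
# Blob, an object URL (or the legacy IE save call) and a forced download attribute.
SMUGGLING_MARKERS = {
    "decode": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob\s*\("),
    "download": re.compile(r"\.download\s*=|\bdownload\s*="),
}
# Contiguous Base64 runs; a smuggled ISO is hundreds of KB, so 256 chars is a low floor.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")
# ISO 9660 stores its primary volume descriptor in sector 16: "CD001" at offset 0x8001.
ISO_MAGIC_OFFSET = 0x8001

def looks_like_iso(data: bytes) -> bool:
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001"

def scan_html_attachment(html: str) -> dict:
    """Return marker hits, decoded Base64 blobs and a verdict for one HTML attachment."""
    markers = {name: bool(rx.search(html)) for name, rx in SMUGGLING_MARKERS.items()}
    blobs = []
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # long run of Base64-alphabet chars that is not valid Base64; ignore
        blobs.append({"size": len(raw), "iso": looks_like_iso(raw)})
    # Assumed scoring: each marker counts 1, an embedded ISO image counts 2; 3+ is suspicious.
    score = sum(markers.values()) + (2 if any(b["iso"] for b in blobs) else 0)
    verdict = "suspicious" if score >= 3 else "clean"
    return {"markers": markers, "blobs": blobs, "score": score, "verdict": verdict}

def build_sample_receipt() -> str:
    """Constructed test input: a fake order-receipt HTML carrying a blank ISO image."""
    image = bytearray(0x8800)  # 34 KB of zeros, enough to hold sector 16
    image[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = b"CD001"
    b64 = base64.b64encode(bytes(image)).decode()
    return f"""<html><body><p>Your order receipt is being prepared...</p>
<script>
var blob = new Blob([atob("{b64}")]);
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "Receipt.iso";
</script></body></html>"""

if __name__ == "__main__":
    result = scan_html_attachment(build_sample_receipt())
    print(result["verdict"], result["markers"], result["blobs"])
```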