Researchers have discovered a new sophisticated campaign delivery technique capable of evading several security vendors. The campaign is delivering AsyncRAT to remotely monitor and control the targeted systems.

What’s the new campaign about?

  • According to Morphisec researchers, the ongoing campaign has been active for around five months with the earliest incident traced back to September 12, 2021. 
  • In most cases, the victims receive an email message with an HTML attachment in the form of a receipt. If opened, the recipient sees a web page requesting them to save a downloaded ISO file. 
  • The ISO is not downloaded from a remote server but created within the victim’s browser by using the JS code embedded in the HTML receipt file.

Moreover, the malware campaign has one of the lowest detection rates, according to VirusTotal.
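As an added, defender-side illustration (not code from the Morphisec report or this article): a Python heuristic that scans an HTML email attachment for the in-browser file-assembly pattern described above, where script in the page decodes inline data and hands it to the user as a disk image instead of fetching it from a server. The indicator names, weights and threshold are assumptions made for this example, and both sample documents are constructed indicator fragments rather than complete pages.

```python
import re
from html.parser import HTMLParser

# Indicators of an attachment that assembles a file inside the browser instead
# of downloading it: inline decoding, a Blob wrapped in an object URL, a forced
# download, a disk-image file name, and a very large inline base64 string.
# Weights and threshold are assumptions for this example, not a vendor signature.
INDICATORS = {
    "inline_decode":   (re.compile(r"\batob\s*\("), 1),
    "blob_object":     (re.compile(r"\bnew\s+Blob\s*\("), 2),
    "object_url":      (re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob\s*\("), 2),
    "forced_download": (re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"), 1),
    "disk_image_name": (re.compile(r"['\"][^'\"]*\.(?:iso|img)['\"]", re.I), 3),
    "large_blob":      (re.compile(r"['\"][A-Za-z0-9+/=]{2000,}['\"]"), 2),
}

class _ScriptCollector(HTMLParser):
    """Collects the text of every <script> element in the document."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html_attachment(html: str):
    """Return (score, matched indicator names); score >= 5 is treated as suspicious."""
    parser = _ScriptCollector()
    parser.feed(html)
    body = "\n".join(parser.scripts)
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(body)]
    return sum(INDICATORS[n][1] for n in hits), hits

# Constructed samples: isolated indicator fragments only, deliberately not a working page.
SMUGGLING_SAMPLE = """<html><body><p>Your receipt</p><script>
var b = new Blob([atob(payload)], {type: "application/octet-stream"});
link.download = "receipt.iso"; link.href = URL.createObjectURL(b);
</script></body></html>"""
BENIGN_SAMPLE = """<html><body><p>Your receipt</p><script>
document.getElementById("total").textContent = "42.00";
</script></body></html>"""

if __name__ == "__main__":
    for name, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = scan_html_attachment(doc)
        print(name, score, hits, "SUSPICIOUS" if score >= 5 else "ok")
```

A mail gateway would run this over the decoded HTML attachment before delivery and quarantine or flag anything that crosses the threshold for analyst review.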

A three-staged operation

The researchers have further described how the above-mentioned JS code generates files in three stages:
  • In the first stage, once the user opens the generated ISO, it is automatically mounted as a DVD drive that contains a .bat or .vbs file. These files download and launch a PowerShell process.
  • In the second stage, the PowerShell script is executed. It is responsible for multiple tasks such as establishing persistence, executing a dropped .vbs file, and injecting the DotNET module payload in memory.
  • In the third stage, the injected DotNET module fills the role of a dropper. The dropper creates three files, Net[.]vbs, Net[.]bat, and Net[.]ps1.
  • At last, AsyncRAT is delivered as the final payload that hides inside a genuine DotNet process (aspnet_compiler[.]exe).

Conclusion

Cybercriminals are evading security vendors through sophisticated delivery techniques, allowing them to keep their malware hidden for several months. This shows that cybercriminals are investing effort in carrying out malicious campaigns completely under the radar, and it calls on organizations to regularly audit and upgrade their security posture to stay protected.

Cyware Publisher
