Exposing a hidden threat that threatens millions of users.
Over the past 11 months, a campaign has been actively conducted to distribute AsyncRAT malware aimed at selective targets. This campaign uses hundreds of unique uploaders and more than 100 domains.
AsyncRAT is an open source remote access tool for Windows that has been available since 2019. It includes functions for remote command execution, keylogging, data exfiltration, and loading additional payloads.
Cybercriminals actively use this tool, both in its original and modified form, to gain access to target systems, steal files and data, and distribute additional malware.
Microsoft security researcher Yigal Litzki discovered attacks conducted through captured emails last summer, but was unable to obtain the final payload.
In September, a team of AT&T's Alien Labs researchers noticed "a spike in phishing emails targeting specific individuals in certain companies" and began a study.
"Victims and their companies are carefully selected to increase the impact. Some of the designated targets manage key infrastructure in the U.S., AT&T Alien Labs said.
Attacks start with a malicious email with a GIF attachment that leads to an SVG file that loads obfuscated JavaScript and PowerShell scripts.
After passing sandbox checks, the loader communicates with the Command and Control Server (C2) and determines whether the victim is suitable for AsyncRAT infection.
Stage 3 scenario deploying AsyncRAT (AT&T)
The downloader uses hard-coded C2 domains hosted on BitLaunch, a service that allows you to pay anonymously in cryptocurrency, which is convenient for cybercriminals.
If the loader detects that it is in an analysis environment, it deploys false payloads, probably in an attempt to mislead security researchers and threat detection tools.
The sandbox protection system used by the boot loader includes a series of checks performed using PowerShell commands that get information about the system and calculate a score indicating whether it is running in the VM.
Researchers at AT&T Alien Labs determined that over the past 11 months, the attacker used 300 unique bootloader samples, each of which had small changes in code structure, obfuscation, variable names and values.
Another observation of the researchers is the use of the domain generation algorithm (DGA), which generates new C2 domains every Sunday.
According to AT&T Alien Labs, the domains used in the campaign have a specific structure: they are located in the top-level domain "top", consist of eight random alphanumeric characters, and are registered in Nicenic.net, use the South African country code and are hosted on DigitalOcean.
The AT&T team decoded the logic of the domain generation system and even predicted the domains that will be generated and assigned to malware during January 2024.
The researchers do not attribute the attacks to a specific adversary, but note that "attackers value discretion," as evidenced by efforts to obfuscate samples.
The Alien Labs team provided a set of compromise indicators along with signatures for Suricata's network analysis and threat detection software, which companies can use to detect intrusions related to this AsyncRAT campaign.
Over the past 11 months, a campaign has been actively conducted to distribute AsyncRAT malware aimed at selective targets. This campaign uses hundreds of unique uploaders and more than 100 domains.
AsyncRAT is an open source remote access tool for Windows that has been available since 2019. It includes functions for remote command execution, keylogging, data exfiltration, and loading additional payloads.
Cybercriminals actively use this tool, both in its original and modified form, to gain access to target systems, steal files and data, and distribute additional malware.
Microsoft security researcher Yigal Litzki discovered attacks conducted through captured emails last summer, but was unable to obtain the final payload.
In September, a team of AT&T's Alien Labs researchers noticed "a spike in phishing emails targeting specific individuals in certain companies" and began a study.
"Victims and their companies are carefully selected to increase the impact. Some of the designated targets manage key infrastructure in the U.S., AT&T Alien Labs said.
Attacks start with a malicious email with a GIF attachment that leads to an SVG file that loads obfuscated JavaScript and PowerShell scripts.
After passing sandbox checks, the loader communicates with the Command and Control Server (C2) and determines whether the victim is suitable for AsyncRAT infection.
Stage 3 scenario deploying AsyncRAT (AT&T)
The downloader uses hard-coded C2 domains hosted on BitLaunch, a service that allows you to pay anonymously in cryptocurrency, which is convenient for cybercriminals.
If the loader detects that it is in an analysis environment, it deploys false payloads, probably in an attempt to mislead security researchers and threat detection tools.
The sandbox protection system used by the boot loader includes a series of checks performed using PowerShell commands that get information about the system and calculate a score indicating whether it is running in the VM.
Researchers at AT&T Alien Labs determined that over the past 11 months, the attacker used 300 unique bootloader samples, each of which had small changes in code structure, obfuscation, variable names and values.
Another observation of the researchers is the use of the domain generation algorithm (DGA), which generates new C2 domains every Sunday.
According to AT&T Alien Labs, the domains used in the campaign have a specific structure: they are located in the top-level domain "top", consist of eight random alphanumeric characters, and are registered in Nicenic.net, use the South African country code and are hosted on DigitalOcean.
The AT&T team decoded the logic of the domain generation system and even predicted the domains that will be generated and assigned to malware during January 2024.
The researchers do not attribute the attacks to a specific adversary, but note that "attackers value discretion," as evidenced by efforts to obfuscate samples.
The Alien Labs team provided a set of compromise indicators along with signatures for Suricata's network analysis and threat detection software, which companies can use to detect intrusions related to this AsyncRAT campaign.
