AsyncRAT in ASP.NET: how hackers bypass antivirus protection in two clicks and secretly collect passwords

Brother

Trend Micro experts analyzed the attackers' tactics in detail and reported on how to avoid the attack.

Cybersecurity researchers at Trend Micro analyzed several incidents involving the deployment of the AsyncRAT malware. The attackers abused a legitimate Microsoft process, "aspnet_compiler.exe", which is designed to precompile web applications for the ASP.NET platform. Running inside it allowed the hackers to load and execute their malicious code without being noticed.

AsyncRAT has a range of remote access capabilities, such as keylogging, remote desktop control, and covert file modification. This makes it a powerful tool for conducting a wide variety of attacks. In particular, at the beginning of 2023, Trend Micro experts observed AsyncRAT being used together with ransomware.

In all the analyzed incidents, the first stage of the attack was the user downloading a password-protected ZIP archive. After unpacking the archive, the victim ran a malicious WSF script, which in turn downloaded another ZIP archive containing additional AsyncRAT scripts.

These scripts ultimately injected the AsyncRAT payload into the "aspnet_compiler.exe" process. This allowed the malware to operate covertly, collecting information such as user names and passwords, computer details, installed antivirus products, and cryptocurrency wallets.
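The chain above (WSF script, further scripts, then injection into "aspnet_compiler.exe") leaves a distinctive trail in endpoint telemetry. The following hunting logic is an added example, not code from the Trend Micro report or from AsyncRAT: it models Sysmon-style process-creation and network-connection events as plain dicts (the field names follow Sysmon, but every event, path and address below is constructed) and flags a precompiler that has a script host in its parent chain, makes an outbound connection, or is started without arguments. The no-arguments rule is a heuristic assumption of this example, not a claim from the report.

```python
"""Hunting logic for the aspnet_compiler.exe abuse described above.

Added example (not from the Trend Micro report or AsyncRAT). It models
Sysmon-style telemetry as plain dicts: EventID 1 = process creation,
EventID 3 = network connection. Field names follow Sysmon, but every
event below is constructed for this example. Three conditions are flagged:
  * aspnet_compiler.exe has a script host (WSF/JS/PowerShell) in its
    parent chain, matching the ZIP -> WSF -> script -> injection chain;
  * aspnet_compiler.exe opens an outbound network connection, which a
    build-time precompiler has no reason to do;
  * aspnet_compiler.exe is started with no arguments (heuristic: the real
    tool needs a source path, an injected copy is often launched bare).
"""
import ntpath

TARGET = "aspnet_compiler.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Constructed sample telemetry: one malicious chain (pids 4012 -> 4100 -> 4222)
# and one benign developer build started by MSBuild (pid 5001).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4012, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.wsf"'},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 4012,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    {"EventID": 1, "ProcessId": 4222, "ParentProcessId": 4100,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "aspnet_compiler.exe"},
    {"EventID": 3, "ProcessId": 4222,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 6606},
    {"EventID": 1, "ProcessId": 5001, "ParentProcessId": 3000,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"aspnet_compiler.exe -v / -p C:\src\site -c C:\build\out"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def ancestry(proc, by_pid, max_depth=8):
    """Return [self, parent, grandparent, ...] image names, walking recorded parents."""
    chain = [image_name(proc["Image"])]
    cur = proc
    for _ in range(max_depth):
        chain.append(image_name(cur["ParentImage"]))
        cur = by_pid.get(cur["ParentProcessId"])
        if cur is None:  # parent was not seen in telemetry; stop at its name
            break
    return chain


def hunt(events):
    """Return a list of (pid, reason, detail) findings for suspicious aspnet_compiler.exe activity."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if image_name(e["Image"]) != TARGET:
            continue
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            chain = ancestry(e, by_pid)
            if any(name in SCRIPT_HOSTS for name in chain[1:]):
                findings.append((pid, "script-host-ancestor", " <- ".join(chain)))
            if len(e["CommandLine"].split()) <= 1:
                findings.append((pid, "no-arguments", e["CommandLine"]))
        elif e["EventID"] == 3:
            findings.append((pid, "network-connection", f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return findings


if __name__ == "__main__":
    for pid, reason, detail in hunt(SAMPLE_EVENTS):
        print(f"pid={pid} {reason}: {detail}")
```

Run against the constructed events, only pid 4222 is reported, once per rule; the MSBuild-driven build (pid 5001) passes all three checks, which is the point of keying on parent chain and network activity rather than on the binary name alone.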

After examining the source code of AsyncRAT, the experts found similarities with the publicly available repository on GitHub. However, the malicious sample contained additional features, from which it can be concluded that the attackers fine-tune the open-source code to suit their goals.

According to the experts, the use of dynamic DNS services allowed the attackers to quickly change the IP addresses and domain names of the AsyncRAT command-and-control servers. This makes it difficult for security systems to detect and block them.
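Dynamic DNS use shows up in resolver logs in two ways: queries under well-known dynamic-DNS zones, and a single name whose answers change between several IPs within a short time. The script below is an added example, not from the Trend Micro report: it parses constructed DNS log lines (the line format is invented for this example, and the addresses are from documentation ranges) and raises both kinds of alert. The zone list is a small illustrative set of real dynamic-DNS providers; a production list would come from your own threat intelligence.

```python
"""DNS-log checks for the dynamic-DNS C2 behaviour described above.

Added example (not from the Trend Micro report). It scans constructed
DNS resolver log lines and raises two kinds of alert:
  * a query for a name under a well-known dynamic-DNS zone (example list,
    extend it from your own threat intelligence);
  * a name whose answers change across several IPs inside a short window,
    which is what "quickly changing IP addresses" looks like in telemetry.
The log line format is invented for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Example dynamic-DNS zones; a production list comes from threat intel.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)

# Constructed sample log lines (documentation IP ranges, no real hosts).
SAMPLE_LINES = [
    "2023-03-01T10:02:11Z ws-17 qname=update-svc.duckdns.org qtype=A answer=203.0.113.10",
    "2023-03-01T10:05:02Z ws-17 qname=www.example.com qtype=A answer=192.0.2.1",
    "2023-03-01T10:06:00Z ws-22 qname=cdn.example.net qtype=A answer=192.0.2.7",
    "2023-03-01T10:31:40Z ws-17 qname=update-svc.duckdns.org qtype=A answer=198.51.100.23",
    "2023-03-01T13:10:00Z ws-22 qname=cdn.example.net qtype=A answer=192.0.2.8",
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def is_dyndns(qname):
    """True if qname is, or sits under, one of the listed dynamic-DNS zones."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES)


def analyze(lines, window=timedelta(hours=1), min_ips=2):
    """Return a list of alert dicts for the given log lines."""
    alerts = []
    answers = defaultdict(list)  # qname -> [(timestamp, ip), ...]
    for rec in filter(None, map(parse_line, lines)):
        if is_dyndns(rec["qname"]):
            alerts.append({"type": "dyndns-zone", "host": rec["host"],
                           "qname": rec["qname"], "answer": rec["answer"]})
        answers[rec["qname"]].append((rec["ts"], rec["answer"]))

    # Sliding window over each name's answers: alert once if >= min_ips distinct
    # IPs were returned within `window` of each other.
    for qname, seen in answers.items():
        seen.sort()
        j = 0
        for i in range(len(seen)):
            while seen[i][0] - seen[j][0] > window:
                j += 1
            ips = {ip for _, ip in seen[j:i + 1]}
            if len(ips) >= min_ips:
                alerts.append({"type": "rotating-answers", "qname": qname,
                               "answers": sorted(ips)})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

On the sample, "update-svc.duckdns.org" triggers both alerts (it is under a dynamic-DNS zone and moved between two IPs within half an hour), while "cdn.example.net" changing address three hours later stays below the window and is not reported. The suffix match is anchored on a dot, so a look-alike such as "duckdns.org.evil.example" is not mistaken for the provider zone.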

Trend Micro experts recommend that organizations implement solutions for continuous monitoring and rapid response to cybersecurity incidents in order to secure their networks and devices.

In addition, it is worth disabling PowerShell, WSF and JS scripts and macros on employees' computers if they are not needed as part of standard workflows. And in general, it is worth regularly investing time and resources in improving employees' cyber hygiene. This will save you much more in the future.