For at least 11 months, this threat actor has been delivering a Remote Access Trojan (AsyncRAT) through an initial JavaScript file embedded in a phishing page.
More than 300 samples and over 100 domains later, the threat actor remains persistent.
A GIF attachment led to an SVG file, which in turn triggered the download of a highly obfuscated JavaScript file, followed by further obfuscated PowerShell scripts and, finally, execution of an AsyncRAT client.
Certain patterns in the code allowed us to pivot and look for more samples in this campaign, resulting in samples going back to February 2023.
The loader operates in several stages, which are additionally gated by a Command and Control (C&C) server that checks whether the victim could be a sandbox before deploying the main AsyncRAT payload. In particular, when the C&C server does not accept the parameters sent (usually after stage 2), or when it is not expecting requests on a particular domain at that time, it redirects the client to a benign page.
During the whole campaign, JavaScript files have been delivered to targeted victims through malicious phishing web pages.
On top of modifying the C&C and URL every so often, the threat actor tries to generate a completely new version of the loader for each victim.
After a GET request, the C&C server sends a script over HTTP. This script contains base64-encoded code together with the functions needed to decode it.
The AsyncRAT code is constantly changing, heavily obfuscated and randomized, making it hard to detect.
Researching domains with similar uncommon characteristics surfaced a new set of domains.
These samples had a script to calculate the domain based on the current date.
This allows the samples to automatically change the C&C domain with time and evade being blocked if the code is not properly reviewed.
The Domain Generation Algorithm (DGA) generates a seed from the day of the year and then modifies it.
Part of these modifications ensures that a new domain is produced every seven days, with the new domain purposely generated each Sunday.
This seed is then used to pick 15 letters from 'a' to 'n' to form the domain.
The other variables in the seed, or the characters used to build the domain, are changed in some of the scripts to produce a different pattern of domains.
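The following is an added example, not the campaign's own script, that models the DGA structure described above (day-of-year seed rolled to the week's Sunday, 15 letters from 'a' to 'n') and pairs it with a defender-side check for hostnames matching that pattern. The year/day-of-year mixing, the mulberry32 PRNG, the `.example` TLD and the function names are assumptions; the real seed arithmetic is not reproduced here.

```javascript
// Added example (not the campaign's script): models the DGA structure the
// article describes and gives a log check for the resulting pattern.
// Assumptions: the seed mixing, the PRNG and the TLD are stand-ins.
const ALPHABET = "abcdefghijklmn"; // letters 'a' to 'n', as the article states
const LABEL_LEN = 15;               // 15 letters per domain label

// Day of year (1 = Jan 1), computed in UTC so DST cannot shift the week.
function dayOfYear(date) {
  const prevDec31 = Date.UTC(date.getUTCFullYear(), 0, 0);
  return Math.floor((date.getTime() - prevDec31) / 86400000);
}

// Roll back to the most recent Sunday (UTC): every day of a Sunday-to-Saturday
// week then shares one seed, so a new domain appears each Sunday.
function weekAnchor(date) {
  const d = new Date(date.getTime());
  d.setUTCHours(0, 0, 0, 0);
  d.setUTCDate(d.getUTCDate() - d.getUTCDay()); // getUTCDay(): 0 = Sunday
  return d;
}

// Seed from the anchor Sunday's day of year, mixed with the year (assumed).
function seedFor(date) {
  const anchor = weekAnchor(date);
  return anchor.getUTCFullYear() * 1000 + dayOfYear(anchor);
}
// mulberry32: a small deterministic PRNG standing in for the real mixing.
function mulberry32(seed) {
  return function () {
    seed = (seed + 0x6d2b79f5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Candidate domain for a date; defenders can pre-compute the coming weeks'
// values for blocklists or retro-hunting in DNS logs.
function domainFor(date, tld = "example") {
  const rnd = mulberry32(seedFor(date));
  let label = "";
  for (let i = 0; i < LABEL_LEN; i++) {
    label += ALPHABET[Math.floor(rnd() * ALPHABET.length)];
  }
  return `${label}.${tld}`;
}
// Detection side: flag hostnames whose label is exactly 15 letters a-n.
const DGA_PATTERN = /^[a-n]{15}\.[a-z.]+$/;
function looksLikeCampaignDga(host) {
  return DGA_PATTERN.test(host.toLowerCase());
}
```

Because the real seed modification is unknown, the generated strings here illustrate the weekly rotation rather than predicting the actor's actual domains; the pattern check is the part directly usable against DNS telemetry.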
The domains from the first group that were hardcoded within the samples our team observed were all hosted on BitLaunch, while the DGA domains were hosted on DigitalOcean.
BitLaunch is the cheaper option to host with, while the alternative lets users pay in cryptocurrency and be hosted in a more reliable ASN. Returning to the DGA domains hosted on DigitalOcean, the scanning activity generated by OTX on those domains shows a default web page with the message 'Welcome to the BitLaunch LEMP app.' This may indicate that these domains are hosted on DigitalOcean but paid for through BitLaunch.
Domain registrations and new AsyncRAT samples were still being observed at the time of writing this article.
This Cyber News was published on www.cybersecurity-insiders.com. Publication date: Mon, 05 Feb 2024 18:13:05 +0000