AsyncRAT is an open-source remote access Trojan malware known for its ability to provide unauthorized access and control over infected systems.
Hackers use it actively for various malicious purposes, including:-.
Cybersecurity researchers at AT&T recently discovered that AsyncRAT malware has been actively attacking the US infrastructure for 11 months.
APT Earth Berberoka has used this RAT, and recently, AT&T Alien Labs noted a phishing spike in September targeting individuals with gif attachments leading to:-.
The loader's stages are obfuscated by the C&C server that checks the victim for sandbox before deploying the AsyncRAT payload. C&C redirects to a harmless page when parameters are not met.
JavaScript files delivered via phishing with obfuscated strings like:-.
The loader versions vary for each victim with randomized variable names, constants, and URL representation.
After the GET request, C&C sends base64 script XOR'ed against a hardcoded key, unpacked with Gunzip, and executed flawlessly in PowerShell.
The C&C values like 1b are correct, while 2c and other wrong answers have higher values.
C&C may have a table of valid responses or a value range that helps in avoiding brute force.
Invalid answer redirects to Google or returns a new script reaching out to payload in temp[.
Sh link is consistent across samples and time, which helps in hosting the files for three days with new randomized URL paths.
The code dynamically changes and is heavily obfuscated for detection evasion, but network infrastructure remains consistent.
The samples use a variety of domains that are frequently updated, and among them, the common domains include:-.
Here below, we have mentioned all the characteristics that are followed by the domain structure:-.
The Domain Generation Algorithm calculates a unique domain every seven days and on every Sunday, it generates a new one.
The seed, which is derived from the day of the year, undergoes modifications for variation that includes changes to other variables and characters in the scripts.
This strategy helps threat actors avoid detection and blocking by automatically changing the C&C domain over time.
This Cyber News was published on gbhackers.com. Publication date: Mon, 08 Jan 2024 14:43:05 +0000