A campaign delivering the AsyncRAT malware to select targets has been active for at least the past 11 months, using hundreds of unique loader samples and more than 100 domains.
AsyncRAT is an open-source remote access tool for Windows, publicly available since 2019, with functions for remote command execution, keylogging, data exfiltration, and dropping additional payloads.
The tool has been heavily used by cybercriminals over the years, either as is or in modified form, for establishing a foothold on the target, stealing files and data, and deploying additional malware.
The attacks begin with a malicious email carrying a GIF attachment that leads to an SVG file, which in turn downloads obfuscated JavaScript and PowerShell scripts.
After passing some anti-sandboxing checks, the loader communicates with the command and control server and determines if the victim is eligible for the AsyncRAT infection.
The hardcoded C2 domains are hosted on BitLaunch, a service that allows anonymous payments in cryptocurrency, a useful option for cybercriminals.
If the loader determines that it runs in an analysis environment, it deploys decoy payloads, likely in an attempt to mislead security researchers and threat detection tools.
The anti-sandboxing system employed by the loader involves a series of verifications performed via PowerShell commands that retrieve system information and compute a score indicating whether the host is a virtual machine.
AT&T Alien Labs determined that the threat actor used 300 unique samples of the loader in the past 11 months, each with minor alterations in the code structure, obfuscation, and variable names and values.
Another observation from the researchers is the use of a domain generation algorithm that generates new C2 domains every Sunday.
AT&T was able to decode the logic behind the domain generation system, and even predicted the domains that would be generated and assigned to the malware throughout January 2024.
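To show how a weekly-rotating DGA works and how a defender who has recovered its logic can precompute future C2 names, here is an added example. It is not the campaign's actual algorithm, which the article does not disclose; the seed string, TLD list, label length and number of domains per week are placeholders chosen only to make the code run. What it does reproduce is the structure described above: every date in a Sunday-to-Saturday week maps to the same Sunday anchor, so the generated set changes once a week and can be enumerated ahead of time for blocklisting or sinkholing.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical constants: the campaign's real seed, TLDs and per-week count
# are not known from the article; these exist only to make the example run.
SEED_SECRET = "example-dga-seed"
TLDS = ("top", "xyz", "site")
DOMAINS_PER_WEEK = 3
LABEL_LENGTH = 12


def week_anchor(day: date) -> date:
    """Return the Sunday on or before `day`.

    Every date in the same Sunday-to-Saturday week maps to the same anchor,
    which is what makes the generated set rotate exactly once a week.
    """
    # date.weekday(): Monday == 0 ... Sunday == 6
    return day - timedelta(days=(day.weekday() + 1) % 7)


def generate_domains(day: date, count: int = DOMAINS_PER_WEEK) -> list[str]:
    """Derive the week's C2 candidates from the Sunday anchor and a fixed seed."""
    anchor = week_anchor(day)
    domains = []
    for index in range(count):
        material = f"{SEED_SECRET}|{anchor.isoformat()}|{index}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first LABEL_LENGTH digest bytes onto lowercase letters.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LENGTH])
        domains.append(f"{label}.{TLDS[index % len(TLDS)]}")
    return domains


def predict_domains(start: date, end: date) -> dict[date, list[str]]:
    """Enumerate the domain set for every week that overlaps [start, end].

    This is the defender's use of a recovered DGA: precompute the names the
    malware will use and feed them to a blocklist or sinkhole before they go live.
    """
    if end < start:
        raise ValueError("end must not precede start")
    predicted = {}
    anchor = week_anchor(start)
    last_anchor = week_anchor(end)
    while anchor <= last_anchor:
        predicted[anchor] = generate_domains(anchor)
        anchor += timedelta(days=7)
    return predicted


def is_predicted_c2(domain: str, start: date, end: date) -> bool:
    """Membership test suitable for checking DNS logs against the precomputed set."""
    candidates = {name for names in predict_domains(start, end).values() for name in names}
    # Normalise case and a trailing dot as seen in raw DNS query logs.
    return domain.lower().rstrip(".") in candidates


if __name__ == "__main__":
    # Print the five weekly sets covering January 2024 (anchors 2023-12-31 to 2024-01-28).
    for anchor, names in predict_domains(date(2024, 1, 1), date(2024, 1, 31)).items():
        print(anchor.isoformat(), ", ".join(names))
```

Two practical notes: a real DGA may key on something other than the calendar date (a response from a public service, a hardcoded counter), in which case the anchor function is what reverse engineering has to recover, and a blocklist built from predicted names should be regenerated on a schedule that runs ahead of the rotation, since the set for a given Sunday is only useful if it is deployed before that Sunday.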
The Alien Labs team provides a set of indicators of compromise along with signatures for the Suricata network analysis and threat detection software that companies can use to detect intrusions associated with this AsyncRAT campaign.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 07 Jan 2024 20:40:14 +0000