AsyncRAT Malware Distributed by Hackers Employing New Evasive Method

As part of a malware campaign in September 2021, a new, advanced phishing attack was identified that delivers the AsyncRAT trojan. “Through a simple email phishing tactic with an html attachment, threat attackers are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control its infected computers through a secure, encrypted connection,” said Michael Dereviashkin, a security researcher at enterprise breach prevention firm Morphisec.

The attacks start with an email carrying an HTML attachment that looks like an order confirmation receipt. When the recipient opens the decoy file, they are directed to a web page asking them to save an ISO file. Unlike past RAT campaigns that send victims to a phishing URL set up specifically for downloading the next-stage malware, this campaign uses JavaScript to construct the ISO file locally from Base64-encoded text and imitate the download process.

Dereviashkin noted that the ISO download is created within the victim’s browser by JavaScript code embedded in the HTML receipt file rather than fetched from a remote server. When the victim opens the ISO file, it is mounted as a DVD drive on the Windows host. It contains either a .BAT or a .VBS file that continues the infection chain by executing a PowerShell command to fetch a next-stage component. This results in a .NET module being compiled in memory, which then functions as a dropper for three files, each of which acts as a trigger for the next, to deliver AsyncRAT as the final payload, while also scanning for antivirus protection and setting up Windows Defender exclusions.
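A defender-side check for the delivery technique described above, added here as an example and not code from the original article or from Morphisec: it scans an HTML attachment for long Base64 literals, decodes them, sniffs whether the bytes look like an ISO 9660 image, a PE file or a ZIP archive, and looks for the browser APIs that such pages combine to turn an embedded string into a local download. The sample HTML fragments, the indicator list, the length threshold and the verdict rule are constructed assumptions for the demonstration, not indicators published for this campaign.

```python
import base64
import binascii
import re

# Constructed threshold: smuggled payloads are tens of kilobytes, so short
# quoted tokens (inline icons, nonces) are ignored.
MIN_B64_LEN = 200
B64_RUN = re.compile(r"[\"']([A-Za-z0-9+/]{%d,}={0,2})[\"']" % MIN_B64_LEN)

# Browser APIs commonly chained to build a file in the browser and offer it
# as a download. None is malicious alone; they are scored together.
JS_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"new\s+Blob\s*\("),
    "createObjectURL": re.compile(r"createObjectURL\s*\("),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download-attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
}


def sniff_payload(data: bytes) -> str:
    """Identify a decoded blob by magic bytes (ISO 9660 keeps 'CD001' at 0x8001)."""
    if len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def analyze_html(html: str) -> dict:
    """Return the JS indicators found, the type of every embedded blob, and a verdict."""
    found = [name for name, rx in JS_INDICATORS.items() if rx.search(html)]
    payload_types = []
    for match in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except (ValueError, binascii.Error):
            continue  # long but not valid Base64: ignore
        payload_types.append(sniff_payload(blob))
    # Constructed rule: an embedded decodable blob plus at least two of the
    # download-building APIs is enough to pull the attachment for review.
    suspicious = bool(payload_types) and len(found) >= 2
    return {
        "js_indicators": found,
        "payload_types": payload_types,
        "verdict": "suspicious" if suspicious else "clean",
    }


# Constructed test data: a fake ISO image (only the volume-descriptor
# signature is present) wrapped in a non-functional script fragment.
FAKE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64
SAMPLE_SUSPICIOUS = (
    "<html><body><p>Order confirmation</p><script>"
    'var d="' + base64.b64encode(FAKE_ISO).decode() + '";'
    "var bin=atob(d);var blob=new Blob([bin]);var u=URL.createObjectURL(blob);"
    "</script></body></html>"
)
SAMPLE_BENIGN = (
    '<html><body><p>Your receipt</p><img src="data:image/png;base64,iVBORw0KGgo=">'
    "</body></html>"
)

if __name__ == "__main__":
    for label, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_html(doc))
```

Run it over attachments extracted from the mail gateway; a hit is a review queue entry, not a block, since legitimate single-page apps also use these APIs. The magic-byte sniff is what separates a smuggled disk image from an inline font or image encoded the same way.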

RATs like AsyncRAT are commonly used to establish a remote connection between a threat actor and a victim device, steal data, and perform surveillance via microphones and cameras. They come with a slew of powerful features that allow attackers to thoroughly monitor and manage the devices they’ve infiltrated. Morphisec further highlighted the campaign’s innovative methods, claiming that despite the operation lasting nearly five months, the malware was virtually undetected by major antimalware engines.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
