
AsyncRAT Loader spreads malware using JavaScript.

Title: Persistent Threat Actor Delivers AsyncRAT Through Phishing Campaign

Introduction:
Research by AT&T Alien Labs has uncovered a long-running campaign that infects victims with the Remote Access Trojan (RAT) known as AsyncRAT. For at least 11 months the threat actor has used an initial JavaScript file, served from phishing pages, to deliver the malware. With more than 300 samples and 100 domains identified, the campaign shows a persistent and determined operator.

What is AsyncRAT?
AsyncRAT is an open-source remote access tool released on GitHub in 2019 and still available there. Because it is free and versatile it has become one of the most widely abused RATs: it provides keylogging and data exfiltration, and it is frequently used as a first-stage implant to deliver a final payload. It has appeared in several campaigns, including activity attributed to the APT Earth Berberoka in Trend Micro reporting.

Campaign Details:
In early September 2023 AT&T Alien Labs observed a surge in phishing emails aimed at specific individuals in particular companies. The emails carried gif attachments that led to the download of a heavily obfuscated JavaScript file; that file in turn ran PowerShell scripts which fetched and executed the AsyncRAT client. Users on social media reported the same chain, confirming that the campaign was active beyond the telemetry Alien Labs could see.

Modus Operandi:
The loader follows a multi-stage process in which each obfuscated stage is fetched from the command-and-control (C&C) server. Before serving the main AsyncRAT payload, the C&C checks whether the victim looks like a sandbox, so analysis environments never receive the final stage. Throughout the campaign the first stage has been a JavaScript file delivered from malicious phishing web pages. These files are heavily obfuscated, which makes signature-based detection difficult: the code is padded with long strings of randomly placed words such as 'Melville' and 'church'. Recurring patterns in that padding let researchers link samples together and trace the campaign back to February 2023.
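As an added example (not code from the AT&T Alien Labs report), the following Python snippet shows how the delivery chain above looks to an endpoint detection rule: a downloaded .js loader, then a PowerShell stage, then the payload. It assumes, since the page does not say so, that the .js file is opened by the Windows Script Host (wscript.exe or cscript.exe) and that PowerShell therefore runs as a child of that script host. The process events it scans are constructed, not taken from the campaign.

```python
import re
from dataclasses import dataclass

# Added example, not code from the report. It flags the chain the page describes:
# a downloaded .js loader -> PowerShell stage -> payload. Assumption (not stated on
# the page): the .js runs under the Windows Script Host, so PowerShell appears as a
# child of wscript.exe/cscript.exe.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Switches and cmdlets loaders use to hide the window, skip profiles, pass an
# encoded script, or pull the next stage from the network.
LOADER_FLAGS = re.compile(
    r"(?i)(?:-enc\w*|-e\b|-w(?:indowstyle)?\s+hidden|-nop\w*|-ep\s+bypass"
    r"|\biex\b|downloadstring|invoke-webrequest)"
)
# Paths a phishing download lands in; a script host launched from here is suspect.
USER_WRITABLE = re.compile(r"(?i)\\(?:Downloads|Temp|AppData)\\")
JS_FILE = re.compile(r"(?i)\.jse?\b")


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons an event matches the loader chain (empty if benign)."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    reasons = []
    if child in SCRIPT_HOSTS and USER_WRITABLE.search(ev.command_line) and JS_FILE.search(ev.command_line):
        reasons.append("script host running a .js from a user-writable path")
    if parent in SCRIPT_HOSTS and child in SHELLS:
        reasons.append("script host spawned PowerShell")
    if child in SHELLS and LOADER_FLAGS.search(ev.command_line):
        reasons.append("PowerShell launched with loader-style flags")
    return reasons


def detect(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that scores at least one hit."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


# Constructed sample telemetry: events 0 and 1 are the phishing chain, 2 and 3 are
# ordinary admin activity that must not fire. The base64 blob is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", "; ".join(reasons))
```

The two benign events show why the rule keys on the parent/child pair and the launch flags together: PowerShell by itself is everyday admin tooling, and a script host by itself runs logon scripts, so neither alone is a useful signal.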

Network Characteristics:
While the AsyncRAT samples themselves change constantly and are obfuscated, the network infrastructure behind them shares several traits. Most of the domains follow the same structure: the registered (second-level) name is a string of eight random alphanumeric characters, the registrar is 'Nicenic.net, Inc', and the registrant country code is South Africa (ZA). The domains are typically registered only a few days before they are first used, and the researchers also identified a Domain Generation Algorithm (DGA) that derives new domains from the current date, so new infrastructure can be anticipated rather than only observed after the fact.
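As an added example (not from the original report), this Python snippet turns the registration characteristics above into a hunting filter over WHOIS-style records. The records, domain names and dates are constructed; the 'Nicenic' registrar string and the 'ZA' country code are the only values taken from the page, and reading "a few days before use" as a seven-day window is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import date

# Added example, not code from the report. It encodes the registration profile the
# page lists for the campaign's domains as a hunting filter over WHOIS-style data.
# Assumption: "a few days before use" is read as at most RECENT_DAYS days; the
# records below are constructed.

RECENT_DAYS = 7
# Eight lowercase alphanumeric characters as the registered (second-level) label.
RANDOM_LABEL = re.compile(r"^[a-z0-9]{8}$")


@dataclass
class DomainRecord:
    domain: str            # full name, e.g. "x7k2m9qa.example"
    registrar: str
    registrant_country: str
    created: date          # WHOIS creation date
    first_seen: date       # first time the domain appeared in telemetry


def profile(rec: DomainRecord) -> dict[str, bool]:
    """Evaluate each campaign characteristic separately."""
    label = rec.domain.lower().split(".")[0]
    age = (rec.first_seen - rec.created).days
    return {
        "random_label": bool(RANDOM_LABEL.match(label)),
        "nicenic_registrar": "nicenic" in rec.registrar.lower(),
        "za_registrant": rec.registrant_country.upper() == "ZA",
        "recently_created": 0 <= age <= RECENT_DAYS,
    }


def matches_profile(rec: DomainRecord) -> bool:
    # Require every characteristic: any one alone (an 8-char label, a ZA registrant)
    # is common enough to swamp a hunt with false positives.
    return all(profile(rec).values())


def hunt(records: list[DomainRecord]) -> list[str]:
    return [r.domain for r in records if matches_profile(r)]


SAMPLE_RECORDS = [  # constructed, not campaign indicators
    DomainRecord("x7k2m9qa.example", "Nicenic.net, Inc", "ZA", date(2023, 9, 1), date(2023, 9, 4)),
    DomainRecord("payroll1.example", "Nicenic.net, Inc", "ZA", date(2021, 3, 10), date(2023, 9, 4)),
    DomainRecord("cdn-assets.example", "Example Registrar LLC", "US", date(2019, 5, 2), date(2023, 9, 4)),
    DomainRecord("q3w8e1r5.example", "Nicenic.net, Inc", "US", date(2023, 9, 2), date(2023, 9, 4)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.domain, profile(rec), "MATCH" if matches_profile(rec) else "")
```

The second record illustrates the caveat: "payroll1" satisfies the eight-character label test on its own, and only the registration age rules it out, which is why the filter demands all four traits rather than scoring them individually.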

Conclusion:
The ongoing campaign to deliver AsyncRAT demonstrates the determination of the threat actor behind it. The constant modification and obfuscation of the loader, together with the use of many short-lived domains, show a sustained effort to stay undetected. Even so, AT&T Alien Labs' research has identified patterns in both the samples and the infrastructure. Tracking newly registered domains that fit the observed profile, and continuing to collect AsyncRAT samples, will aid ongoing efforts to mitigate this threat.

Key Points:
– AT&T Alien Labs has discovered a persistent campaign delivering AsyncRAT through phishing emails.
– AsyncRAT is an open-source remote access tool that is widely abused as a Remote Access Trojan.
– The campaign uses multi-stage obfuscated loaders whose first stage is a JavaScript file served from phishing web pages; the C&C performs sandbox checks before releasing the final payload.
– The supporting infrastructure has recognisable traits: random eight-character domain names, a shared registrar and registrant country, short-lived registrations, and a date-based DGA.
– Ongoing research and analysis by AT&T Alien Labs will help in identifying and mitigating this threat.

Summary:
AT&T Alien Labs has uncovered a long-standing campaign employing phishing emails to distribute the AsyncRAT malware. AsyncRAT is an open-source remote access tool that has been widely used due to its versatility. The campaign involves obfuscated loaders delivered through JavaScript files on phishing web pages. The network infrastructure associated with AsyncRAT exhibits distinct characteristics that allow for identification and tracking. AT&T Alien Labs continues to monitor the campaign and develop strategies to mitigate this persistent threat.
