Pierluigi Paganini January 27, 2022

Experts spotted a sophisticated malware campaign delivering the AsyncRAT trojan since September 2021.

Researchers from Morphisec spotted a sophisticated phishing campaign delivering the AsyncRAT trojan since September 2021.

The phishing messages use an html attachment disguised in the form of an order confirmation receipt (e.g., Receipt-<digits>.html). Experts pointed out the malware employed has the lowest detection rates as presented through VirusTotal.

Upon opening the file, a webpage is displayed and it requests the recipients to save a downloaded ISO file. The experts noticed that the ISO is not downloaded from a remote web, instead, it is generated within the victim’s browser by the JavaScript code that is embedded inside the HTML receipt file.

“When the victim decides to open the receipt, they see the following webpage that requests them to save a downloaded ISO file. They believe it’s a regular file download that will go through all the channels of gateway and network security scanners. Surprisingly, that’s not the case.” reads the report published by Morphisec. “In fact, the ISO download is generated within the victim’s browser by the JavaScript code that is embedded inside the HTML receipt file, and it is not downloaded from a remote server.”

The ISO file is being delivered as a base64 string, upon opening it, the image is automatically mounted as a DVD Drive. The ISO image includes either a .BAT or a .VBS file,when the recipient opens one of them it will retrieve the next-stage component via a PowerShell command execution.

The PowerShell script that is executed allows to:

• Establish persistancy through Schedule Task
• Execute the dropped .vbs file, usually at %ProgramData% 
• Unpack an Base64 encoded and deflate compressed .NET module
• Inject the .NET module payload in-memory(dropper)

The .NET module acts as a dropper for three files:

• Net.vbs – obfuscated invocation of Net.bat
• Net.bat – invocation of Net.ps1
• Net.ps1 – next stage injection

designed to deliver the final payload that is the AsyncRAT malware and bypass antimalware software and set up Windows Defender exclusions.

“In most cases, attackers have delivered AsyncRAT as the final payload that was hiding within the legitimate .NET aspnet_compiler.exe process.” concludes the report that also includes IoCs.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]