Researchers at Morphisec have spotted a sophisticated phishing campaign that has been delivering the AsyncRAT trojan since September 2021.
The phishing messages carry an HTML attachment disguised as an order confirmation receipt (e.g., Receipt-<digits>.html). The researchers pointed out that the malware used in the campaign has the lowest detection rates on VirusTotal.
The HTML attachment delivers an ISO image as a base64-encoded string; when the recipient opens the decoded ISO, Windows automatically mounts it as a DVD drive. The ISO image contains either a .BAT or a .VBS file; when the recipient opens it, the script retrieves the next-stage component through a PowerShell command.
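The delivery step above is HTML smuggling: the attachment carries the ISO as a base64 string and the browser reassembles it client-side, so mail gateways never see an ISO. The following triage script is an added example written for this article, not code from Morphisec or from the campaign; the markup of the sample attachment, the smuggling markers it looks for and the 8.3-style filename heuristic are assumptions. It builds a constructed HTML "receipt" with an embedded minimal ISO 9660 image, then finds long base64 runs, decodes them, checks for the `CD001` volume descriptor at sector 16 and lists script names inside the image.

```python
import base64
import re

SECTOR = 2048  # ISO 9660 logical sector size

# Indicators of HTML smuggling: the attachment decodes an embedded blob in the
# browser and hands it to the user as a file (assumed markers, not from the article).
SMUGGLING_MARKERS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob", ".download")

# Base64 runs long enough to carry a payload rather than a short token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{1024,}={0,2}")

# Heuristic for 8.3-style script/executable names inside the decoded image;
# a full triage tool would walk the ISO 9660 directory records instead.
ISO_NAMES = re.compile(rb"[A-Z0-9_]{1,8}\.(?:BAT|VBS|CMD|EXE|LNK|PS1)(?:;\d+)?")


def build_sample_iso() -> bytes:
    """Constructed ISO 9660 image: 16 empty system sectors, a Primary Volume
    Descriptor (type 1 + 'CD001') and one sector carrying the name RUN.VBS;1."""
    pvd = (b"\x01" + b"CD001" + b"\x01\x00").ljust(SECTOR, b"\x00")
    data = (b"\x00" * 8 + b"RUN.VBS;1").ljust(SECTOR, b"\x00")
    return b"\x00" * (16 * SECTOR) + pvd + data


# Constructed attachment in the shape of a smuggled "receipt" (assumed markup).
SAMPLE_HTML = """<html><body><p>Thank you for your order. Your receipt is downloading.</p>
<script>
var b64 = "__B64__";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Receipt-00000.iso";
a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(build_sample_iso()).decode())


def is_iso9660(data: bytes) -> bool:
    """True if a volume descriptor with the 'CD001' identifier sits at sector 16."""
    start = 16 * SECTOR
    return len(data) > start + 6 and data[start + 1:start + 6] == b"CD001"


def analyze_html(html: bytes) -> dict:
    """Flag smuggling markers and decode every long base64 run in the attachment,
    reporting each run that turns out to be an ISO image and the script names it carries."""
    text = html.decode("latin-1")
    report = {
        "smuggling_markers": [m for m in SMUGGLING_MARKERS if m in text],
        "payloads": [],
    }
    for match in B64_RUN.finditer(html):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue  # not valid base64 (e.g. bad padding); skip this run
        if is_iso9660(decoded):
            names = sorted({n.decode() for n in ISO_NAMES.findall(decoded)})
            report["payloads"].append({"kind": "iso9660", "size": len(decoded), "names": names})
    return report


if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML.encode()))
```

Run it against a real attachment with `analyze_html(open(path, "rb").read())`. Because the check keys on the decoded bytes rather than on the JavaScript, it also catches variants that split or obfuscate the decoding logic as long as the payload itself is a plain base64 run; a payload that is additionally XOR-ed or chunked across variables would need the decoding step reproduced first.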
The PowerShell script that is executed is used to:
The .NET module acts as a dropper for three files:
designed to deliver the final payload, the AsyncRAT malware, to bypass antimalware software and to set up Windows Defender exclusions.
“In most cases, attackers have delivered AsyncRAT as the final payload that was hiding within the legitimate .NET aspnet_compiler.exe process,” concludes the report, which also includes IoCs.
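Three points in the chain described above leave host telemetry that a detection engineer can key on: a script host running a .VBS/.BAT from the mounted image and spawning PowerShell, a registry write under the Windows Defender exclusions key, and a network connection from aspnet_compiler.exe, a build tool that has no reason to talk to the internet on its own. The rules below are an added example written for this article, not detection content from Morphisec; the events are constructed Sysmon-style records (event IDs 1, 13 and 3), and the assumptions that the script sits on a non-C: drive and that any outbound connection from aspnet_compiler.exe is anomalous are the author's, not the report's.

```python
import re

# Constructed Sysmon-style events (field names follow Sysmon's EventData).
# Sample data for this example, not log lines from the Morphisec report.
SAMPLE_EVENTS = [
    {   # Event 1: wscript.exe running a .vbs from a mounted DVD drive spawns PowerShell
        "event_id": 1,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\victim\AppData\Local\Temp\stage2.ps1",
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "parent_command_line": r'"C:\Windows\System32\wscript.exe" "D:\Receipt.vbs"',
    },
    {   # Event 13: PowerShell writes a Windows Defender path exclusion
        "event_id": 13,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "target_object": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Roaming",
        "details": "DWORD (0x00000000)",
    },
    {   # Event 3: aspnet_compiler.exe opens an outbound TCP connection
        "event_id": 3,
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
        "protocol": "tcp",
        "destination_ip": "203.0.113.10",  # documentation range, constructed
        "destination_port": 4444,
    },
    {   # benign: Explorer launching Notepad
        "event_id": 1,
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "parent_command_line": r"C:\Windows\explorer.exe",
    },
    {   # benign: browser network traffic
        "event_id": 3,
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "protocol": "tcp",
        "destination_ip": "198.51.100.7",
        "destination_port": 443,
    },
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")
# A .vbs/.bat/.cmd path on any drive letter other than C: (assumed shape of a mounted ISO).
NON_SYSTEM_SCRIPT = re.compile(r'\b[D-Z]:\\[^\s"]*\.(?:vbs|bat|cmd)\b', re.IGNORECASE)
DEFENDER_EXCLUSIONS = r"\software\microsoft\windows defender\exclusions"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_from_mounted_image(e: dict) -> bool:
    """Event 1: a script host launched PowerShell from a script on a non-C: drive."""
    return (e["event_id"] == 1
            and basename(e["image"]) == "powershell.exe"
            and basename(e.get("parent_image", "")) in SCRIPT_HOSTS
            and NON_SYSTEM_SCRIPT.search(e.get("parent_command_line", "")) is not None)


def rule_defender_exclusion_added(e: dict) -> bool:
    """Event 13: a value was written under the Windows Defender Exclusions key."""
    return e["event_id"] == 13 and DEFENDER_EXCLUSIONS in e.get("target_object", "").lower()


def rule_aspnet_compiler_network(e: dict) -> bool:
    """Event 3: the .NET compiler made a network connection (assumed anomalous)."""
    return e["event_id"] == 3 and basename(e["image"]) == "aspnet_compiler.exe"


RULES = [
    ("script_host_from_mounted_image", rule_script_host_from_mounted_image),
    ("defender_exclusion_added", rule_defender_exclusion_added),
    ("aspnet_compiler_network", rule_aspnet_compiler_network),
]


def triage(events: list) -> list:
    """Return (event index, rule name) for every event that matches a rule."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name} ({SAMPLE_EVENTS[idx]['image']})")
```

The Defender rule needs Sysmon's `RegistryEvent` (ID 13) configured to include the Exclusions key, and the aspnet_compiler.exe rule needs `NetworkConnect` (ID 3) enabled for that image; neither is captured by a default Sysmon configuration. Because the RAT is injected into a signed Microsoft binary, the network rule is the most durable of the three: the script host and exclusion steps can change between waves, but the final stage still has to reach its C2.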
(SecurityAffairs – hacking, phishing)