Malware

A new, highly evasive technique used to deliver the AsyncRAT malware

Experts spotted a sophisticated phishing campaign that has been delivering the AsyncRAT trojan since September 2021.

Researchers from Morphisec spotted a sophisticated phishing campaign that has been delivering the AsyncRAT trojan since September 2021.

The phishing messages carry an HTML attachment disguised as an order-confirmation receipt (e.g., Receipt-<digits>.html). The researchers pointed out that the malware employed had among the lowest detection rates on VirusTotal.

When the recipient opens the file, a webpage is displayed that asks them to save a downloaded ISO file. The researchers noticed that the ISO is not downloaded from a remote server; instead, it is generated inside the victim's browser by JavaScript code embedded in the HTML receipt file, so the ISO never crosses the network as a file that gateway or network scanners could inspect.

“When the victim decides to open the receipt, they see the following webpage that requests them to save a downloaded ISO file. They believe it’s a regular file download that will go through all the channels of gateway and network security scanners. Surprisingly, that’s not the case.” reads the report published by Morphisec. “In fact, the ISO download is generated within the victim’s browser by the JavaScript code that is embedded inside the HTML receipt file, and it is not downloaded from a remote server.”

The ISO file is delivered as a Base64 string; when the recipient opens it, Windows automatically mounts the image as a DVD drive. The ISO image contains either a .BAT or a .VBS file; when the recipient runs one of them, it retrieves the next-stage component by executing a PowerShell command.

The PowerShell script that is executed:

  • establishes persistence through a scheduled task;
  • executes the dropped .vbs file, usually located in %ProgramData%;
  • unpacks a Base64-encoded, deflate-compressed .NET module;
  • injects the .NET module payload in memory (the dropper).

The .NET module acts as a dropper for three files:

  • Net.vbs – obfuscated invocation of Net.bat
  • Net.bat – invocation of Net.ps1
  • Net.ps1 – next-stage injection

These files are designed to deliver the final payload, the AsyncRAT malware, while bypassing antimalware software and setting up Windows Defender exclusions.

“In most cases, attackers have delivered AsyncRAT as the final payload that was hiding within the legitimate .NET aspnet_compiler.exe process.” concludes the report, which also includes IoCs.

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)