A malware campaign active since September 2021 has been using an advanced phishing attack to deliver the AsyncRAT trojan.

“Through a simple email phishing tactic with an HTML attachment, threat attackers are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control its infected computers through a secure, encrypted connection,” Michael Dereviashkin, a security researcher at enterprise breach prevention firm Morphisec, said in a report.

The attacks start with an email message carrying an HTML attachment disguised as an order confirmation receipt. Opening the attached file redirects the user to a web page that prompts them to save an ISO file.

The present RAT campaign uses JavaScript to generate the ISO file locally from a Base64-encoded string and to simulate the download process. Other attacks instead direct the user to a phishing domain created specifically for downloading the next-stage malware.

“The ISO download is not generated from a remote server but from within the victim’s browser by a JavaScript code that’s embedded inside the HTML receipt file,” Dereviashkin explained.
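Because the ISO never crosses the network as a file, a mail gateway sees only an HTML attachment. One defensive check that follows directly from the description above is to triage the attachment itself: pull out any large Base64 literal, decode it, and test whether the bytes carry an ISO 9660 volume descriptor, while also noting which browser-side download APIs the script references. The following is an added example written for this article, not code from Morphisec or from the campaign; the sample HTML, the indicator names and the scoring thresholds are constructed assumptions, and the embedded payload is a bare ISO header stub rather than any real image.

```python
import base64
import binascii
import re

# Constructed stand-in for the "order confirmation" HTML attachment described
# in the article. It embeds a Base64 string whose decoded bytes carry only an
# ISO 9660 volume descriptor header; nothing in it executes or downloads.
def _make_iso_stub() -> bytes:
    # ISO 9660 places the primary volume descriptor at offset 0x8000:
    # type byte 0x01, then the identifier "CD001", then version byte 0x01.
    data = bytearray(0x8000 + 16)
    data[0x8000] = 0x01
    data[0x8001:0x8006] = b"CD001"
    data[0x8006] = 0x01
    return bytes(data)

SAMPLE_HTML = (
    "<html><body><p>Order confirmation (constructed sample)</p>\n"
    "<script>\n"
    'var payload = "' + base64.b64encode(_make_iso_stub()).decode() + '";\n'
    'var fileName = "receipt.iso";\n'
    "// constructed: a real attachment would pass the decoded atob() output\n"
    "// to the browser's blob/download APIs; this sample does nothing.\n"
    "</script></body></html>\n"
)

# Hypothetical indicator names chosen for this example. Each regex matches a
# browser API or string commonly involved in turning an in-page Base64 string
# into a local file download.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL"),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\bdownload\s*="),
    "iso_name": re.compile(r"\.iso\b", re.IGNORECASE),
}

# A run of Base64 alphabet characters this long is far larger than any
# legitimate inline icon in an order receipt (threshold is an assumption).
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{2048,}={0,2}")


def extract_base64_blobs(html: str) -> list[bytes]:
    """Decode every large Base64 literal in the HTML; skip malformed ones."""
    blobs = []
    for match in B64_LITERAL.finditer(html):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except binascii.Error:
            continue
    return blobs


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 volume descriptor at 0x8000."""
    return len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001"


def triage_html_attachment(html: str) -> dict:
    """Score an HTML attachment for in-browser ISO generation."""
    indicators = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blobs = extract_base64_blobs(html)
    embedded_iso = any(looks_like_iso(b) for b in blobs)

    # Verdict rule (assumption): a decoded ISO is conclusive on its own; a
    # large blob plus two or more download-related indicators is suspicious.
    if embedded_iso or (blobs and len(indicators) >= 2):
        verdict = "suspicious"
    elif blobs or indicators:
        verdict = "review"
    else:
        verdict = "clean"

    return {
        "indicators": indicators,
        "embedded_blobs": len(blobs),
        "embedded_iso": embedded_iso,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_HTML))
```

The decode-and-inspect step is the part worth keeping in a real pipeline: the API-name indicators are easy for an attacker to obfuscate, but the decoded bytes still have to be a valid ISO for the mounted-drive stage to work, so the `CD001` check survives renaming and string splitting as long as the literal is recovered.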

Once the user executes the ISO file, it is mounted by default as a DVD drive on the Windows host. It contains either a .BAT or a .VBS file, which moves to the next stage of the infection process: retrieving a further component through a PowerShell command execution.

This results in the in-memory execution of a .NET module that acts as a dropper for three files, each acting as a trigger for the next, to finally deliver AsyncRAT as the payload. The module also checks for installed antivirus software and sets up Windows Defender exclusions.

RATs such as AsyncRAT are typically used to establish a remote connection between a threat actor and a victim device, steal information, and conduct surveillance through microphones and cameras. They provide an array of advanced capabilities that give attackers the ability to fully monitor and control the compromised machines.

Morphisec also pointed out the campaign’s advanced tactics, which it said allowed the malware to slip through virtually undetected by most antimalware engines despite the operation being in effect for close to five months.