Malware distributors are using social engineering to spread AsyncRAT: threat actors disguise the malware as everyday file types, such as questionnaires (.chm, .wsf, and .lnk), to trick users into opening them.
More recently they have used ebooks as the lure, relying on the user's trust in a familiar file format to avoid suspicion and gain a foothold on the system.
The attacker uses a compressed file disguised as an ebook to deliver a multi-stage payload. The archive contains a malicious LNK file whose icon mimics a compressed file, a PowerShell script hidden inside a text file (RM.TXT), and further compressed files disguised as video files.
The LNK file runs the PowerShell script in RM.TXT, which hides the folder containing the downloader malware, obfuscates itself, and then checks for installed security software. Depending on which security software is present, the script executes the downloader malware hidden inside the disguised video files.
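The "video files" in this chain are archives that only carry a video extension, so a cheap defensive check is to compare each file's extension with its leading magic bytes. The following Python script is an added example, not code from the article or from AhnLab: it flags files whose name says video but whose header says ZIP, RAR or 7z, and builds a small constructed directory (file names borrowed from the article, contents invented) to run against.

```python
import os
import tempfile

# Real file signatures for the formats involved (table assembled here, not taken from the report).
SIGNATURES = [
    (b"\x1a\x45\xdf\xa3", "matroska"),        # EBML header of a genuine .mkv
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]
ARCHIVE_KINDS = {"zip", "rar", "7z"}
VIDEO_EXTENSIONS = {".mkv", ".mp4", ".avi", ".mov"}


def sniff_kind(header: bytes) -> str:
    """Return the container type implied by the first bytes of a file."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"


def is_disguised_archive(filename: str, header: bytes) -> bool:
    """True when the extension claims video but the header is an archive."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in VIDEO_EXTENSIONS and sniff_kind(header) in ARCHIVE_KINDS


def scan_directory(root: str):
    """Walk a tree and return (relative path, real kind) for every disguised archive."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(8)          # longest signature above is 6 bytes
            if is_disguised_archive(name, header):
                hits.append((os.path.relpath(path, root), sniff_kind(header)))
    return sorted(hits)


def build_demo_directory() -> str:
    """Create a constructed sample tree; only the names echo the article."""
    d = tempfile.mkdtemp(prefix="ebook_demo_")
    samples = {
        "4.mkv": b"PK\x03\x04" + b"\x00" * 28,               # zip posing as video (constructed)
        "8.mkv": b"Rar!\x1a\x07\x00" + b"\x00" * 16,          # rar posing as video (constructed)
        "trailer.mkv": b"\x1a\x45\xdf\xa3" + b"\x00" * 16,    # genuine EBML header, not flagged
        "RM.TXT": b"placeholder text",                        # plain text, outside this rule
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    demo = build_demo_directory()
    for rel, kind in scan_directory(demo):
        print(f"{rel}: named as video, header says {kind}")
```

Run it on a suspicious extraction folder by replacing `build_demo_directory()` with the path in question; anything it reports deserves a look with an archive tool before a media player ever touches it.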
The malware decompresses one of these archives (4.mkv) and registers a malicious script (NTUSER.BAT{428f9636-1254-e23e3-ada2-03427pie23}.TM.VBS) as a task named “BitTorrent Certificate” in Task Scheduler.
It gathers system information and executes a batch file (NTUSER.BAT{428f9636-1254-ee23-ada2-080027dede23}.TM.bat) that launches a PowerShell script.
The PowerShell script then decrypts and loads obfuscated PE files (NTUSER.DAT{428f1209-1254-13ef-ada4-080027dede23}.TxR.blf and NTUSER.DAT{4280000a-1254-11ef-ada2-080007dede23}.TM.blf) to deploy AsyncRAT.
In all, the malware has three methods of delivering the AsyncRAT payload. Another of them decompresses a different archive (5.mkv) and registers a scheduled task named “BitTorrent” that runs a VBS script hidden in that archive.
This VBS script uses a batch file to run an AutoHotKey script, which ultimately downloads AsyncRAT from a predetermined URL and executes it.
The third method follows the same pattern with yet another archive (8.mkv) and a PowerShell script disguised under the name “USER ID Converter” inside the archive; this obfuscated PowerShell script executes AsyncRAT directly from the same directory.
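Every variant above persists through a scheduled task that launches a script interpreter on a file dropped in the user profile, which is a pattern defenders can hunt for in exported task definitions (for example from `schtasks /query /tn <name> /xml`, or `Export-ScheduledTask` in PowerShell). The script below is an added example written for this article, not AhnLab's tooling: it parses Task Scheduler XML and reports tasks whose action runs wscript, cscript, cmd, PowerShell or mshta on a user-writable path, whose script name mimics the NTUSER.BAT{GUID}.TM.vbs naming reported here, or whose task name matches one reported for this campaign. The two task definitions embedded in it are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Script hosts commonly used to launch dropped .vbs / .bat payloads.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Locations a standard user can write to; the chain described above keeps its
# scripts next to the extracted archive contents in the user profile.
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.IGNORECASE)
# Loosely modelled on the NTUSER.BAT{...}.TM.vbs / .bat names the report lists:
# a registry-hive-like prefix, a brace block, then a script suffix.
HIVE_MIMIC = re.compile(r"NTUSER\.(?:BAT|DAT)\{[0-9a-z-]+\}\.\w+\.(?:vbs|bat)", re.IGNORECASE)
# Task names the article reports for this campaign; a weak signal on its own.
CAMPAIGN_TASK_NAMES = {"bittorrent certificate", "bittorrent"}


def _local(tag: str) -> str:
    """Strip the Task Scheduler XML namespace so lookups work with or without it."""
    return tag.rsplit("}", 1)[-1]


def triage_task_xml(xml_text):
    """Return a list of reasons a task looks suspicious; an empty list means nothing matched."""
    root = ET.fromstring(xml_text)
    uri, commands = "", []
    for el in root.iter():
        name = _local(el.tag)
        if name == "URI":
            uri = (el.text or "").strip()
        elif name == "Exec":
            cmd = args = ""
            for child in el:
                if _local(child.tag) == "Command":
                    cmd = (child.text or "").strip()
                elif _local(child.tag) == "Arguments":
                    args = (child.text or "").strip()
            commands.append((cmd, args))

    reasons = []
    task_name = uri.rsplit("\\", 1)[-1].lower()
    if task_name in CAMPAIGN_TASK_NAMES:
        reasons.append(f"task name '{uri}' matches a name reported for this campaign")
    for cmd, args in commands:
        exe = cmd.replace('"', "").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS and USER_WRITABLE.search(args):
            reasons.append(f"{exe} runs content from a user-writable path: {args}")
        if HIVE_MIMIC.search(args) or HIVE_MIMIC.search(cmd):
            reasons.append("script name mimics the NTUSER registry hive naming")
    return reasons


# Constructed sample shaped like the persistence described in the article (GUID from the report).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\BitTorrent Certificate</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\victim\AppData\Roaming\NTUSER.BAT{428f9636-1254-ee23-ada2-080027dede23}.TM.VBS"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a built-in maintenance task running a system binary.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task_xml(xml_text) or ["no findings"])
```

The path rule carries most of the weight: legitimate tasks rarely hand wscript or PowerShell a script under a user's profile, so each such hit is worth pulling the referenced file for analysis, while the task-name and hive-mimicry rules are there to raise priority rather than to stand alone.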
According to AhnLab Security Intelligence Center, AsyncRAT can evade detection, persist on the system, steal user information, accept remote instructions to perform malicious actions, and masquerade as various file types, including executables, text files, and shortcuts.
Recent detections include trojanized versions of video subtitle files, text files, religious ebooks, and compressed archives. The report also provides indicators of compromise for this malware: specific MD5 hashes, a C&C server domain name, and a malicious download URL.