Key takeaways:

- Some of the identified targets manage key infrastructure in the US.
- The loader uses a fair amount of obfuscation and anti-sandboxing techniques to elude automatic detections.
- As part of the obfuscation, the attacker also uses many variable names and values that are randomly generated, to hinder pivoting and detection by strings.
- DGA domains are recycled every week, and decoy redirections are served when a VM is identified, to avoid analysis by researchers.
- The ongoing registration of new and active domains indicates this campaign is still active.
- There is an OTX pulse with more information.

AsyncRAT is an open-source remote access tool released in 2019 and still available on GitHub. As with any remote access tool, it can be leveraged as a Remote Access Trojan (RAT), especially in this case where it is free to access and use. For that reason, it is one of the most commonly used RATs; its characteristic elements include keylogging, exfiltration techniques, and/or initial access staging for final payload delivery. Since it was initially released, this RAT has shown up in several campaigns with numerous alterations due to its open-source nature, and has even been used by the APT Earth Berberoka, as reported by Trend Micro.

In early September, AT&T Alien Labs observed a spike in phishing emails targeting specific individuals in certain companies. The gif attachment led to an SVG file, which in turn led to the download of a highly obfuscated JavaScript file, followed by further obfuscated PowerShell scripts and the final execution of an AsyncRAT client. This peculiarity was also reported by some users on X (formerly Twitter), such as reecDeep and Igal Lytzki. Certain patterns in the code allowed us to pivot and look for more samples in this campaign, resulting in samples going back to February 2023.

Figure 1: Number of samples observed by Alien Labs in this campaign.

The registration of domains and subsequent AsyncRAT samples is still being observed at the time of writing this blog. During the whole campaign, JavaScript files have been delivered to targeted victims through malicious phishing webpages. The modus operandi of the loader involves several stages, which are further obfuscated by a Command and Control (C&C) server that checks whether the victim could be a sandbox prior to deploying the main AsyncRAT payload. In particular, when the C&C server doesn't rely on the parameters sent, usually after stage 2, or when it is not expecting requests on a particular domain at that time, the C&C redirects to a benign page.
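The takeaway that variable names and values are randomly generated explains why pivoting on fixed strings fails against this loader: there is no stable identifier to match. A defender can instead score the *shape* of identifiers. The Python below is an added example written for this page, not code from Alien Labs or from the campaign; the two JavaScript snippets are constructed (`BENIGN_JS` mimics ordinary code, `GENERATED_JS` mimics the randomized-identifier style described here), and the three heuristic signals and their thresholds are this example's own choices rather than anything derived from the actual samples.

```python
import re
from typing import Tuple

# Constructed samples (not from the campaign): a conventional snippet and one
# written in the style of a loader whose identifiers are randomly generated.
BENIGN_JS = """
function loadUser(userId) {
  const request = new XMLHttpRequest();
  request.open("GET", "/api/users/" + userId);
  request.send();
}
"""

GENERATED_JS = """
var qXz9Lk3 = "aGVsbG8=";
var Wm2pRt8v = function(bJ7dK) { return bJ7dK.split("").reverse().join(""); };
var zz4Hq0 = Wm2pRt8v(qXz9Lk3) + "Qr7mXp2";
"""

# Double- and single-quoted string literals (escapes respected) are removed
# before tokenising so that string contents are not mistaken for identifiers.
# Template literals are not handled by this example.
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "new", "if", "else", "for",
    "while", "this", "true", "false", "null", "undefined", "typeof", "in",
}


def looks_generated(ident: str) -> bool:
    """Heuristic: does this identifier look machine-generated rather than
    chosen by a developer? Two of the three signals are required, so a single
    odd-looking but legitimate name (XMLHttpRequest) is not flagged."""
    letters = [c for c in ident if c.isalpha()]
    if len(ident) < 5 or not letters:
        return False
    signals = 0
    # 1. Digits embedded between letters (qXz9Lk3), unlike a trailing
    #    suffix such as sha256.
    if re.search(r"[A-Za-z][0-9]+[A-Za-z]", ident):
        signals += 1
    # 2. Almost no vowels: pronounceable names are roughly 40% vowels.
    vowels = sum(c.lower() in "aeiou" for c in letters)
    if vowels / len(letters) < 0.15:
        signals += 1
    # 3. Frequent case flips between adjacent letters (wM2pRt, not camelCase).
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())
    if flips >= 3:
        signals += 1
    return signals >= 2


def score_source(js: str) -> Tuple[int, int]:
    """Return (generated_looking, total) over the unique non-keyword identifiers."""
    code = STRING_RE.sub("", js)
    idents = {tok for tok in IDENT_RE.findall(code) if tok not in JS_KEYWORDS}
    flagged = sum(1 for tok in idents if looks_generated(tok))
    return flagged, len(idents)


def generated_ratio(js: str) -> float:
    """Fraction of identifiers that look generated; score the file, not one name."""
    flagged, total = score_source(js)
    return flagged / total if total else 0.0


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JS), ("generated", GENERATED_JS)):
        flagged, total = score_source(sample)
        print(f"{name}: {flagged}/{total} identifiers look generated")
```

The file-level ratio is the useful signal: built-in method names such as `split` or `join` survive in the obfuscated sample and are correctly left unflagged, so a real loader scores well below 100%, but still far above ordinary code. Thresholds should be tuned on a corpus of known-good scripts before this is used as a triage rule.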