AsyncRAT malware uses sophisticated strategies to evade detection

February 21, 2022

Researchers have recently found that the operators of the AsyncRAT malware are using a new campaign delivery technique that evades multiple security solutions. AsyncRAT is a remote access trojan that lets the threat actors monitor and control the targeted systems remotely.

The campaign has been active since last year, with activity traced back to the early weeks of last September.

In most known AsyncRAT attacks, the victims receive an email with an HTML attachment that poses as a receipt. If the victim opens the HTML attachment, they are shown a web page instructing them to save a downloadable ISO file.

However, the ISO file is not actually downloaded from a remote server; instead, it is assembled locally in the victim's browser by the JavaScript code embedded in the attached HTML receipt file.

The AsyncRAT campaign delivers one of the most potent and least-detected malware families in circulation today. According to the analysis, the JavaScript code creates the files in three stages.

Once the target opens the ISO created in the first phase of the attack, it is immediately mounted as a DVD drive containing a [.]vbs or [.]bat file. These files then launch a PowerShell process.

In the second phase, the launched PowerShell is responsible for several tasks, such as running a dropped [.]vbs file, injecting the [.]NET module payload in memory, and establishing persistence on the compromised system.

The last of the three stages is the injection of the [.]NET module, which acts as a malware dropper. The dropper writes three files, namely Net[.]ps1, Net[.]vbs, and Net[.]bat.

Finally, the execution chain delivers the Async remote access trojan as the final payload, which hides itself inside a legitimate [.]NET process.
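As an added example (not code from the article or from the researchers it cites), the following detector turns the chain above into a check over process-creation telemetry: a script host launched with a [.]vbs or [.]bat file from a non-system drive (where a mounted ISO typically lands) that spawns PowerShell, with the Net[.]ps1/Net[.]vbs/Net[.]bat names as corroboration. The record format and the sample events are constructed, and the "any drive other than C:" heuristic is an assumption to tune per environment.

```python
import re

# Script hosts that would run the .vbs or .bat file from the mounted ISO.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# File names the article attributes to the .NET dropper stage.
DROPPER_NAMES = {"net.ps1", "net.vbs", "net.bat"}
# Assumption: a script started from any drive letter other than C: may come
# from a mounted ISO; tune the letter range for your own fleet.
NON_SYSTEM_SCRIPT = re.compile(r'\b([D-Zd-z]):\\[^"\s]*\.(?:vbs|bat)\b')

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_iso_script_chain(events):
    """Flag powershell.exe whose parent is a script host launched with a
    .vbs/.bat from a non-system drive.  events: dicts with pid, ppid, image, cmd."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        match = NON_SYSTEM_SCRIPT.search(parent["cmd"])
        if not match:
            continue
        findings.append({
            "script_pid": parent["pid"],
            "powershell_pid": e["pid"],
            "drive": match.group(1).upper(),
            # Stage-3 corroboration: the PowerShell stage references the dropper's files.
            "dropper_artifact": any(n in e["cmd"].lower() for n in DROPPER_NAMES),
        })
    return findings

# Constructed process-creation records in a simplified form (not real telemetry).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4001, "ppid": 3000, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4102, "ppid": 4001, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "E:\receipt.vbs"'},
    {"pid": 4203, "ppid": 4102, "image": PS_IMAGE,
     "cmd": r"powershell.exe -w hidden -f C:\Users\user\AppData\Roaming\Net.ps1"},
    # Benign admin activity: a batch file on the system drive must not fire.
    {"pid": 5001, "ppid": 4001, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\tools\build.bat"'},
    {"pid": 5002, "ppid": 5001, "image": PS_IMAGE, "cmd": r"powershell.exe -f C:\tools\build.ps1"},
]
```

Running `detect_iso_script_chain(SAMPLE_EVENTS)` yields one finding for the wscript → powershell pair and none for the benign cmd → powershell pair.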

Threat actors can now evade security solutions through sophisticated delivery techniques that keep their malware hidden for prolonged periods. It is clear that threat actors are paying more attention to orchestrating their campaigns so that they are not caught by security vendors.
