Unraveling AsyncRAT: A Deep Dive into Phishing Email Threats
Introduction
On August 29, 2024, eSentire's Threat Response Unit (TRU) released a bulletin detailing a recent investigation into an AsyncRAT infection delivered through phishing emails. The investigation revealed a sophisticated malware campaign leveraging Windows Script Files (.wsf) to distribute a remote access trojan (RAT) and an infostealer plugin, highlighting the persistent threat of email-based attacks.
Report Overview
The discovery of this malware campaign began in August 2024 when eSentire's TRU identified an infection stemming from the execution of a .wsf file. Although the original phishing email could not be retrieved, the TRU team assessed with high confidence that it contained a malicious archive as an attachment. The infection vector highlighted the ongoing risk posed by phishing emails as a method for delivering malware.
The initial payload was a .wsf file, named with a "SummaryForm_" prefix (MD5: 154cc0f462c85b494a45b7531f3a9f03). This file contained HTML character entities that triggered the download of a VBScript disguised as a text file from a remote server. Once downloaded, the script executed a series of actions to maintain persistence and facilitate further payloads.
- The VBScript used the Start-BitsTransfer cmdlet to download a file masquerading as an image, which was then saved as a ZIP file in the system's Public directory. This ZIP file was extracted and the VBScript inside it was executed, initiating a chain of malicious scripts and batch files.
- The malware established persistence by creating a scheduled task named "MicrosoftEdgeUpdate500," which executed another VBScript every two minutes. This script, in turn, executed additional batch files and PowerShell scripts designed to deploy the AsyncRAT payload.
- The AsyncRAT payload was injected into the RegAsm.exe process using a DLL file (MD5: dcce5bc3e27295a1cbe13a411244fe93). The malware used obfuscated strings so that the RAT could operate without being flagged by signature-based detection.
- The RAT was equipped with an info stealer plugin that targeted browsers such as Chrome, Firefox, and Brave, as well as cryptocurrency wallet extensions like MetaMask and Binance. This plugin exfiltrated sensitive data, potentially compromising user credentials and financial information.
The infection's impact could be severe, especially for individuals and organizations with cryptocurrency assets or sensitive browser-stored data. By compromising multiple browsers and wallet extensions, the attackers could gain unauthorized access to financial accounts, leading to potential financial loss and data breaches. Process injection and obfuscation techniques also make detection and remediation more challenging, increasing the risk of prolonged exposure to the threat.
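The chain above leaves three host-side traces a defender can check for directly: a scheduled task that runs a script host on a short repeat interval (or from the Public directory), files in staging directories whose MD5 matches the bulletin's IOC table, and BITS jobs that fetched the payload. The following PowerShell triage script is an added example, not code from eSentire or the bulletin; the list of script hosts, the five-minute interval threshold and the directories swept are assumptions chosen for this example, while the task name and hashes are taken from the bulletin.

```powershell
# Added example (not from the eSentire bulletin): triage a Windows host for the
# persistence and staging pattern described above. Run in an elevated session.
# Script-host list, interval threshold and swept paths are assumptions.

$scriptHosts = 'wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe'
$maxInterval = [TimeSpan]::FromMinutes(5)
$knownTask   = 'MicrosoftEdgeUpdate500'            # task name reported in the bulletin
$knownHashes = @(                                   # MD5s from the bulletin's IOC table
    '154cc0f462c85b494a45b7531f3a9f03', 'a332817fd302e05b131c7a7a0cdb1a04',
    'c86280bd532eec707f106542a4458400', '1eefdb23f7c63922756eafb532127b8e',
    'ac0f2aa2c5caf791f0310c2c07a1e1c3', 'ec348cf15e839b8912862352bc916d22',
    'dcce5bc3e27295a1cbe13a411244fe93', '315bc30cd580b750b4afc294fa38a8bc'
)

function Find-SuspiciousScriptTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # A task can have several triggers; remember the shortest repeat interval
        $shortest = $null
        foreach ($trigger in $task.Triggers) {
            if ($trigger.Repetition.Interval) {         # ISO 8601 duration, e.g. PT2M
                $iv = [Xml.XmlConvert]::ToTimeSpan($trigger.Repetition.Interval)
                if (-not $shortest -or $iv -lt $shortest) { $shortest = $iv }
            }
        }
        $shortRepeat = $shortest -and ($shortest -le $maxInterval)

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # skip non-Exec actions
            $exe       = [IO.Path]::GetFileName($action.Execute).ToLower()
            $hostMatch = $scriptHosts -contains $exe
            $publicDir = "$($action.Arguments)" -match '(?i)\\Users\\Public\\'

            $reason = $null
            if ($task.TaskName -eq $knownTask)       { $reason = 'known IOC task name' }
            elseif ($hostMatch -and $shortRepeat)    { $reason = 'script host on short repeat' }
            elseif ($hostMatch -and $publicDir)      { $reason = 'script host run from Users\Public' }
            if (-not $reason) { continue }

            [PSCustomObject]@{
                TaskName  = $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Interval  = $shortest
                Reason    = $reason
            }
        }
    }
}

function Find-KnownHashes {
    param([string[]]$Paths = @($env:PUBLIC, $env:TEMP))   # assumed staging locations
    Get-ChildItem -Path $Paths -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($h -and ($knownHashes -contains $h.ToLower())) {
            [PSCustomObject]@{ Path = $_.FullName; MD5 = $h.ToLower() }
        }
    }
}

function Get-BitsJobSummary {
    # Start-BitsTransfer leaves a job record; list remote URLs for every user's jobs
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Select-Object DisplayName, JobState, OwnerAccount,
            @{ n = 'Remote'; e = { ($_.FileList | ForEach-Object RemoteName) -join ', ' } }
}

Find-SuspiciousScriptTasks | Format-Table -AutoSize
Find-KnownHashes           | Format-Table -AutoSize
Get-BitsJobSummary         | Format-Table -AutoSize
```

Completed BITS jobs are removed from the queue, so the job listing mainly catches in-flight or failed transfers; for historical downloads, query the Microsoft-Windows-Bits-Client/Operational event log. The hash sweep only covers the files in the IOC table, so treat an empty result as "these specific artifacts are absent", not as a clean bill of health; the scheduled-task check is the more durable signal because it keys on behaviour rather than on hashes.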
Insights and Analysis
This investigation into AsyncRAT and its infostealer plugin demonstrates the enduring danger of phishing emails and the sophisticated methods attackers use to compromise systems. The TRU team emphasized the continuing threat of phishing emails as a vector for delivering sophisticated malware, and their analysis showed how attackers' tactics evolve to bypass security measures and achieve persistence within targeted systems. Maintaining vigilance and adopting the following recommended security measures are essential to protect against such threats:
- Ensure all devices are protected with Endpoint Detection and Response (EDR) solutions to detect and respond to malicious activities.
- Implement Phishing and Security Awareness Training (PSAT) programs to educate employees on recognizing and avoiding phishing emails.
- Modify the default "open-with" settings for script files so they open in a basic text editor, reducing the risk of accidental execution.
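The last recommendation can be applied centrally by rewriting the shell "open" command for the Windows Script Host file classes so that double-clicking a .wsf, .vbs or .js file opens it in Notepad rather than running it. The script below is an added example, not the bulletin's or eSentire's own tooling; the set of ProgIDs is an assumption covering the usual script-host extensions, and the change is made under HKLM, which a per-user entry under HKCU\Software\Classes would still override.

```powershell
# Added example (not from the eSentire bulletin): point the "Open" verb of the
# Windows Script Host file classes at Notepad. Requires an elevated session.
# The ProgID list is an assumption; verify it against the assoc/ftype output
# on your build before rolling out.

$progIds = 'WSFFile', 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSHFile'
$notepad = '"%SystemRoot%\System32\notepad.exe" "%1"'

function Set-ScriptOpenToNotepad {
    param([switch]$WhatIf)
    foreach ($progId in $progIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $key)) {
            Write-Warning "$progId has no Open command on this system; skipping"
            continue
        }
        $current = (Get-ItemProperty -Path $key -Name '(default)').'(default)'
        Write-Host "$progId : $current -> $notepad"
        if (-not $WhatIf) {
            # ExpandString keeps %SystemRoot% expandable, matching the stock value's type
            Set-ItemProperty -Path $key -Name '(default)' -Value $notepad -Type ExpandString
        }
    }
}

function Test-ScriptOpenToNotepad {
    # Report every class whose Open command does not go through Notepad,
    # checking the per-user hive first because it takes precedence over HKLM
    foreach ($progId in $progIds) {
        $cmd = $null
        foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
            $key = "$hive\$progId\Shell\Open\Command"
            if (Test-Path $key) {
                $cmd = (Get-ItemProperty -Path $key -Name '(default)').'(default)'
                break
            }
        }
        [PSCustomObject]@{
            ProgId   = $progId
            Command  = $cmd
            Hardened = [bool]($cmd -and $cmd -match '(?i)notepad\.exe')
        }
    }
}

Set-ScriptOpenToNotepad -WhatIf      # preview; drop -WhatIf to apply
Test-ScriptOpenToNotepad | Format-Table -AutoSize
```

This change only affects what Explorer does on a double-click; a script invoked explicitly through wscript.exe or cscript.exe, as the scheduled task in this campaign does, still runs. Pair it with application control (AppLocker or WDAC rules for the script hosts) and with the EDR coverage recommended above, and re-run Test-ScriptOpenToNotepad periodically, since software installs and Windows feature updates can restore the stock associations.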
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 154cc0f462c85b494a45b7531f3a9f03 | File Hash (MD5) | Hash of the malicious .wsf file named with a "SummaryForm_" prefix. |
| a332817fd302e05b131c7a7a0cdb1a04 | File Hash (MD5) | Hash of the VBScript file fetched by the .wsf file. |
| c86280bd532eec707f106542a4458400 | File Hash (MD5) | Hash of the ZIP file masquerading as an image. |
| 1eefdb23f7c63922756eafb532127b8e | File Hash (MD5) | Hash of the VBS script executed by the malware. |
| ac0f2aa2c5caf791f0310c2c07a1e1c3 | File Hash (MD5) | Hash of the batch file executed by the VBS script. |
| ec348cf15e839b8912862352bc916d22 | File Hash (MD5) | Hash of the batch file executed by the second VBS script. |
| dcce5bc3e27295a1cbe13a411244fe93 | File Hash (MD5) | Hash of the "NewPE2.dll" file used for process hollowing in RegAsm.exe. |
| 315bc30cd580b750b4afc294fa38a8bc | File Hash (MD5) | Hash of the PowerShell script creating a scheduled task for persistence. |
| hxxp://104.243.37[.]35:222/bfbupdeuiterborm/uzopuzbkrpcziwca.txt | URL | URL from which the VBScript is downloaded. |
| hxxp://104.243.37[.]35:222/bfbupdeuiterborm/lAOdPuUqwXLVFvqT.jpg | URL | URL from which the ZIP file masquerading as an image is downloaded. |
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution | Scripting | T1059.001 | Using a script (e.g., VBScript) to execute malware on the system. |
| Persistence | Scheduled Task/Job | T1053.005 | Creating a scheduled task to run malicious scripts for persistence. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Obfuscating strings and script contents to avoid detection. |
| Privilege Escalation | Process Injection | T1055.012 | Injecting malicious code into a legitimate process (RegAsm.exe) to evade defenses. |
| Collection | Input Capture | T1056 | Capturing input data (e.g., credentials) using an infostealer plugin. |