Stealthy AsyncRAT Malware Attacks Targets US Infrastructure For 11 Months

Security researchers have uncovered a new campaign that has been delivering AsyncRAT malware to select targets for the last 11 months using hundreds of unique loader samples and more than 100 domains. The campaign was initially discovered by a security researcher from Microsoft, Igal Lytzki, who spotted attacks last summer that were delivered over hijacked email threads. However, Lytzki was unable to retrieve the final payload. Moving onto September, a team of researchers at AT&T's Alien Labs noticed "a spike in phishing emails, targeting specific individuals in certain companies.” Upon conducting a further investigation, they uncovered that these phishing emails were being used to distribute AysncRAT to targeted victims, some of which included entities responsible for key infrastructure in the U.S. For its part, AsyncRAT is an open-source remote access tool that comes with features enabling remote command execution, keylogging, data exfiltration, and dropping additional payloads. In the past couple of years, cybercriminals have abused this tool to establish a foothold in victim environments, steal files and data, and deploy additional malware.

Security Officer Comments:
The attacks start with an email carrying a GIF attachment that leads to an SVG file which in turn leads to the download of obfuscated JavaScript and PowerShell scripts as well as the final AsyncRAT client. According to AT&T's Alien Labs, the actor behind the latest campaign has used 300 unique loader samples in the last 11 months which contain alterations in the code structure, obfuscation, and variable names and values. To prevent execution within an analysis environment, the loader samples will conduct anti-sandboxing checks before contacting the C2 server and loading AsyncRAT. If detected, the loader will deploy decoy payloads to mislead security researchers and tools.

Another technique employed by the actors is that they are using a domain generation algorithm that will generate new C2 domains every Sunday, making it difficult to track and take down AsyncRAT infrastructure. Researchers say these domains follow a specific structure including the use of a “top” TLD and a naming convention that contains eight random alphanumeric characters. These domains are also registered in Nicenic[.]net, use South Africa for the country code, and are hosted on DigitalOcean.

Suggested Corrections:
The latest campaign has yet to be attributed to a known group. However, the team at AT&T was able to decode the domain generation system employed by the group and further predict the domains that will be generated and assigned to AsyncRAT throughout January of this year. IOCs have been included for this campaign which security professionals can use to detect and avoid potential intrusions. Please refer to the link below to access these IOCs: