A highly sophisticated and persistent campaign involving the delivery of the AsyncRAT malware has been underway for the past 11 months, utilizing an extensive array of over 100 domains and hundreds of unique loader samples. AsyncRAT, a publicly available remote access tool (RAT) for Windows, facilitates various malicious activities including remote command execution, keylogging, data exfiltration, and deploying additional payloads. The perpetrators behind this campaign strategically target specific individuals and companies, particularly those managing critical infrastructure in the United States. The attacks commence with malicious emails carrying GIF attachments leading to SVG files, initiating the download of obfuscated JavaScript and PowerShell scripts.
The loader, after passing anti-sandboxing checks, communicates with a command and control (C2) server to determine the eligibility of the victim for AsyncRAT infection. Notably, the hardcoded C2 domains are hosted on BitLaunch, allowing anonymous payments in cryptocurrency, a preferred choice for cybercriminals seeking to remain covert. In the event the loader detects an analysis environment, it deploys decoy payloads to mislead security researchers and threat detection tools. The loader’s anti-sandboxing system involves PowerShell commands to retrieve system information and calculate a score indicating whether it operates in a virtual machine, adding an additional layer of complexity to detection efforts.
AT&T Alien Labs, which investigated the campaign after observing a spike in phishing emails targeting specific individuals, identified 300 unique samples of the loader used in the past 11 months. The loader exhibits variations in code structure, obfuscation, and variable names and values. Additionally, the threat actors employ a domain generation algorithm (DGA) that generates new C2 domains every Sunday, with specific characteristics such as a “top” TLD, eight random alphanumeric characters, registration in Nicenic.net, a South African country code, and hosting on DigitalOcean. While the researchers did not attribute the attacks to a specific adversary, they emphasized the threat actors’ commitment to discretion, evident in the meticulous effort to obfuscate the malware samples. AT&T Alien Labs has provided indicators of compromise and signatures for threat detection software to aid in identifying intrusions associated with this complex AsyncRAT campaign.
