January 7, 2024 at 03:37PM
An ongoing campaign has been distributing the AsyncRAT malware for the past 11 months, utilizing various loader samples and domains. AsyncRAT, a Windows remote access tool, facilitates unauthorized access, data theft, and malware deployment. The attacks target specific individuals and companies, employing sophisticated techniques to avoid detection. Researchers provide detection indicators for potential intrusion.
Based on the meeting notes, the key takeaways are:
1. The campaign delivering the AsyncRAT malware to select targets has been active for at least the past 11 months, utilizing hundreds of unique loader samples and more than 100 domains.
2. AsyncRAT is an open-source remote access tool for Windows, publicly available since 2019, and has been heavily used by cybercriminals for various malicious activities.
3. Microsoft security researcher Igal Lytzki and AT&T’s Alien Labs team have been actively tracking the attacks and have identified specific characteristics of the campaign.
4. The attacks begin with a malicious email carrying a GIF attachment that leads to an SVG file, which then downloads obfuscated JavaScript and PowerShell scripts.
5. The loader communicates with a command and control (C2) server and employs anti-sandboxing checks to determine if the victim is eligible for the AsyncRAT infection.
6. BitLaunch, a service allowing anonymous payments in cryptocurrency, hosts the hardcoded C2 domains utilized by the loader.
7. The loader employs a series of verifications using PowerShell commands and has used 300 unique samples in the past 11 months, each with minor alterations to increase obfuscation and evade detection.
8. The threat actors use a domain generation algorithm (DGA) to generate new C2 domains every Sunday, with specific characteristics, and AT&T was able to decode the logic behind the domain generation system.
9. The attacks are attributed to threat actors who value discretion and have put effort into obfuscating the samples.
10. AT&T’s Alien Labs has provided indicators of compromise and signatures for threat detection software, such as Suricata, to help companies detect intrusions associated with this AsyncRAT campaign.
These takeaways provide a comprehensive understanding of the ongoing threat and the identified patterns and behaviors associated with the campaign.