December 11, 2023 at 04:13AM
The blog entry discusses the Analyzing AsyncRAT’s Code Injection into Aspnet_Compiler.exe Across Multiple Incident Response Cases, highlighting how the malware misuses legitimate processes for malicious activities and demonstrates evolving adversary tactics. It emphasizes the malware’s capabilities, infection chain, and strategies for evading detection. The entry also provides mitigation strategies and recommendations for organizations and includes the names of the authors: Buddy Tancio, Fe Cureg, and Maria Emreen Viray.Date: December 11, 2023.
From the meeting notes, it is clear that the MxDR team identified a concerning threat involving the use of AsyncRAT, a Remote Access Tool with various capabilities, including keylogging and remote desktop control. The malware infection chain across different cases was highlighted, underscoring the evolving tactics of malicious actors. There were detailed findings about the installation chain of the AsyncRAT, including the creation of autostarts, download and execution of payloads, and process injection to aspnet_compiler.exe for command-and-control connection via dynamic DNS.
The investigation traced the trigger for the infection to a file initially downloaded through Google Chrome, which was then extracted and contained a script file named downloadedFile_SSAfnmedd.wsf. The extraction of the ZIP file and the execution of the script led to the creation and execution of multiple PowerShell and VBScript files. The entire process was methodically explained with relevant insights.
The investigation further delved into the analysis of the scripts and the decoded AsyncRAT payload, showcasing the malware’s keylogging capabilities, its usage of dynamic host servers, and the ability to gather various client information. The meeting notes also provided detailed analysis of the recent trends in AsyncRAT infections, including tactics employed for evasion. Additionally, recommendations for mitigation and prevention strategies were discussed, emphasizing the significance of 24/7 monitoring, email security, and user education.
The meeting notes were comprehensive and provided a detailed insight into the threat landscape analyzed by the MxDR team. The takeaway is the thorough investigation conducted by the team, which highlighted the potential risks and the importance of proactive threat detection and prevention measures.