
A new highly evasive technique used to deliver the AsyncRAT Malware


Researchers from Morphisec spotted a sophisticated phishing campaign that has been delivering the AsyncRAT trojan since September 2021.

The phishing messages carry an HTML attachment disguised as an order confirmation receipt (e.g., Receipt-<digits>.html). The experts pointed out that the malware employed had the lowest detection rates as shown on VirusTotal.

AsyncRAT phishing campaign

Upon opening the file, a webpage is displayed that asks the recipient to save a downloaded ISO file. The experts noticed that the ISO is not downloaded from a remote web server; instead, it is generated within the victim’s browser by JavaScript code embedded inside the HTML receipt file.

“When the victim decides to open the receipt, they see the following webpage that requests them to save a downloaded ISO file. They believe it’s a regular file download that will go through all the channels of gateway and network security scanners. Surprisingly, that’s not the case.” reads the report published by Morphisec. “In fact, the ISO download is generated within the victim’s browser by the JavaScript code that is embedded inside the HTML receipt file, and it is not downloaded from a remote server.”

The ISO file is delivered as a Base64 string; upon opening it, the image is automatically mounted as a DVD drive. The ISO image includes either a .BAT or a .VBS file; when the recipient opens one of them, it retrieves the next-stage component via PowerShell command execution.
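The delivery described above (an HTML attachment whose embedded JavaScript turns a Base64 blob into a "downloaded" ISO in the browser, so no file ever crosses a network gateway) can be triaged statically before anyone opens it. The following is an added defender-side example, not code from the article or from Morphisec: it scans an HTML attachment for the browser APIs needed to build a client-side download, pulls out the largest Base64 blob, decodes it and checks for the ISO 9660 "CD001" signature. The sample HTML, the fake ISO, the indicator list and all function names are constructed here and are not taken from the campaign.

```python
"""Static triage of an HTML attachment for browser-side ISO generation.

Added example (not from the Security Affairs article or Morphisec's report).
All inputs below are constructed; function names and indicator patterns are
this example's own assumptions.
"""
import base64
import re
from typing import Optional

# Browser APIs involved in turning an in-page string into a file download,
# plus an image-like download name. Two or more together are worth a look.
JS_DOWNLOAD_APIS = [
    r"atob\(", r"new\s+Blob\(", r"URL\.createObjectURL\(",
    r"msSaveOrOpenBlob\(", r"\.download\s*=", r"\.(iso|img)['\"]",
]
# A Base64 run long enough to carry a file rather than an inline icon.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")
# ISO 9660: "CD001" sits at byte 1 of sector 16 (2048-byte sectors).
ISO_SIG_OFFSET = 0x8001


def find_js_indicators(html: str) -> list[str]:
    """Return the indicator patterns that appear in the HTML."""
    return [p for p in JS_DOWNLOAD_APIS if re.search(p, html)]


def extract_largest_b64_blob(html: str) -> Optional[bytes]:
    """Decode the longest Base64 run in the page, or None if there is none."""
    blobs = B64_BLOB.findall(html)
    if not blobs:
        return None
    try:
        return base64.b64decode(max(blobs, key=len), validate=True)
    except ValueError:
        return None


def identify_payload(data: bytes) -> str:
    """Cheap magic-byte check for the two payload kinds the chain uses."""
    if len(data) > ISO_SIG_OFFSET + 5 and data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


def triage_html_attachment(html: str) -> dict:
    """Combine JS indicators and the decoded blob into a verdict dictionary."""
    indicators = find_js_indicators(html)
    payload = extract_largest_b64_blob(html)
    kind = identify_payload(payload) if payload else "none"
    return {
        "js_indicators": indicators,
        "payload_kind": kind,
        "payload_size": len(payload) if payload else 0,
        "suspicious": len(indicators) >= 2 and kind != "none",
    }


def build_sample_html() -> str:
    """Constructed fixture: a receipt page carrying an empty ISO image that has
    only the primary volume descriptor signature set. Not a real sample."""
    fake_iso = bytearray(0x8000 + 2048)
    fake_iso[0x8000:0x8007] = b"\x01CD001\x01"
    b64 = base64.b64encode(bytes(fake_iso)).decode()
    return f"""<html><body>
<p>Your order has been received.</p>
<script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Receipt-0000.iso";
</script></body></html>"""


if __name__ == "__main__":
    print(triage_html_attachment(build_sample_html()))
```

The decoded blob is worth keeping: once it is written to disk as a plain file, ordinary gateway scanners and sandboxes can inspect the ISO and its contents, which is exactly the step the in-browser generation was meant to skip.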

The executed PowerShell script:

  • Establishes persistence through a scheduled task
  • Executes the dropped .vbs file, usually located under %ProgramData%
  • Unpacks a Base64-encoded, deflate-compressed .NET module
  • Injects the .NET module payload in memory (dropper)

The .NET module acts as a dropper for three files:

  • Net.vbs – obfuscated invocation of Net.bat
  • Net.bat – invocation of Net.ps1
  • Net.ps1 – next-stage injection

This chain is designed to deliver the final payload, the AsyncRAT malware, to bypass antimalware software, and to set up Windows Defender exclusions.
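The PowerShell stage and the dropper chain above leave a recognisable footprint: scheduled-task creation, a .vbs under %ProgramData%, a Base64 string fed through a deflate stream, an in-memory assembly load, and Windows Defender exclusions. The following added example (not code from the article, from Morphisec or from the campaign) does two things an analyst would want: it reverses the Base64-plus-raw-deflate encoding the article attributes to the embedded .NET module so the module can be carved out of script-block logs, and it flags the listed behaviours in a captured script. The sample script fragment, its fake MZ payload, the rule names and the function names are all constructed assumptions.

```python
"""Triage of a captured PowerShell stage and recovery of an embedded module.

Added example, not taken from the article or from Morphisec. The sample
script, the embedded bytes, the rule set and the function names are
constructed here.
"""
import base64
import re
import zlib

# Behaviours the article attributes to the PowerShell stage and the dropper.
RULES = {
    "scheduled_task": re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I),
    "programdata_vbs": re.compile(r"ProgramData[\\/][\w.-]*\.vbs", re.I),
    "b64_deflate_unpack": re.compile(r"FromBase64String[\s\S]{0,4000}DeflateStream", re.I),
    "in_memory_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference[^\n]*-Exclusion(Path|Process|Extension)", re.I),
}
# Single-quoted Base64 literals long enough to hold a module.
B64_TEXT = re.compile(r"'([A-Za-z0-9+/]{64,}={0,2})'")


def unpack_b64_deflate(text: str) -> bytes:
    """Base64-decode, then inflate raw deflate (no zlib header, negative wbits)."""
    raw = base64.b64decode(text)
    return zlib.decompress(raw, wbits=-zlib.MAX_WBITS)


def pack_b64_deflate(data: bytes) -> str:
    """Inverse of unpack_b64_deflate; used only to build the constructed sample."""
    c = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return base64.b64encode(c.compress(data) + c.flush()).decode()


def match_rules(script: str) -> list[str]:
    """Names of the rules that fire on the script text."""
    return [name for name, rx in RULES.items() if rx.search(script)]


def recover_embedded_modules(script: str) -> list[bytes]:
    """Try every quoted Base64 literal; keep those that inflate to a PE (MZ)."""
    found = []
    for b64 in B64_TEXT.findall(script):
        try:
            data = unpack_b64_deflate(b64)
        except (ValueError, zlib.error):
            continue  # not Base64, or not raw deflate: skip it
        if data[:2] == b"MZ":
            found.append(data)
    return found


def triage_script(script: str) -> dict:
    """Rule hits plus carved modules; three hits or any carved PE is decisive."""
    hits = match_rules(script)
    modules = recover_embedded_modules(script)
    return {
        "rules": hits,
        "embedded_pe_count": len(modules),
        "verdict": "malicious" if len(hits) >= 3 or modules else "review",
    }


def build_sample_script() -> str:
    """Constructed fixture shaped like a script-block log excerpt. The embedded
    'module' is just an MZ header over filler bytes and the plumbing is elided."""
    fake_pe = b"MZ" + bytes(range(256)) * 2
    blob = pack_b64_deflate(fake_pe)
    return f"""
schtasks /create /tn Updater /tr "wscript.exe C:\\ProgramData\\Net.vbs"
Add-MpPreference -ExclusionPath "C:\\ProgramData"
$b = [Convert]::FromBase64String('{blob}')
$ds = New-Object IO.Compression.DeflateStream(..., [IO.Compression.CompressionMode]::Decompress)
[Reflection.Assembly]::Load(...)
"""


if __name__ == "__main__":
    print(triage_script(build_sample_script()))
```

The Defender exclusion rule doubles as a telemetry hint: Add-MpPreference changes also surface as Windows Defender operational-log configuration events, so the same behaviour can be caught even when script-block logging is off.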

“In most cases, attackers have delivered AsyncRAT as the final payload that was hiding within the legitimate .NET aspnet_compiler.exe process.” concludes the report that also includes IoCs.


Pierluigi Paganini
