AsyncRAT Operators Adopt New Evasive Delivery Technique

What’s the new campaign about?

• According to Morphisec researchers, the ongoing campaign has been active for around five months with the earliest incident traced back to September 12, 2021. 
• In most cases, the victims receive an email message with an HTML attachment in the form of a receipt. If opened, the recipient sees a web page requesting them to save a downloaded ISO file. 
• The ISO is not downloaded from a remote server but created within the victim’s browser by using the JS code embedded in the HTML receipt file.

A three-staged operation

• In the first stage, once the user opens the generated ISO, it is automatically mounted as a DVD Drive that includes a .bat or .vbs file. These files download/execute PowerShell process execution.
• In the second stage, the PowerShell is executed, which is responsible for multiple tasks such as establishing persistence, executing a dropped .vbs file, and injecting the DotNET module payload in-memory.
• In the third stage, the injected DotNET module fills the role of a dropper. The dropper creates three files, Net[.]vbs, Net[.]bat, and Net[.]ps1.
• At last, AsyncRAT is delivered as the final payload that hides inside a genuine DotNet process (aspnet_compiler[.]exe).

Conclusion