G DATA Security Lab has discovered a sophisticated malware operation that used Bitbucket, a popular code hosting platform, to propagate AsyncRAT, a well-known remote access trojan.
According to the study, the attackers employed a multi-stage assault strategy, exploiting Bitbucket to host and disseminate malware payloads while circumventing detection.
The malware operators employed multiple layers of Base64 encoding to obfuscate the code and hide the true nature of the assault. “After peeling back those layers we were able to uncover the full story and key indicators of compromise (IOCs) we found while analyzing the AsyncRAT payload delivery,” the report explains.
Bitbucket's trustworthy reputation as a software development platform has made it a popular target for attackers. The perpetrators employed Bitbucket repositories to host a variety of malicious payloads, including the AsyncRAT.
"Attackers have turned to Bitbucket, a popular code hosting platform, to host their malicious payloads," the researchers wrote, emphasising that this strategy gives "legitimacy" and "accessibility" for propagating the malware.
Modus operandi
The attack starts with a phishing email that includes a malicious VBScript file called "01 DEMANDA LABORAL.vbs," which runs a PowerShell command. This initial stage obfuscates and delivers the payload via many levels of string manipulation and Base64 encoding. "The VBScript constructs and executes a PowerShell command, effectively transitioning the attack to the next stage," according to the report.
The second stage involves the PowerShell script downloading a file from a Bitbucket repository. This file, named "dllhope.txt," contains a Base64-encoded payload that is decrypted into a.NET built file, disclosing the true nature of the AsyncRAT malware.
When successfully deployed, AsyncRAT gives attackers complete remote control over the infected system. "AsyncRAT provides attackers with extensive control over infected machines, enabling them to perform a wide range of malicious activities," according to G DATA's investigation. These actions include remote desktop control, file management, keylogging, access to webcams and microphones, and unauthorised command execution.
The report also illustrates how attackers exploit anti-virtualization measures to evade detection in sandbox environments. "If the flag parameter contains '4,' the code checks for the presence of virtualisation tools like VMware or VirtualBox, likely to avoid analysis," indicated G DATA. Persistence is achieved through a variety of tactics, including Windows registry alterations and the establishment of startup shortcuts, which ensure the malware remains active even after the system reboots.