Last Updated on 27/01/2022 by Nidhi Khandelwal
A new, sophisticated phishing attack that delivers the AsyncRAT trojan has been identified as part of a malware campaign that began in September 2021.
The attacks start with an email message carrying an HTML attachment that looks like an order confirmation receipt (for example, Receipt-<digits>.html). When the recipient opens the decoy file, they are directed to a web page that asks them to save an ISO file.
When the victim opens the ISO file, it is mounted as a DVD drive on the Windows host. It contains either a .BAT or a .VBS file that continues the infection chain by executing a PowerShell command to fetch a next-stage component.
This causes a .NET module to be executed in memory, which then functions as a dropper for three files, each of which acts as a trigger for the next, to deliver AsyncRAT as the final payload, while also scanning for antivirus protection and setting up Windows Defender exclusions.
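
For defenders, the chain described above leaves a recognisable process lineage. The following triage sketch is an added example, not code from the original report: the event field names, the fixed-drive list, and the assumption that exclusions are added with the Defender `Add-MpPreference`/`Set-MpPreference` cmdlets are all illustrative, and the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: drive letters of the host's fixed disks; an ISO opened in
# Explorer is mounted under some other letter.
FIXED_DRIVES = {"C:"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:bat|vbs))', re.I)
# Assumption: exclusions are changed through the Defender preference cmdlets.
EXCLUSION_RE = re.compile(r'(?:Add|Set)-MpPreference\b.*-Exclusion', re.I)

def script_on_mounted_drive(cmdline):
    """Return the .bat/.vbs path if it sits on a non-fixed drive, else None."""
    m = SCRIPT_RE.search(cmdline)
    if m and PureWindowsPath(m.group(1)).drive.upper() not in FIXED_DRIVES:
        return m.group(1)
    return None

def exe_name(image):
    return PureWindowsPath(image).name.lower()

def triage(events):
    """Return (pid, reason) pairs for process-creation events matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if exe_name(e["image"]) in SCRIPT_HOSTS and script_on_mounted_drive(e["cmdline"]):
            findings.append((e["pid"], "script run from mounted image"))
        if exe_name(e["image"]) == "powershell.exe":
            if (parent and exe_name(parent["image"]) in SCRIPT_HOSTS
                    and script_on_mounted_drive(parent["cmdline"])):
                findings.append((e["pid"], "powershell spawned by script on mounted image"))
            if EXCLUSION_RE.search(e["cmdline"]):
                findings.append((e["pid"], "defender exclusion change"))
    return findings

# Constructed sample events (hypothetical field names, not campaign data).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "E:\Receipt.vbs"'},
    {"pid": 300, "ppid": 200, "image": PS, "cmdline": "powershell.exe -Command <placeholder>"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\build.bat"'},
    {"pid": 500, "ppid": 400, "image": PS,
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Temp"},
]
```

Calling `triage(SAMPLE)` flags the script launched from the mounted drive, its PowerShell child, and the exclusion change, while the batch file run from the fixed disk is ignored.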