
HTML attachments are now a new technique for hackers


Last Updated on 27/01/2022 by Nidhi Khandelwal

A new phishing campaign, part of a malware operation that began in September 2021, has been identified delivering the AsyncRAT remote access trojan.


The attacks start with an email carrying an HTML attachment disguised as an order confirmation receipt (for example, Receipt-<digits>.html). When the recipient opens the decoy file, the page it renders prompts them to save an ISO file.

Unlike earlier RAT campaigns that send victims to a phishing URL hosting the next-stage download, this campaign uses JavaScript to assemble the ISO locally from Base64-encoded text embedded in the attachment and to mimic a normal download, a technique known as HTML smuggling. Because no file is ever fetched from the internet, there is no download URL for a web proxy or URL-reputation filter to block; the only thing that crosses the mail gateway is a text attachment.

“A JavaScript code hidden inside the HTML receipt file generates the ISO download from within the victim’s browser, not from a distant server,” researcher Dereviashkin said.
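To make the technique concrete, here is an added triage script (not code from the article, the researchers, or the campaign) that scans an HTML attachment for the browser calls HTML smuggling relies on, recovers the Base64 blob the page would decode client-side, and checks whether the decoded bytes carry an ISO 9660 volume descriptor. The indicator list, the 1 KiB Base64 threshold, and the sample "receipt" page with its blank ISO image are all assumptions constructed for this example; it runs under plain Node.js with no dependencies.

```javascript
// Added example (not code from the article or the campaign): triage an HTML
// attachment for HTML-smuggling indicators and recover the ISO it would build
// client-side. Plain Node.js, no dependencies. All sample data is constructed.

// Browser APIs a smuggling page needs to turn an in-page Base64 string into a
// saved file. Two or more of these plus a large Base64 literal is the signal.
const SMUGGLING_APIS = [
  'atob(',
  'new Blob(',
  'URL.createObjectURL(',
  'msSaveOrOpenBlob(',
  '.download =',
];

// Find the API markers and the first quoted Base64 literal of at least 1 KiB
// (threshold is an assumption; real payloads are far larger).
function findSmugglingIndicators(html) {
  const apis = SMUGGLING_APIS.filter((s) => html.includes(s));
  const m = html.match(/["']([A-Za-z0-9+/]{1024,}={0,2})["']/);
  return { apis, base64: m ? m[1] : null };
}

// ISO 9660 primary volume descriptor: type byte 0x01 at 0x8000, "CD001" at 0x8001.
function looksLikeIso(buf) {
  return buf.length > 0x8006 && buf.toString('latin1', 0x8001, 0x8006) === 'CD001';
}

// Decode what the page would hand to the browser's download logic and report
// what a mail gateway or analyst would want to know about it.
function triageHtmlAttachment(html) {
  const ind = findSmugglingIndicators(html);
  const payload = ind.base64 ? Buffer.from(ind.base64, 'base64') : null;
  const nameMatch = html.match(/\.download\s*=\s*["']([^"']+)["']/);
  return {
    suspicious: ind.apis.length >= 2 && payload !== null,
    apis: ind.apis,
    payloadBytes: payload ? payload.length : 0,
    payloadIsIso: payload ? looksLikeIso(payload) : false,
    downloadName: nameMatch ? nameMatch[1] : null,
  };
}

// --- Constructed sample: a minimal "receipt" page that builds an ISO in the
// browser. The ISO is a blank image with only a valid primary volume descriptor.
const FAKE_ISO = Buffer.alloc(0x8800);
FAKE_ISO[0x8000] = 0x01;                 // descriptor type: primary
FAKE_ISO.write('CD001', 0x8001, 'latin1'); // standard identifier
FAKE_ISO[0x8006] = 0x01;                 // descriptor version
const FAKE_ISO_B64 = FAKE_ISO.toString('base64');

const SAMPLE_HTML = `<html><body>
<p>Your order receipt is being prepared...</p>
<script>
  const b64 = "${FAKE_ISO_B64}";
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const blob = new Blob([bytes], { type: "application/octet-stream" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Receipt-123456.iso";
  a.click();
</script>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageHtmlAttachment(SAMPLE_HTML));
  console.log(triageHtmlAttachment('<html><body><p>Order received.</p></body></html>'));
}
```

The point of decoding the blob rather than just flagging the API calls is that the attachment itself is the malware container: the ISO can be carved straight out of the email for sandboxing, with no network fetch. Real samples usually obfuscate the Base64 string (split across concatenated literals, reversed, or XOR'd before atob), so string matching like this illustrates the indicators and is not a substitute for detonating the HTML in a browser sandbox.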


When the victim opens the ISO file, Windows mounts it as a virtual DVD drive. The image contains either a .BAT or a .VBS file that continues the infection chain by running a PowerShell command to fetch the next-stage component. ISO containers are attractive to attackers because, at the time of this campaign, files inside a mounted image did not carry the Mark-of-the-Web that triggers SmartScreen and other download warnings.

The PowerShell command loads a .NET module in memory, which acts as a dropper for three files, each of which triggers the next, until AsyncRAT is delivered as the final payload. Along the way the chain checks for installed antivirus products and adds Windows Defender exclusions, so the exclusion changes themselves are a useful detection point for defenders.

Nidhi Khandelwal is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breaches.