Saturday, June 22, 2024

Hackers Deliver AsyncRAT Through Weaponized WSF Script Files

The AsyncRAT malware, which was previously distributed through files with the .chm extension, is now being disseminated via WSF script format. The WSF file was found to be disseminated in a compressed file (.zip) format through URLs included in emails.

AsyncRAT spreads through a variety of strategies and tactics. Malspam and phishing efforts, which mimic legitimate messages like DHL shipment updates with malicious file attachments, are the most prevalent infection vectors.

Threat actors are still creating and using cutting-edge and unique ways to spread AsyncRAT, such as “fileless” injection, which loads the main AsyncRAT binary into memory and runs it without requiring the target system to have a file installed.

How is the AsyncRAT Disseminated via WSF Script?

The AhnLab Security Emergency Response Center (ASEC) reports that the downloaded zip file is decompressed to produce a file with the .wsf file extension. 

This file just has one <script> tag in the middle and is primarily made up of comments, as seen in the image below.

https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2023/11/image-81.png?resize=702%2C360&ssl=1
The download link in the WSF script

Upon executing this script, a Visual Basic script is downloaded and executed. From the same C2 address, this script downloads a.jpg file, which is a zip file masquerading as a jpg file.

https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2023/11/image-97.png?resize=1024%2C361&ssl=1
The attack flow

It then converts this jpg file’s extension to.zip before decompressing it. An XML file containing the command string to launch the Error.vbs file included in the compressed file is produced and executed using PowerShell

Before loading and running the binary, the last file to be executed, pwng.ps1, converts the contained strings into a.NET binary.

https://i0.wp.com/asec.ahnlab.com/wp-content/uploads/2023/11/image-98.png?resize=1024%2C511&ssl=1
PowerShell script launching a fileless attack

Three obfuscated variables are used in these phases such as:

  • $jsewy: Malware that performs the features of AsyncRAT 
  • $jsewty: Malware that performs the injection feature
  • $KRDESEY: The process the malware is injected into

“The malware executed in the end is identified as AsyncRAT which has information exfiltration and backdoor features”, researchers said.

Recommendation

The threat actor uses complex fileless techniques without the need for EXE files to spread the same malware in different ways.

When opening files or external links from emails, users should always exercise caution. Users are advised to utilize security product monitoring tools to recognize and block access from threat actors.

Website

Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from Promokit.eu for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles