11 Months of AsyncRAT: Targeted with Precision and Evasion in Mind

An ongoing cybersecurity threat campaign focused on delivering the AsyncRAT (Remote Access Trojan) is reported by AT&T Alien Lab security researcher, Fernando Martinez. This campaign, spanning at least 11 months, presents a concerning risk due to the open-source nature of the RAT, granting threat actors easy access to abuse this tool. The threat actors orchestrating this campaign exhibit a level of precision in their target selection. Of particular concern is their inclusion of high-value targets, including those responsible for "managing key infrastructure in the US," Martinez notes. Samples of AsyncRAT analyzed by Alien Labs exceeded over 300 samples which included over 100 domains.

During the 11 months from February 2023 to December 2023, a surge in activity was reported during August and early September 2023. The highest volume of malicious samples was observed in order during the months of October, November, and August. The infection chain of this campaign involves the use of phishing emails targeting specific individuals in certain companies. These emails lead victims to malicious JavaScript files embedded in phishing web pages. These JavaScript files are highly obfuscated and contain long strings with randomly positioned words, making analysis and detection challenging. The campaign also uses obfuscated PowerShell scripts in later stages. The ultimate goal is to execute an AsyncRAT client on the victim's system.

The threat actors place heavy emphasis on efforts to evade defenses. "On top of modifying the C&C and URL every so often, the threat actor tries to generate a completely new version of the loader for each victim. The new files carry new randomized variable names, or a new constant subtracted to get the ASCII representation of the URL, which makes detection techniques difficult to perform consistently," Martinez explains. They also employ domain generation algorithms (DGA) to generate new domains regularly, making it challenging to block their infrastructure. Additionally, the threat actors use anti-sandboxing techniques to determine if a system is a virtual machine or sandbox, allowing them to avoid detection by sandbox technology.

The network infrastructure used in this campaign includes domains with uncommon characteristics, such as top-level domains (TLDs), eight random alphanumeric characters, and registrant organization names like 'Nicenic.net, Inc.' These domains are updated frequently, and some are generated automatically based on the current date, allowing the threat actors to continuously change their command and control (C&C) domains. The hosting of these domains is observed on providers like BitLaunch and DigitalOcean, with some connections to cryptocurrency payments. The Alien Labs team refrained from attributing the campaign to any particular adversary or threat group.