An ongoing cybersecurity threat campaign focused on delivering the AsyncRAT (Remote Access Trojan) is reported by AT&T Alien Labs security researcher Fernando Martinez. This campaign, spanning at least 11 months, presents a concerning risk because of the open-source nature of the RAT, which gives threat actors easy access to the tool. The threat actors orchestrating this campaign exhibit a level of precision in their target selection. Of particular concern is their inclusion of high-value targets, including those responsible for "managing key infrastructure in the US," Martinez notes. Alien Labs analyzed more than 300 AsyncRAT samples, which involved over 100 domains.
The threat actors place heavy emphasis on efforts to evade defenses. "On top of modifying the C&C and URL every so often, the threat actor tries to generate a completely new version of the loader for each victim. The new files carry new randomized variable names, or a new constant subtracted to get the ASCII representation of the URL, which makes detection techniques difficult to perform consistently," Martinez explains. They also employ domain generation algorithms (DGA) to generate new domains regularly, making it challenging to block their infrastructure. Additionally, the threat actors use anti-sandboxing techniques to determine if a system is a virtual machine or sandbox, allowing them to avoid detection by sandbox technology.
The network infrastructure used in this campaign includes domains with uncommon characteristics, including the top-level domains (TLDs) used, names consisting of eight random alphanumeric characters, and registrant organization names such as 'Nicenic.net, Inc.' These domains are updated frequently, and some are generated automatically based on the current date, allowing the threat actors to continuously change their command and control (C&C) domains. The domains are observed to be hosted on providers such as BitLaunch and DigitalOcean, with some links to cryptocurrency payments. The Alien Labs team refrained from attributing the campaign to any particular adversary or threat group.
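As an added illustration (not part of the report or of Alien Labs' tooling), the following detection heuristic scans constructed DNS query log lines for domains matching the pattern described above: an eight-character random alphanumeric label under an uncommon TLD. The log format, the allowlist of "common" TLDs, and the letters-plus-digits and entropy thresholds are assumptions.

```python
import re
from collections import Counter
from math import log2

# Constructed sample DNS query log lines (not from the report); the format is assumed.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z client=10.0.0.12 query=www.example.com type=A
2024-01-05T10:00:02Z client=10.0.0.12 query=k7x2q9zm.top type=A
2024-01-05T10:00:03Z client=10.0.0.17 query=mail.google.com type=A
2024-01-05T10:00:04Z client=10.0.0.21 query=a3b9c1d4.xyz type=A
2024-01-05T10:00:05Z client=10.0.0.21 query=wordlist.xyz type=A
2024-01-05T10:00:06Z client=10.0.0.33 query=abcdefgh.com type=A
"""

# Assumed allowlist: TLDs treated as common; anything else counts as uncommon.
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "io"}

LINE_RE = re.compile(r"client=(?P<client>[\d.]+)\s+query=(?P<domain>[A-Za-z0-9.-]+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 8 distinct characters give 3.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def is_suspicious(domain: str) -> bool:
    """True when the registrable label is eight random-looking alphanumerics under an uncommon TLD."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label, tld = labels[-2], labels[-1]
    if tld in COMMON_TLDS or len(label) != 8 or not label.isalnum():
        return False
    # Assumed heuristic: require a mix of letters and digits plus high character
    # diversity so ordinary eight-letter words are not flagged.
    has_letter = any(ch.isalpha() for ch in label)
    has_digit = any(ch.isdigit() for ch in label)
    return has_letter and has_digit and shannon_entropy(label) >= 2.5


def find_suspicious_queries(log_text: str) -> list[tuple[str, str]]:
    """Return (client, domain) pairs from the log whose queried domain matches the heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_suspicious(m.group("domain")):
            hits.append((m.group("client"), m.group("domain")))
    return hits


if __name__ == "__main__":
    for client, domain in find_suspicious_queries(SAMPLE_LOG):
        print(f"suspicious query from {client}: {domain}")
```

The hits are a starting point for analyst review, not a verdict; legitimate CDN or tracking hostnames can also use short random labels, so correlate with registration age and hosting provider before blocking.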