A sophisticated phishing attack has emerged, delivering the AsyncRAT trojan as part of a malware campaign believed to have started in September 2021. This campaign has raised significant concerns among cybersecurity experts due to its innovative approach and potential for widespread damage.

According to Michael Dereviashkin, a security researcher at Morphisec, the attack begins with an email containing an HTML attachment disguised as an order confirmation receipt, such as “Receipt-.html.” When the victim opens this file, they are directed to a web page that prompts them to save an ISO file. Unlike traditional phishing attacks, which typically redirect users to a malicious website, this latest campaign cleverly utilizes JavaScript to generate the ISO file locally from a Base64-encoded string, mimicking the download process.

This method of creating the ISO file within the victim’s browser exemplifies advanced tactics that could easily evade detection. When the recipient opens the ISO file, it is mounted as a DVD Drive on their Windows system. It contains a batch (.BAT) or Visual Basic Script (.VBS) file that prepares the ground for subsequent infections by executing a PowerShell command to retrieve further components.

Once the infection chain is initiated, a .NET module is executed in memory, functioning as a dropper for three additional files—one of which acts as a trigger for the next stage, ultimately delivering AsyncRAT as the final payload. Notably, the campaign deliberately checks for antivirus software and sets Windows Defender exclusions to optimize its chances of success.

AsyncRAT, a remote access trojan, allows attackers to establish a connection with compromised devices, facilitating data theft and surveillance via microphones and cameras. The malware’s capabilities extend to comprehensive monitoring and control over infected systems. This widespread surveillance capability serves as a stark reminder of the potential threats facing organizational security.

Morphisec has highlighted the campaign’s ability to remain under the radar of most malware detection engines, with reports indicating it has operated for nearly five months without being detected. Such evasion techniques are crucial in understanding the adversary’s tactics, as outlined by the MITRE ATT&CK framework. The methods employed in this incident likely fall under categories such as initial access, execution, persistence, and defense evasion.

Business owners should remain vigilant regarding email hygiene and critically assess attachments before opening them. Implementing robust cybersecurity defenses, alongside employee training on recognizing phishing attempts, can mitigate the risks associated with such sophisticated malware campaigns.

This incident underscores the importance of constant vigilance and proactive measures in cybersecurity strategy. The threat landscape continues to evolve, necessitating a comprehensive understanding of the tactics employed by adversaries.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.