On 6 December 2023, the AhnLab Security Emergency Response Center (ASEC) reported new tactics, techniques and procedures (TTPs) observed in connection with an AsyncRAT campaign which, based on the detection time of the observables, was launched in late November 2023 and may still be ongoing.
AsyncRAT is a Windows trojan with a comprehensive set of capabilities, including keylogging and remote desktop control, and it also serves as an access broker for the deployment of further malware.
Based on its latest report, ASEC observed the following:
AsyncRAT delivery via phishing emails containing links to download ZIP archives that, once decompressed, reveal a Windows Script File (WSF). This technique is an innovation, as it had not previously been observed in connection with AsyncRAT, and it may reflect an attempt to diversify the scripting language used: a WSF can mix several scripting languages in one file, all executed by the Windows Script Host.
The malicious ZIP files are hosted on domains ending in .za.com, .com.br, .za and .co.
The WSF is responsible for fetching a number of Visual Basic Scripts (VBS) that ultimately download the AsyncRAT payload and inject it into the aspnet_compiler.exe process.
ASEC observed traffic towards the following command-and-control infrastructure:
hxxp://185.81.157[.]242:222/c.txt
hxxp://185.81.157[.]242:222/x.jpg
drippmedsot.mywire[.]org:6606
drippmedsot.mywire[.]org:7707
drippmedsot.mywire[.]org:8808
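The delivery chain and infrastructure described above can be turned into simple detection logic. The following is an added example, not code from ASEC or the original report: it runs three rules over constructed Sysmon-like events (the event field names and the sample paths are assumptions) and flags a script host executing a .wsf file, aspnet_compiler.exe being spawned by a script host, and connections from that process to the listed C2 hosts or ports.

```python
import re

# Indicators and process names taken from the report summarised above.
C2_HOSTS = {"185.81.157.242", "drippmedsot.mywire.org"}
C2_PORTS = {222, 6606, 7707, 8808}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_TARGET = "aspnet_compiler.exe"

# Constructed Sysmon-like events (not real telemetry). Event id 1 = process
# creation, id 3 = network connection; the field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\invoice\invoice.wsf"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe", "parent": r"C:\Windows\System32\wscript.exe"},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "dest_host": "drippmedsot.mywire.org", "dest_port": 6606},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the detection rules an event matches."""
    hits = []
    if event["id"] == 1:
        image, parent = basename(event["image"]), basename(event.get("parent", ""))
        # Stage 1: Windows Script Host executing a .wsf file.
        if image in SCRIPT_HOSTS and re.search(r"\.wsf\b", event["cmdline"], re.I):
            hits.append("wsf_via_script_host")
        # Stage 3: a script host is not an expected parent for this .NET tool.
        if image == INJECTION_TARGET and parent in SCRIPT_HOSTS:
            hits.append("aspnet_compiler_spawned_by_script_host")
    elif event["id"] == 3:
        host, port = event["dest_host"].lower(), int(event["dest_port"])
        if host in C2_HOSTS:
            hits.append("known_c2_host")
        # A port-only match is weaker evidence, so it is reported separately.
        elif basename(event["image"]) == INJECTION_TARGET and port in C2_PORTS:
            hits.append("aspnet_compiler_to_c2_port")
    return hits

def scan(events):
    """Map event index to matched rules, skipping events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The host and port sets are the report's indicators; in production they would be loaded from a threat-intel feed rather than hard-coded.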