Distribution of AsyncRAT Disguised as Ebook

July 10, 2024, 9:29 a.m.

Description

This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed archive contains a malicious LNK shortcut file and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV checks, to maintain persistence and exfiltrate user information while receiving commands from the threat actor. Particular caution is advised because of the potential for widespread distribution via phishing emails and file-sharing websites.

Date

  • Created: July 10, 2024, 9:22 a.m.
  • Published: July 10, 2024, 9:22 a.m.
  • Modified: July 10, 2024, 9:29 a.m.

Indicators

  • b8f1fe93386003e82a148e0efd52759bc3be7bc7088537f6d031faec54870fb3
  • a562909c5c9b7b8c20484cd0822e2c379d36a34432ef11306bf1e1f28762aeb6
  • https://worldofprocure.com/worldofprocure.rar
  • stevenhead.ddns.net
  • worldofprocure.com

Attack Patterns

  • AsyncRAT
  • T1064
  • T1059.005
  • T1059.001
  • T1548
  • T1059.007
  • T1497
  • T1070
  • T1057
  • T1083
  • T1569
  • T1036
  • T1027