Exploring AsyncRAT and Infostealer Plugin Delivery Through…

Sept. 2, 2024, 4:40 p.m.

Description

This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers and cryptocurrency wallet extensions to exfiltrate data. The infection process includes process hollowing and scheduled task creation to maintain persistence. The threat actors employed obfuscation techniques to evade detection. This case highlights the continued effectiveness of phishing emails as a malware delivery method and the evolving capabilities of remote access tools combined with information-stealing functionalities.

Date

Published: Sept. 2, 2024, 4:14 p.m.
Created: Sept. 2, 2024, 4:14 p.m.
Modified: Sept. 2, 2024, 4:40 p.m.

Indicators


Attack Patterns

AsyncRAT
T1555.005
T1055.012
T1059.005
T1555.003
T1059.003
T1059.001
T1547.001
T1056.001
T1070.004
T1204.002
T1566
CVE-2024-28986
CVE-2024-7593