Exploring AsyncRAT and Infostealer Plugin Delivery Through…
Sept. 2, 2024, 4:40 p.m.
Description
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers and cryptocurrency wallet extensions to exfiltrate data. The infection process includes process hollowing and scheduled task creation to maintain persistence. The threat actors employed obfuscation techniques to evade detection. This case highlights the continued effectiveness of phishing emails as a malware delivery method and the evolving capabilities of remote access tools combined with information-stealing functionalities.
Date
Published: Sept. 2, 2024, 4:14 p.m.
Created: Sept. 2, 2024, 4:14 p.m.
Modified: Sept. 2, 2024, 4:40 p.m.
Indicators
Attack Patterns
AsyncRAT
T1555.005
T1055.012
T1059.005
T1555.003
T1059.003
T1059.001
T1547.001
T1056.001
T1070.004
T1204.002
T1566
CVE-2024-28986
CVE-2024-7593