AsyncRAT Malware Campaign Exploits Bitbucket to Deliver Multi-Stage Attack
G DATA Security Lab recently uncovered a sophisticated malware campaign leveraging Bitbucket, a popular code hosting platform, to deploy AsyncRAT, a well-known remote access trojan (RAT). According to the report, attackers utilized a multi-stage attack strategy, exploiting Bitbucket to host and distribute malicious payloads while evading detection.
The malware operators used multiple layers of Base64 encoding to obfuscate the code and conceal the true nature of the attack. “After peeling back those layers we were able to uncover the full story and key indicators of compromise (IOCs) we found while analyzing the AsyncRAT payload delivery,” the report explains.
Bitbucket’s reputation as a legitimate software development platform has made it attractive for cybercriminals to abuse. The attackers used Bitbucket repositories to host various malicious payloads, including AsyncRAT. “Attackers have turned to Bitbucket, a popular code hosting platform, to host their malicious payloads,” the researchers noted, emphasizing that this method provides “legitimacy” and “accessibility” for distributing the malware.
The attack begins with a phishing email containing a malicious VBScript file titled “01 DEMANDA LABORAL.vbs,” which executes a PowerShell command. This initial stage obfuscates and delivers the payload through multiple layers of string manipulation and Base64 encoding. “The VBScript constructs and executes a PowerShell command, effectively transitioning the attack to the next stage,” the report states.
In the second stage, the PowerShell script downloads a file from a Bitbucket repository. This file, named “dllhope.txt,” is a Base64-encoded payload that is decoded into a .NET compiled file, revealing the true nature of the AsyncRAT malware.
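For triage of a text file like the Base64-encoded payload described above, the following added example (not code from the G DATA report) strips nested Base64 layers and reports whether the result begins with a PE header. The function names, the MAX_LAYERS bound and the harmless header stub used as sample input are constructed for illustration; the check stops at the PE signature and does not inspect .NET metadata.

```python
import base64
import re
import struct

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
MAX_LAYERS = 10  # assumed safety bound, not a figure from the report


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_b64(data: bytes):
    """Strictly decode one Base64 layer, or return None if data is not Base64."""
    compact = b"".join(data.split())  # drop line breaks and spaces
    if len(compact) < 8 or len(compact) % 4 or not B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def peel(blob: bytes):
    """Remove nested Base64 layers; return (layers_removed, final_bytes, is_pe)."""
    layers = 0
    while layers < MAX_LAYERS and not looks_like_pe(blob):
        decoded = try_b64(blob)
        if decoded is None:
            break
        blob, layers = decoded, layers + 1
    return layers, blob, looks_like_pe(blob)


def constructed_sample(layers: int) -> bytes:
    """Build a harmless 72-byte header stub (not a real executable) wrapped in Base64."""
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 4
    for _ in range(layers):
        stub = base64.b64encode(stub)
    return stub


if __name__ == "__main__":
    n, final, is_pe = peel(constructed_sample(3))
    print(f"layers={n} size={len(final)} pe={is_pe}")
```

A text file that decodes to a PE image after one or more layers is worth escalating, since ordinary `.txt` content has no reason to carry an executable header.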
Once successfully delivered, AsyncRAT grants attackers full remote control over the infected system. “AsyncRAT provides attackers with extensive control over infected machines, enabling them to perform a wide range of malicious activities,” G DATA’s analysis confirms. These activities include remote desktop control, file management, keylogging, webcam and microphone access, and the execution of arbitrary commands.
The report also highlights the attackers’ use of anti-virtualization checks to avoid detection in sandbox environments. “If the flag parameter contains ‘4,’ the code checks for the presence of virtualization tools like VMware or VirtualBox, likely to avoid analysis,” G DATA stated. Persistence is established through multiple mechanisms, including Windows registry modifications and the creation of startup shortcuts, ensuring the malware remains active even after the system reboots.