Cybercriminals Exploit Ebooks to Spread AsyncRAT Malware

AsyncRAT cyberattacks
An ebook being distributed with the malware

A recent report from AhnLab Security Intelligence Center (ASEC) reveals new cyberattacks utilizing a novel method to distribute the AsyncRAT remote access trojan (RAT). Disguised as harmless ebooks, these malicious files are spreading through phishing emails and file-sharing platforms, putting unsuspecting users at risk.

An ebook being distributed with the malware | Image: ASEC

This campaign involves compressed files masquerading as ebooks. However, these files contain a hidden payload: a malicious LNK file, a PowerShell script, additional compressed files disguised as videos, and a legitimate ebook file to maintain the facade. The LNK file initiates the attack by executing the PowerShell script, which then cleverly evades detection by security products before deploying AsyncRAT.

ASEC’s analysis uncovered three distinct methods used to execute AsyncRAT, all involving intricate chains of scripts and scheduled tasks:

  1. The first method involves decompressing a file named 4.mkv and registering an XML file to the Task Scheduler under the name “BitTorrent Certificate.” This XML file executes a VBS script, which records system information in a file named “WindowsLogFile.txt” and then runs a PowerShell script. This script loads and executes obfuscated PE files, ultimately launching AsyncRAT.
  2. In the second method, a file named 5.mkv is decompressed, and a VBS script is registered to the Task Scheduler under the name “BitTorrent.” This VBS script runs an AutoHotKey script via a batch file, which then downloads and executes AsyncRAT from a specified URL.
  3. The third method decompresses a file named 8.mkv and registers a PowerShell script in the Task Scheduler under the name “USER ID Converter.” This PowerShell script, obfuscated similarly to the RM.TXT file, directly executes AsyncRAT within the same directory.

The end goal remains the same: to gain remote control of the victim’s system, enabling the attackers to steal sensitive information, install additional malware, and carry out other nefarious activities.

AsyncRAT is a potent RAT known for its robust features, including AntiVM and AntiAV capabilities, persistence mechanisms, and data exfiltration capabilities. Its modular nature allows attackers to customize its behavior based on their objectives, making it a versatile tool in their arsenal.

Users are advised to refrain from opening attachments or downloading files from untrusted emails or websites. Additionally, maintaining updated antivirus software and enabling strong security measures can significantly mitigate the risk of falling victim to such attacks.