2024-01-09

For the past 11 months a threat group has been targeting employees in various companies with phishing emails that distribute an open-source trojan program called AsyncRAT. The targets included companies managing key infrastructure in the US.

According to AT&T’s Alien Labs cybersecurity division, the attackers’ command-and-control (C&C) infrastructure uses a domain generation algorithm (DGA) to rotate through a large number of domains, which makes blocking the traffic harder. They also continually generate new samples of the malicious tool to evade detection. The researchers have identified more than 300 samples and 100 domains associated with this campaign.
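The report does not describe how this DGA builds its domains, so from a detection standpoint the practical question is how a defender notices DGA-style rotation in DNS telemetry without knowing the algorithm. The following is an added example, not code from Alien Labs or the campaign: it runs a set of lexical heuristics (character entropy, vowel ratio, digit ratio, longest consonant run) over constructed DNS query log lines and reports, per host, the domains that look machine-generated. The log format, the thresholds and the naive second-level-label split are all assumptions made for the example; a production version would use a public-suffix list and thresholds tuned on the organisation's own traffic.

```python
import math
import re
from collections import Counter

# Constructed DNS query log lines for demonstration (not data from the report).
SAMPLE_DNS_LOG = """\
2024-01-09T10:00:01Z host1 query A www.example.com
2024-01-09T10:00:02Z host1 query A mail.google.com
2024-01-09T10:00:03Z host2 query A xk3qzv9wplr2t.com
2024-01-09T10:00:04Z host2 query A f7h2jq9xv3mpz.net
2024-01-09T10:00:05Z host2 query A q9wz4xk7vbn2l.top
2024-01-09T10:00:06Z host3 query A cdn.cloudflare.com
"""

# Assumed log format: "<timestamp> <host> query <type> <fqdn>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Second-level label (assumption: no public-suffix list, so 'x.co.uk' is split naively)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label: str) -> dict:
    """Lexical features of one domain label."""
    n = max(len(label), 1)
    longest_run = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1  # digits and consonants both extend the run
        longest_run = max(longest_run, run)
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "longest_run": longest_run,
    }


def is_dga_like(label: str) -> bool:
    """Heuristic: at least three of four signals on labels of 7+ characters.
    Thresholds are illustrative assumptions, not values from the report."""
    if len(label) < 7:
        return False
    f = dga_features(label)
    signals = [
        f["entropy"] >= 3.0,
        f["vowel_ratio"] < 0.25,
        f["digit_ratio"] > 0.15,
        f["longest_run"] >= 5,
    ]
    return sum(signals) >= 3


def flag_dga_queries(log_text: str) -> dict:
    """Map each host to the DGA-looking domains it queried, in log order."""
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, fqdn = m.group(2), m.group(3)
        if is_dga_like(registrable_label(fqdn)):
            flagged.setdefault(host, []).append(fqdn)
    return flagged


if __name__ == "__main__":
    for host, domains in flag_dga_queries(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(domains)} DGA-like queries -> {domains}")
```

Requiring several weak signals at once is what keeps legitimate but entropy-rich names such as a CDN hostname below the line; a single host resolving a burst of such labels is the pattern worth alerting on, not any one lookup.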

“AsyncRAT is an open-source remote access tool released in 2019 and is still available in GitHub,” the researchers said in their report. “As with any remote access tool, it can be leveraged as a remote access trojan (RAT), especially in this case where it is free to access and use. For that reason, it is one of the most commonly used RATs; its characteristic elements include keylogging, exfiltration techniques, and/or initial access staging for final payload delivery.”

It is not unusual for even sophisticated threat actors to use open-source malware frameworks and tools. They provide several benefits such as low development costs compared to custom tools and plausible deniability since the tools are not associated with one actor. In fact, AsyncRAT itself was used in 2022 by an APT group that security firm Trend Micro tracks as Earth Berberoka or GamblingPuppet.

Highly obfuscated malware delivery scripts

The phishing emails seen by Alien Labs and other researchers including Microsoft’s Igal Lytzki used a thread hijacking technique to direct users to a phishing page, which eventually dropped a JavaScript (.js) file on users’ computers.

If opened in Notepad, the script appears to consist largely of random English words that are commented out, although variants using Sanskrit characters have also been reported by other researchers in other campaigns. The script is highly obfuscated, with functions that hide and extract the actual malicious code from different parts of the file. Its goal is to download the second-stage payload from a URL, which is itself encoded using a custom cipher and decimal values instead of ASCII characters.
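An analyst triaging such a file usually wants the decoded strings before reading any of the surrounding logic. The following is an added example, not the campaign's script or Alien Labs' tooling: it scans a constructed JavaScript fragment written in the style described above (comment padding, arrays of decimal character codes) for long runs of decimal values, decodes the runs that map entirely to printable ASCII, and pulls out any URL that appears only after decoding. The fragment, the regexes and the printable-ASCII filter are assumptions for the example; the custom cipher layer the article mentions is not modelled, since the article gives no details of it.

```python
import re

# Constructed JavaScript fragment in the style the article describes (not the actual
# dropper): comment padding of random English words, plus arrays of decimal character
# codes. The custom cipher layer mentioned in the article is not modelled here.
SAMPLE_JS = """\
// lantern meadow quartz violin harbor pillow ... (comment padding)
var k = [104, 116, 116, 112, 115, 58, 47, 47, 101, 120, 97, 109, 112, 108, 101,
         46, 116, 101, 115, 116, 47, 115, 116, 97, 103, 101, 50, 46, 116, 120, 116];
var t = [1, 2, 3];
var j = [0, 255, 12, 7, 3];
var s = String.fromCharCode(100, 101, 99, 111, 121);
"""

# Four or more comma-separated 1-3 digit numbers; whitespace (incl. newlines) allowed.
DEC_SEQ_RE = re.compile(r"\b\d{1,3}(?:\s*,\s*\d{1,3}){3,}\b")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_decimal_sequences(js_text: str) -> list:
    """Decode every long run of decimal values that maps entirely to printable ASCII."""
    decoded = []
    for m in DEC_SEQ_RE.finditer(js_text):
        values = [int(v) for v in m.group(0).split(",")]  # int() tolerates surrounding whitespace
        if all(32 <= v < 127 for v in values):  # skip junk arrays containing non-printable codes
            decoded.append("".join(chr(v) for v in values))
    return decoded


def extract_urls(js_text: str) -> list:
    """URLs that only become visible after decoding the decimal sequences."""
    urls = []
    for s in decode_decimal_sequences(js_text):
        urls.extend(URL_RE.findall(s))
    return urls


if __name__ == "__main__":
    for s in decode_decimal_sequences(SAMPLE_JS):
        print("decoded:", s)
    print("urls:", extract_urls(SAMPLE_JS))
```

The printable-ASCII filter is what separates decoy arrays from real strings; a decoded value that is still unreadable is the signal that a further cipher layer, such as the custom one the report mentions, sits on top of the decimal encoding and needs to be reversed separately.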