One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8435043
Publication date 2024-01-05 11:00:00 (viewed: 2024-01-05 11:09:06)
Title AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
Text

Executive summary

AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. For at least 11 months, this threat actor has been delivering the RAT through an initial JavaScript file embedded in a phishing page. More than 300 samples and over 100 domains later, the threat actor persists in their intentions.

Key takeaways:
- The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the US.
- The loader uses a fair amount of obfuscation and anti-sandboxing techniques to elude automatic detection. As part of the obfuscation, the attacker also uses many randomly generated variable names and values, which hamper pivoting and detection by strings.
- DGA domains are recycled every week, and decoy redirections are served when a VM is identified, to avoid analysis by researchers.
- The ongoing registration of new and active domains indicates this campaign is still active.

There is an OTX pulse with more information.

Analysis

AsyncRAT is an open-source remote access tool released in 2019 and still available on GitHub. As with any remote access tool, it can be leveraged as a Remote Access Trojan (RAT), especially in this case where it is free to access and use. For that reason, it is one of the most commonly used RATs; its characteristic elements include keylogging, exfiltration techniques, and/or initial access staging for final payload delivery. Since its initial release, this RAT has shown up in several campaigns with numerous alterations due to its open-source nature, and it has even been used by the APT Earth Berberoka, as reported by Trend Micro.

In early September, AT&T Alien Labs observed a spike in phishing emails targeting specific individuals in certain companies. The GIF attachment led to an SVG file, which in turn led to the download of a highly obfuscated JavaScript file, followed by other obfuscated PowerShell scripts and the final execution of an AsyncRAT client. This peculiarity was also reported by some users on X (formerly Twitter), such as reecDeep and Igal Lytzki. Certain patterns in the code allowed us to pivot and look for more samples in this campaign, resulting in samples going back to February 2023. The registration of domains and subsequent AsyncRAT samples is still being observed at the time of writing this blog.

Figure 1: Number of samples observed by Alien Labs in this campaign.

The modus operandi of the loader involves several stages, which are further obfuscated by a Command and Control (C&C) server checking whether the victim could be a sandbox prior to deploying the main AsyncRAT payload. In particular, when the C&C server does not rely on the parameters sent, usually after stage 2, or when it is not expecting requests on a particular domain at that time, the C&C redirects to a benign page.

Figure 2: Execution flow.

During the whole campaign, JavaScript files have been delivered to targete
Sent Yes
Tags Malware Tool Threat Technical
Stories
Rating ★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.