One Article Review

Source: Cyble
Identifier: 8649470
Publication date: 2025-02-21 05:30:52 (seen: 2025-02-21 06:08:00)
Title: Ghost in the Shell: Null-AMSI Evading Traditional Security to Deploy AsyncRAT
Text:

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) identified a campaign that uses malicious LNK files disguised as wallpapers to trick users into executing them. The malware uses a multi-stage execution process, with obfuscated PowerShell scripts fetching additional payloads from a remote server.

The Threat Actor (TA) behind this campaign leverages the open-source tool Null-AMSI to bypass the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). The PowerShell script used to bypass AMSI and ETW contains comments and error messages in Portuguese, suggesting that the TA may be a Portuguese-speaking individual or group.

The malware employs AES encryption and GZIP compression to conceal its payloads, making it harder for security tools to analyze and detect the malicious components. The final payload is executed in memory via reflective loading, bypassing traditional security measures while ensuring persistence and running AsyncRAT for remote control.

Overview

CRIL identified a campaign likely orchestrated by a Portuguese-speaking TA, as evidenced by the comments and error messages present in one of the malicious scripts. While the initial infection vector remains unknown, the campaign distributes malware through a deceptive shortcut file. Specifically, it uses a malicious LNK file disguised as a wallpaper featuring popular animated characters, indicating that the TA is exploiting users' interests to increase the likelihood of infection. When executed, the shortcut file initiates a series of mali
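The three behaviours the takeaways describe (AMSI/ETW tampering, AES+GZIP-concealed payloads, and reflective in-memory loading) each leave recognisable API names in PowerShell script-block logs (Event ID 4104). The following triage script is an added example, not code from Cyble or from the report; the indicator families, the scoring thresholds and the three sample log records are all constructed here for illustration, and the API names it looks for are the ones named in the article. It scores each script block by how many independent families it touches, so that a lone GZipStream in an administrator's script does not fire on its own.

```python
import re

# Indicator families, one per behaviour described in the report. The API and
# type names are assumptions about what such script blocks typically reference;
# tune the lists to your own telemetry.
INDICATORS = {
    "amsi_etw_tamper": [
        r"\bamsi\b", r"amsiscanbuffer", r"etweventwrite",
        r"getprocaddress", r"getmodulehandle",
    ],
    "concealed_payload": [
        r"gzipstream", r"frombase64string",
        r"aescryptoserviceprovider", r"cryptography\.aes", r"createdecryptor",
    ],
    "reflective_load": [
        r"\[reflection\.assembly\]::load", r"\[system\.reflection\.assembly\]::load",
        r"getmanifestresourcestream", r"\.invoke\(",
    ],
}

# Compile once; script-block text is matched case-insensitively because
# PowerShell itself is case-insensitive and obfuscators vary casing freely.
COMPILED = {
    family: [re.compile(p, re.IGNORECASE) for p in patterns]
    for family, patterns in INDICATORS.items()
}

# Constructed sample records in the shape of Event ID 4104 script-block entries.
# None of these are real scripts from the campaign; they only reference the
# API names by which such stages show up in logs.
SAMPLE_SCRIPT_BLOCKS = [
    {"ScriptBlockId": "sb-0001",
     "ScriptBlockText": r"Get-ChildItem -Path C:\Users -Recurse | Where-Object { $_.Length -gt 1MB }"},
    {"ScriptBlockId": "sb-0002",
     "ScriptBlockText": r"$mod='ntdll.dll'; $fn='EtwEventWrite'; "
                        r"$addr=$k.GetProcAddress($k.GetModuleHandle($mod), $fn)"},
    {"ScriptBlockId": "sb-0003",
     "ScriptBlockText": r"$ms=[IO.MemoryStream]::new([Convert]::FromBase64String($blob)); "
                        r"$gz=[IO.Compression.GZipStream]::new($ms,[IO.Compression.CompressionMode]::Decompress); "
                        r"[Reflection.Assembly]::Load($out).EntryPoint.Invoke($null,@())"},
]


def classify_script_block(text: str) -> dict[str, list[str]]:
    """Return {family: [matched patterns]} for every family with at least one hit."""
    hits = {}
    for family, patterns in COMPILED.items():
        matched = [p.pattern for p in patterns if p.search(text)]
        if matched:
            hits[family] = matched
    return hits


def verdict_for(hits: dict[str, list[str]]) -> str:
    """Two or more independent families together is the strong signal; one alone
    is worth a look but is often legitimate (e.g. GZipStream in a backup script)."""
    if len(hits) >= 2:
        return "high"
    if len(hits) == 1:
        return "medium"
    return "benign"


def triage(entries: list[dict]) -> list[dict]:
    """Score each script-block record and return a compact per-block summary."""
    results = []
    for entry in entries:
        hits = classify_script_block(entry["ScriptBlockText"])
        results.append({
            "ScriptBlockId": entry["ScriptBlockId"],
            "families": sorted(hits),
            "verdict": verdict_for(hits),
        })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f'{row["ScriptBlockId"]}: {row["verdict"]:7} {", ".join(row["families"]) or "-"}')
```

Feed it the ScriptBlockText field of your own 4104 events and review anything scored "high" first; the "medium" bucket is where the report's stand-alone AMSI/ETW patcher stage would land, since that stage touches only one family before the payload stage runs.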
Notes: ★★★
Sent: Yes
Tags: Spam Malware Tool Vulnerability Threat Patching


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.