The infamous malware AsyncRAT has appeared online once again via a phishing campaign. This time, the attackers have designed a sneaky strategy to evade detection by most security tools.
AsyncRAT Malware Phishing Active In The Wild
According to a post from Morphisec researchers, a phishing campaign active in the wild is infecting victims with AsyncRAT malware.
Specifically, AsyncRAT first caught the attention in mid-2021 when it specifically targeted the aerospace and travel sectors. Like any other trojan, AsyncRAT (or RevengeRAT) also aims at stealing victim’s data.
And now, it’s once again active against various organizations via a stealth phishing campaign.
As elaborated, the phishing emails delivering this malware include an HTML attachment, opening which prompts the user to download an ISO file. While the victim would believe that the downloaded file would pass through security checks, it actually escapes them all. That’s because the ISO file never comes from a server, rather from the HTML attachment.
Explaining this phenomenon, the researchers stated,
The ISO file is not being delivered as a file blob object over the network, but instead it is being delivered as a base64 string. This base64toblob function gets a Base64 encoded string as an input and is responsible for the decoding to ASCII by a window.atob. Next, the result is converted to a byte array from which a new blob is created. The blob type is set according to a given mime type (in this case, application/octet-stream)… the blob is injected as part of the URL object while mimicking the download of the ISO file as if it had been delivered remotely.
Opening this ISO file executes the next step of injecting the malware dropper (.NET module), which then performs various evasive checks to skip detection. Ultimately, the AsyncRAT malware reaches the device as the final payload.
Given its sneakiness, users must remain very careful when clicking on email attachments. Ideally, users should avoid clicking on any unsolicited emails (even from legit senders) until separately verifying the email’s validity.