1. Overview
AhnLab SEcurity intelligence Center (ASEC) covered cases of AsyncRAT being distributed via various file extensions (.chm, .wsf, and .lnk). [1] [2]
Those posts showed the threat actor using normal document files, presented as questionnaires, as decoys to conceal the malware. Similarly, cases have recently been observed in which the malware was disguised as an ebook.
2. Malware Executed via Scripts
The compressed file disguised as an ebook contains a malicious LNK file disguised with a compressed-file icon, a text file (RM.TXT) containing a malicious PowerShell script, additional compressed files disguised with a video file extension, and a normal ebook file. The LNK file contains malicious commands that read RM.TXT and execute the PowerShell script inside it.
RM.TXT consists mostly of meaningless strings that conceal the malicious PowerShell script. The actual script sets the hidden attribute on the folder containing the downloader malware and then executes an obfuscated script.
The obfuscated script checks which security products are installed on the system. Depending on the result, it executes the malware contained in one of the compressed files disguised with a video file extension.
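To show what a defender can extract from such a shortcut without resolving or running it, here is an added example (not code from the post or from ASEC) that parses the StringData section of a .lnk file according to the MS-SHLLINK layout and flags the traits described above: an interpreter as the target, a hidden window, a .txt file fed to the interpreter, and an icon borrowed from an unrelated file. The sample shortcuts, the cmd.exe/PowerShell command line and the zipfldr.dll icon path are constructed assumptions, not values from the campaign.

```python
import struct

# Constants from the MS-SHLLINK layout: fixed 76-byte header, link CLSID, LinkFlags bits.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
FLAG_HAS_NAME, FLAG_HAS_RELPATH, FLAG_HAS_WORKDIR = 0x04, 0x08, 0x10
FLAG_HAS_ARGS, FLAG_HAS_ICON, FLAG_IS_UNICODE = 0x20, 0x40, 0x80
# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [("name", FLAG_HAS_NAME), ("relative_path", FLAG_HAS_RELPATH),
                 ("working_dir", FLAG_HAS_WORKDIR), ("arguments", FLAG_HAS_ARGS),
                 ("icon_location", FLAG_HAS_ICON)]

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32")
TEXT_READERS = ("get-content", "gc ", "cat ", "type ")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file without executing or resolving it."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:            # IDListSize (2 bytes) + item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:          # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & FLAG_IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def triage_lnk(data: bytes) -> list:
    """Flag the shortcut traits described in the post: interpreter launch, hidden window,
    a .txt file fed to the interpreter, and an icon borrowed from an unrelated file."""
    f = parse_lnk_strings(data)
    cmdline = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    icon = f.get("icon_location", "").lower()
    findings = []
    if any(h in cmdline for h in SCRIPT_HOSTS):
        findings.append("launches a script/command interpreter")
    if "hidden" in cmdline:
        findings.append("requests a hidden window")
    if ".txt" in cmdline and any(r in cmdline for r in TEXT_READERS):
        findings.append("feeds a .txt file to the interpreter")
    icon_base = icon.rsplit("\\", 1)[-1]
    if icon_base and icon_base not in cmdline:
        findings.append(f"icon borrowed from unrelated file: {icon_base}")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str, unicode: bool = True) -> bytes:
    """Build a minimal .lnk (header + three StringData entries) so the parser can be exercised
    offline; this produces a constructed sample, not a file from the campaign."""
    flags = FLAG_HAS_RELPATH | FLAG_HAS_ARGS | FLAG_HAS_ICON | (FLAG_IS_UNICODE if unicode else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps, etc. left zero

    def enc(s: str) -> bytes:
        raw = s.encode("utf-16-le") if unicode else s.encode("latin-1")
        return struct.pack("<H", len(s)) + raw
    return header + enc(relative_path) + enc(arguments) + enc(icon_location)


# Constructed samples: one mimicking the post's pattern (cmd.exe -> PowerShell reading RM.TXT,
# compressed-folder icon taken from zipfldr.dll), one ordinary ebook-reader shortcut.
SAMPLE_MALICIOUS = build_lnk(
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    '/c powershell -WindowStyle Hidden -Command "Get-Content RM.TXT"',
    "%SystemRoot%\\System32\\zipfldr.dll")
SAMPLE_BENIGN = build_lnk("..\\Reader\\reader.exe", "book.epub", "..\\Reader\\reader.exe")

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, parse_lnk_strings(sample), triage_lnk(sample))
```

The parser stops after StringData and ignores the ExtraData blocks, which is enough for triage; run it over the .lnk extracted from a suspect archive on an analysis host, never by double-clicking the shortcut.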
2.1. Method1
The Method1 function decompresses 4.mkv and uses an XML task definition to register a scheduled task named “BitTorrent Certificate” that executes the “NTUSER.BAT{428f9636-1254-e23e3-ada2-03427pie23}.TM.VBS” script.
The executed VBS file writes system information to a file named “WindowsLogFile.txt” and runs the PowerShell script through a batch file (NTUSER.BAT{428f9636-1254-ee23-ada2-080027dede23}.TM.bat).
That PowerShell script (NTUSER.DAT{428f1209-1254-11ef-ada2-080027dede23}.TxR.1.ps1) loads two .blf files (NTUSER.DAT{428f1209-1254-13ef-ada4-080027dede23}.TxR.blf and NTUSER.DAT{4280000a-1254-11ef-ada2-080007dede23}.TM.blf), which are obfuscated PE files, and executes AsyncRAT.
2.2. Method2
The Method2 function decompresses 5.mkv and registers a scheduled task named “BitTorrent” that executes the VBS script from the compressed file. The VBS script runs an AutoHotKey script through a batch file, which ultimately downloads AsyncRAT from the URL listed in the IoCs below and runs it.
2.3. Method3
The Method3 function decompresses 8.mkv and registers a scheduled task named “USER ID Converter” that executes the PowerShell script from the compressed file. This PowerShell script is obfuscated in the same way as RM.TXT and ultimately executes AsyncRAT directly from the same directory.
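All three methods in 2.1 to 2.3 persist through a scheduled task whose action runs a script from the extracted archive. As an added example (not code from the post or from ASEC), the following Python triages a task's XML definition for the traits seen here: a script host as the action, a script file under a user-writable path, a file name shaped like the registry's NTUSER.DAT{GUID} transaction logs, a hidden task, and a logon trigger. The task names, paths and the all-zero GUID in the samples are constructed placeholders, not the campaign's values.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition (exported or on disk).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "cmd.exe", "mshta")
SCRIPT_EXTS = (".vbs", ".bat", ".cmd", ".ps1", ".js")
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%public%", "\\users\\")
# Script names shaped like the registry's NTUSER.DAT{GUID}.TM.blf / .TxR transaction files.
HIVE_MIMIC = re.compile(r"ntuser\.[a-z]+\{[^}]*\}", re.IGNORECASE)


def triage_task_xml(xml_text: str) -> dict:
    """Return the task's URI plus a list of persistence/evasion traits found in its XML."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    findings = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        command = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        arguments = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        line = f"{command} {arguments}".lower()
        if any(h in line for h in SCRIPT_HOSTS):
            findings.append(f"runs a script host: {command}")
        if any(e in line for e in SCRIPT_EXTS):
            findings.append("action points at a script file")
        if HIVE_MIMIC.search(line):
            findings.append("script file name mimics NTUSER.DAT transaction logs")
        if any(p in line for p in USER_WRITABLE):
            findings.append("action runs from a user-writable path")
    hidden = root.findtext("t:Settings/t:Hidden", default="", namespaces=TASK_NS)
    if (hidden or "").strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        findings.append("fires at logon (persistence)")
    return {"name": name, "findings": findings}


# Constructed sample modelled on section 2.1 (placeholder GUID; not the campaign's file names).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\BitTorrent Certificate</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"%APPDATA%\\NTUSER.BAT{00000000-0000-0000-0000-000000000000}.TM.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
SAMPLE_BENIGN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Nightly Backup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (SAMPLE_TASK_XML, SAMPLE_BENIGN_XML):
        print(triage_task_xml(xml_text))
```

On a live host the same function can be fed the XML files under %SystemRoot%\System32\Tasks or the output of schtasks /Query /XML /TN "<task name>", so that tasks registered under a plausible product name (such as “BitTorrent” or “USER ID Converter”) are judged by what their action actually runs rather than by their label.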
3. AsyncRAT
AsyncRAT that is executed in the end has features such as AntiVM, AntiAV, maintaining persistence, and exfiltrating user information. It can also perform various malicious behaviors by receiving commands from the threat actor.
AsyncRAT has been continuously distributed with various file extensions and methods. Users should be particularly careful because a variant disguised as an ordinary ebook can be distributed not only via phishing emails but also through file-sharing websites.
[File Detection]
– Trojan/Script.Agent.SC200228 (2024.06.25.00)
– Trojan/BAT.Agent.SC200230 (2024.06.25.00)
– Trojan/VBS.Agent.SC200225 (2024.06.25.00)
– Trojan/BAT.Agent.SC200226 (2024.06.25.00)
– Malware/Win.Generic.C5643757 (2024.06.23.03)
[IoCs]
MD5s
– dea45ddf6c0ae0f9f3fde1bfd53bc34f (VideoVLC_subtitles.exe)
– b8d16e9a76e9f77975a14bf4e03ac1ff (RM.TXT)
– 50005f22608e93dff1d9ed18f6be95d3 (Business Secrets from the Bible – Rabbi Daniel Lapin.LNK)
– 1ada2c6796a3486b79c5eb47fce9b19c (worldofprocure.rar)
– 21714b248ab9ca42097a7834251a7452 (NTUSER.vbs{428f9636-1254-e23e3-ada2-03427pie22}.TM.vbs)
C&C Server
– stevenhead.ddns[.]net
Download URL
– hxxps://worldofprocure[.]com/worldofprocure.rar
The post Distribution of AsyncRAT Disguised as Ebook appeared first on ASEC BLOG.