Summary:
This article analyzes two distinct methods of infection using AsyncRAT malware via open directories. It highlights the adaptive tactics employed by attackers to exploit publicly accessible files, demonstrating the persistent threat of AsyncRAT through multi-stage infection processes.
Keypoints:
- AsyncRAT is a Remote Access Trojan (RAT) used for spying and data theft.
- Two methods of infection through open directories were identified.
- The first method involves a multi-stage process with multiple scripts and files.
- The second method uses fewer stages but maintains persistence through scheduled tasks.
- Obfuscation techniques are employed in VBS, BAT, and PowerShell scripts to hide malicious activities.
- Analysis of the scripts reveals the creation of scheduled tasks to ensure continuous execution of the malware.
- ANY.RUN sandbox is utilized for deeper analysis of the malware behavior and command and control infrastructure.
MITRE Techniques
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Execution (T1203): Exploits vulnerabilities in applications to execute malicious scripts.
- Persistence (T1053): Creates scheduled tasks to maintain access to the compromised system.
IoC:
- Domain: storeroot[.]duckdns[.]org
- Domain: anothonesevenfivesecsned[.]ddns[.]net
- IP Address: 23.26.108.141
- IP Address: 45.126.208.245
- Hash: 7b73596346a36f83b6b540bfc2b779fec228a050e6d7de631d0518b526b9b128
- Hash: 561bb05d2c67fe221646b5af653ef7d1e7e552e6745f980385bd344d8155df0
- Hash: 70733e5f26a5b4d8c3d2bcc9a21cd015cee63dc0f93c819e7c401237f69967fe
- Hash: 2c6c4cd045537e2586eab73072d790af362e37e6d4112b1d01f15574491296b8
- Hash: d4edb13aa499b39b74912a30c22a1cba6d00694dcb68fa542bdc3d9ab2b66f68
- Hash: 5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd
Full Research: https://any.run/cybersecurity-blog/asyncrat-open-directories-infection-analysis/