Cybercriminals are using new evasive techniques to inject AsyncRAT malware

The AsyncRAT Malware

Hackers are employing a new evasive technique in order to distribute AsyncRAT malware. A new, sophisticated phishing attack has been identified that is distributing the threat as part of a malware campaign that is believed to have begun in September 2021 and is still ongoing.


AsyncRAT (a remote access trojan) is being delivered through a simple email phishing tactic with an HTML attachment, according to a report by Michael Dereviashkin, a security researcher at enterprise breach prevention firm Morphisec.

Threats such as AsyncRAT are often used to establish a remote connection between a threat actor and a victim’s device, steal information, or perform surveillance via microphones and cameras. They feature an assortment of powerful capabilities that allow the attackers to fully monitor and control the infiltrated machines. Oftentimes, such pieces of malware are used in conjunction with other malware.

This type of intrusion usually begins with an email message that contains an HTML attachment that seems to be an order confirmation receipt (for example, Receipt-[some digits].html). When the decoy file is opened, the message receiver is redirected to a web page that prompts him or her to save an ISO file.

However, unlike other RAT campaigns that direct the victim to a phishing domain that has been set up specifically for the purpose of downloading the next-stage malware, the latest RAT campaign cleverly employs JavaScript to locally create an ISO file from a Base64-encoded string and mimic the process of downloading it.

In his report, Dereviashkin explains that the ISO download is not created from a distant server, but rather from within the victim’s browser by a JavaScript code that is placed inside the HTML receipt file.

Upon opening, the ISO file it is automatically mounted as a DVD Drive on the Windows host and contains either a.BAT or a.VBS file, which allows the infection chain to continue to the next level by executing a PowerShell command.

Thе result of that is the execution of a.NET module in memory, which then acts as a dropper for three files — each of which serves as a trigger for the next — to deliver AsyncRAT as the final payload. The same module also checks for antivirus software and sets up Windows Defender exclusions, among other things.

Aside from that, Morphisec’s report puts an emphasis on the campaign’s sophisticated methods, which allow the virus to pass practically undetected by most antimalware engines despite the malware-distribution operation having been in place for nearly five months. As per the information that has been disclosed, AsyncRAT is designed to remotely monitor and control its infected computers through a secure, encrypted connection.


About the author


Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment