In-Depth Analysis of the Recent Phishing Campaign Leveraging AsyncRAT for Data Exfiltration

Alex Morgan — Threat Intelligence Analyst

Key Takeaways

  • The actor used a phishing email with a password-protected Word attachment whose macro downloaded and ran AsyncRAT.
  • After the initial compromise, the actor moved laterally using legitimate credentials harvested from the first victim.
  • AsyncRAT activity can be detected by monitoring Run-key writes and scheduled-task creation, outbound connections on non-standard ports, and anomalous DNS query patterns.

Executive Summary

During our investigation of a recent phishing campaign, we found AsyncRAT, an open-source .NET remote access trojan, being used to exfiltrate data from compromised endpoints. The attack began with a convincing phishing email carrying a password-protected Word document; once the recipient enabled macros, the document downloaded and executed AsyncRAT. This post details the attack vector, the techniques the attackers employed, and recommendations for detection and mitigation.

Initial Access

The initial access vector was a phishing email targeting employees in a corporate environment. The emails appeared legitimate and referred to ongoing business initiatives. The attachment was a password-protected Word document; the password protection lent the lure credibility and also prevented the mail gateway from inspecting the document's macro. Once the user enabled macros, as the document's content prompted them to do, the malicious macro ran and downloaded AsyncRAT from a remote URL. The download was hosted on a compromised legitimate domain, which let it blend in with normal web traffic during the initial phases of the intrusion.

Execution & Persistence

Once downloaded, AsyncRAT used two mechanisms to survive reboots. It added an entry for itself under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, so that it ran at every logon of the compromised user. It also created a scheduled task, with a name chosen to resemble routine system maintenance. Both are consistent with the install routine in AsyncRAT's public source, which writes the Run key when the process lacks administrative rights and uses schtasks.exe to create a logon task when it is elevated, so seeing both on one host is a useful data point when scoping what privilege level the actor reached. Triage either location by checking where the launch target actually lives: a legitimate autostart usually points under Program Files or System32, whereas the implant's copy sits in a user-writable directory such as %APPDATA%.
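The triage rule above, applied to endpoint telemetry, as an added example (this is not code from the original report). It takes Sysmon-style events, Event ID 13 for registry value writes and Event ID 1 for process creation, and flags Run-key entries or schtasks.exe task actions whose launch target lives in a user-writable directory or goes through a script host. The field names follow Sysmon; the sample events, SIDs, hostnames and paths are constructed for the example.

```python
"""Flag AsyncRAT-style persistence in Sysmon-like telemetry.

Added example, not code from the original report. The events below are
constructed dicts modelled on Sysmon Event ID 13 (registry value set) and
Event ID 1 (process create); field names follow Sysmon, values are made up.
"""
import re
from typing import Optional

# Autostart locations the report saw AsyncRAT write to (HKCU appears as
# HKU\<SID>\... in Sysmon's TargetObject).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Directories an unprivileged user can write to; vendor autostarts normally
# live under Program Files or System32 instead.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# Script hosts and LOLBins commonly used as the launch command.
SCRIPT_HOST_RE = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b",
    re.I)


def suspicious_launch_target(target: str) -> Optional[str]:
    """Return a reason string if the launch command looks like persistence."""
    if USER_WRITABLE_RE.search(target):
        return "launch target in user-writable directory"
    if SCRIPT_HOST_RE.search(target):
        return "launch target uses a script host or LOLBin"
    return None


def task_action(cmdline: str) -> Optional[str]:
    """Extract the /tr argument of a schtasks command (quoted or bare)."""
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def persistence_findings(events):
    """Return one finding per suspicious Run-key write or task creation."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            reason = suspicious_launch_target(ev.get("Details", ""))
            if reason:
                findings.append({"technique": "T1547.001",
                                 "writer": ev.get("Image"),
                                 "key": ev["TargetObject"],
                                 "value": ev["Details"],
                                 "reason": reason})
        elif eid == 1 and ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            cmd = ev.get("CommandLine", "")
            if "/create" in cmd.lower():
                reason = suspicious_launch_target(task_action(cmd) or "")
                if reason:
                    findings.append({"technique": "T1053.005",
                                     "parent": ev.get("ParentImage"),
                                     "command": cmd,
                                     "reason": reason})
    return findings


# Constructed sample telemetry (SIDs, hostnames and paths are made up).
SAMPLE_EVENTS = [
    # Vendor autostart under Program Files: not flagged.
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" --background"},
    # Run key pointing at a copy of the implant in %APPDATA%: flagged.
    {"EventID": 13, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"},
    # Task with a benign-looking name whose action runs a script from %TEMP%: flagged.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 1 '
                    '/tn "Microsoft\\Windows\\Maintenance" '
                    '/tr "powershell -w hidden -f C:\\Users\\jdoe\\AppData\\Local\\Temp\\u.ps1" /f'},
    # Admin-created backup task with an action under System32: not flagged.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'schtasks /create /sc daily /tn Backup '
                    '/tr "C:\\Windows\\System32\\robocopy.exe C:\\data D:\\bak"'},
]

if __name__ == "__main__":
    for finding in persistence_findings(SAMPLE_EVENTS):
        print(finding)
```

The ProgramData match will be noisy in environments where legitimate agents install there; the usual fix is an allow-list keyed on the writing process's signer rather than loosening the path check. Correlating the writer (the Image field) with the launch target, as the second sample event shows, is often the stronger signal: a binary in %APPDATA% registering itself is rarely benign.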

Command and Control

The command and control (C2) infrastructure was built to obscure the operation. The AsyncRAT variant communicated with its C2 server over an encrypted channel on non-standard TCP ports rather than over HTTP or HTTPS, which limited what proxy and web-filtering controls could see; AsyncRAT builds default to ports such as 6606, 7707 and 8808, although the operator sets these at build time, so the defaults are a starting point for hunting, not a signature. Alongside this channel, the actor used DNS tunneling to exfiltrate data, encoding it in queries to attacker-controlled domains. When the primary server was unreachable we observed repeated beaconing attempts rather than a silent implant, which, together with AsyncRAT's support for a list of fallback hosts and ports in its configuration, indicates the actor had prepared multiple fallback domains.
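Both C2 behaviors described above can be surfaced from ordinary DNS and flow logs. The following is an added example, not code from the original report: one heuristic for DNS tunneling (a domain receiving many unique, long, high-entropy leftmost labels) and one for beaconing (near-constant intervals between connections to a non-standard port). The DNS and flow records are constructed; the domain under .example and the IP addresses are reserved documentation values, and 6606 is used because it is one of AsyncRAT's default ports.

```python
"""Two C2 heuristics for the behaviors described above: DNS tunneling
(many unique, long, high-entropy subdomains under one domain) and periodic
beaconing to a non-standard port. Added example, not code from the original
report; the DNS and flow records are constructed."""
from collections import defaultdict
from math import log2
from statistics import mean, pstdev

# Ports where regular, frequent connections are expected and need other
# checks (TLS fingerprinting, proxy logs); everything else is "non-standard".
COMMON_PORTS = {22, 25, 53, 80, 443, 445, 465, 587, 993, 995, 3389}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score near log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * log2(c / len(s)) for c in counts.values())


def dns_tunnel_candidates(queries, min_unique=5, min_label_len=20):
    """queries: (src_ip, qname, qtype). Returns {domain: stats} for domains
    whose leftmost labels look like encoded data. The registered domain is
    approximated as the last two labels; use the public suffix list in
    production."""
    per_domain = defaultdict(list)
    for _src, qname, _qtype in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:          # bare apex lookups carry no payload label
            continue
        per_domain[".".join(labels[-2:])].append(labels[0])
    hits = {}
    for domain, leftmost in per_domain.items():
        uniq = sorted(set(leftmost))
        stats = {"unique_subdomains": len(uniq),
                 "mean_label_len": mean([len(l) for l in uniq]),
                 "mean_entropy": round(mean([shannon_entropy(l) for l in uniq]), 2)}
        if stats["unique_subdomains"] >= min_unique and stats["mean_label_len"] >= min_label_len:
            hits[domain] = stats
    return hits


def beacon_candidates(flows, min_conns=6, max_cv=0.2):
    """flows: (epoch_seconds, src_ip, dst_ip, dst_port). Flags (src, dst, port)
    on non-standard ports whose inter-connection gaps are nearly constant,
    i.e. coefficient of variation (stdev/mean) at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport not in COMMON_PORTS:
            by_pair[(src, dst, dport)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[pair] = {"connections": len(times),
                          "mean_interval_s": avg, "cv": round(cv, 3)}
    return hits


# Constructed DNS log: ordinary lookups plus six 32-character hex labels
# under one domain (.example is a reserved TLD).
DNS_SAMPLE = [
    ("10.0.0.25", "www.example.com", "A"),
    ("10.0.0.25", "mail.example.com", "A"),
    ("10.0.0.25", "www.example.com", "A"),
] + [("10.0.0.25", f"{label}.sync.metrics.example", "TXT") for label in (
    "4a7f3c9e1b0d2f8a6c5e3b1a9d7f2e4c", "0d2f8a6c5e3b1a9d7f2e4c4a7f3c9e1b",
    "b1a9d7f2e4c4a7f3c9e10d2f8a6c5e3a", "5e3b1a9d7f2e4c4a7f3c9e1b0d2f8a6c",
    "7f2e4c4a7f3c9e1b0d2f8a6c5e3b1a9d", "9e1b0d2f8a6c5e3b1a9d7f2e4c4a7f3c",
)]

# Constructed flow log: a ~60 s beacon to TCP/6606 (one of AsyncRAT's default
# ports), irregular HTTPS browsing, and a short burst to 8443.
FLOW_SAMPLE = (
    [(t, "10.0.0.25", "203.0.113.7", 6606) for t in (0, 60, 121, 180, 241, 300, 361, 420)]
    + [(t, "10.0.0.25", "198.51.100.10", 443) for t in (0, 5, 140, 142, 600)]
    + [(t, "10.0.0.25", "198.51.100.22", 8443) for t in (0, 7, 300, 305)]
)

if __name__ == "__main__":
    print(dns_tunnel_candidates(DNS_SAMPLE))
    print(beacon_candidates(FLOW_SAMPLE))
```

Two caveats when running this against real data. CDNs and some telemetry SDKs also generate many unique subdomains, so the DNS rule should be scored against a per-domain baseline rather than fired on first sight. And a beacon with deliberate jitter will push the coefficient of variation above 0.2; lowering the threshold trades false positives for coverage, and looking at the beacon's byte sizes (near-identical payloads) is a complementary signal.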

Lateral Movement & Discovery

During the lateral movement phase, AsyncRAT's credential-harvesting capabilities gave the attackers legitimate credentials from the victim's machine, which they used to traverse the network without triggering exploit-based alerts. This is T1078 – Valid Accounts: cached and harvested credentials were replayed to authenticate to other systems. We identified TCP sessions from the initial victim to several internal hosts that looked routine in isolation but were authenticated with accounts whose owners had not initiated them. Because each of these logons succeeds legitimately, the signal is the pattern rather than any single event: one account, from one source, reaching an unusual number of hosts in a short window.
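One way to turn that pattern into a detection, as an added example that is not code from the original report: group successful remote logons (Security Event ID 4624 with logon type 3 or 10) by account and source address, and report any pair that reaches an unusual number of distinct hosts inside a short window. The event tuples, account names, hosts and thresholds below are constructed for the example.

```python
"""Spot one account fanning out to many hosts over network logons, the
pattern the report attributes to credential reuse by AsyncRAT operators.
Added example, not code from the original report; the events are
constructed Security-log records (Event ID 4624) with made-up hosts."""
from collections import defaultdict

# 3 = network (SMB, WMI, WinRM), 10 = RemoteInteractive (RDP)
NETWORK_LOGON_TYPES = {3, 10}


def logon_fan_out(events, window_s=600, min_hosts=5):
    """events: (epoch_seconds, event_id, logon_type, account, src_ip, dst_host).
    Groups successful remote logons by (account, src_ip) and returns the
    actors that reached at least min_hosts distinct destinations within any
    window_s-second span, with the hosts touched in that window."""
    by_actor = defaultdict(list)
    for ts, eid, ltype, account, src, dst in events:
        if eid == 4624 and ltype in NETWORK_LOGON_TYPES:
            by_actor[(account, src)].append((ts, dst))
    hits = {}
    for actor, logons in by_actor.items():
        logons.sort()
        best = set()
        # Quadratic sliding window is fine for a per-host batch; use a deque
        # for streaming volumes.
        for i, (t0, _) in enumerate(logons):
            reached = {dst for ts, dst in logons[i:] if ts - t0 <= window_s}
            if len(reached) > len(best):
                best = reached
        if len(best) >= min_hosts:
            hits[actor] = sorted(best)
    return hits


# Constructed sample: times are seconds since an arbitrary epoch; src_ip is
# the IpAddress field of the 4624 event recorded on the destination host.
LOGON_SAMPLE = [
    # Morning: jdoe maps a share on FS01 from the workstation.
    (1000, 4624, 3, "CORP\\jdoe", "10.0.0.25", "FS01"),
    # Backup service touching two hosts, below threshold.
    (1100, 4624, 3, "CORP\\svc_backup", "10.0.0.40", "FS01"),
    (1105, 4624, 3, "CORP\\svc_backup", "10.0.0.40", "FS02"),
    # Interactive console logon (type 2): not a remote logon, ignored.
    (1200, 4624, 2, "CORP\\jdoe", "10.0.0.25", "WS-025"),
    # Afternoon burst: jdoe's credentials reach six hosts in under five minutes.
    (5000, 4624, 3, "CORP\\jdoe", "10.0.0.25", "FS02"),
    (5030, 4624, 3, "CORP\\jdoe", "10.0.0.25", "HR-DB01"),
    (5070, 4624, 3, "CORP\\jdoe", "10.0.0.25", "DC01"),
    (5120, 4624, 3, "CORP\\jdoe", "10.0.0.25", "PRINT01"),
    (5200, 4624, 3, "CORP\\jdoe", "10.0.0.25", "APP03"),
    (5260, 4624, 10, "CORP\\jdoe", "10.0.0.25", "JUMP01"),
]

if __name__ == "__main__":
    for actor, hosts in logon_fan_out(LOGON_SAMPLE).items():
        print(actor, "->", ", ".join(hosts))
```

Thresholds need tuning per role: vulnerability scanners, backup and monitoring service accounts, and administrators on jump hosts legitimately fan out, so either exclude them by account or keep a per-actor baseline and alert on deviation from it. Corroborate a hit with the corresponding Kerberos or NTLM events on the domain controller (4768/4769 or 4776) to confirm the credential was actually presented from that source.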

Impact & Objectives

The attack's objectives were data exfiltration and sustained access to the network. AsyncRAT gave the actor the ability to steal sensitive information, including financial data, email, and documents stored on the compromised endpoint. We found outbound traffic consistent with exfiltration of both compressed archives and individual files, indicating a systematic approach to data theft. The implant's thorough enumeration of files and directories suggests the actor intended to collect as much sensitive information as possible before detection.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: the password-protected Word document that delivered the AsyncRAT implant.
  • T1059.005 – Command and Scripting Interpreter: Visual Basic: the malicious macro that downloaded and ran the payload.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: the HKCU Run entry.
  • T1053.005 – Scheduled Task/Job: Scheduled Task: the task created to maintain presence.
  • T1071.004 – Application Layer Protocol: DNS: DNS tunneling used for C2 and exfiltration.
  • T1571 – Non-Standard Port: the encrypted C2 channel on non-standard TCP ports.
  • T1078 – Valid Accounts: harvested credentials used for lateral movement.

Detection Opportunities

  • Monitor outbound DNS for domains that receive many unique, long or high-entropy subdomains, and for unusual query types (TXT, NULL) from endpoints; these are the signatures of tunneling rather than of ordinary name resolution.
  • Alert on writes to Run/RunOnce keys and on schtasks.exe task creation (Sysmon Event IDs 13 and 1, or the equivalent EDR telemetry) and triage on where the launch target resides; file integrity monitoring covers files, not registry values, so registry auditing is needed here.
  • Baseline egress from user endpoints and alert on persistent or periodic connections to non-standard ports; internal honeypots (unused shares or hosts) remain useful for catching the credential-reuse stage, since a legitimate user has no reason to authenticate to them.

Analyst Notes

This investigation underscores the need for email filtering that handles password-protected attachments (for example by quarantining or detonating them) rather than passing them through unscanned, and for blocking macros in Office files that originate from the internet by policy. Security awareness training should reinforce that a document asking the user to enable macros to view its content is a red flag. Finally, EDR telemetry on process creation, registry writes and file access is what makes the behaviors described here visible; tuning detections around autostart writes from user-writable paths and Office processes spawning child processes will materially improve an organization's posture against AsyncRAT and similar threats.
