Friday, December 8, 2023

AsyncRAT Distributed via WSF Script

The AsyncRAT malware, known for its versatility and stealthiness, has recently been observed to be distributed via WSF (Windows Script File) script format. Here are some key aspects of this distribution method and the malware's characteristics based on various sources:

  • WSF Script Distribution: AsyncRAT, which was previously distributed through files with a .chm extension, is now being disseminated as WSF scripts. The WSF files arrive inside compressed (.zip) archives downloaded from URLs contained in emails; decompressing the archive yields a file with a .wsf extension. This change in delivery format indicates that the distributors are adapting to evade detection and reach a broader range of targets.
  • McAfee Labs Observations: McAfee Labs reported a recent AsyncRAT campaign utilizing a malicious HTML file. The infection strategy employed a range of file types, including PowerShell, WSF, VBScript (VBS), and more. This approach is likely aimed at bypassing antivirus detection measures, demonstrating the malware's evolving tactics to evade standard cybersecurity defenses.
  • Variety in Spreading Strategies: AsyncRAT is known for employing a variety of strategies and tactics to spread. The use of different file formats and distribution methods indicates a highly adaptable malware whose operators modify their approach based on the target environment and the security controls in place.

In summary, AsyncRAT's shift to WSF script format for distribution signifies an evolution in its spreading strategy, aiming to bypass traditional security measures and exploit vulnerabilities through sophisticated phishing campaigns. This development emphasizes the need for heightened awareness and robust cybersecurity measures to counter such evolving threats.
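One defensive check that follows from the delivery chain described above (zip archive fetched from an emailed URL, containing a .wsf script): inspect archive attachments for script carriers and, for WSF files, enumerate the scripting languages declared inside them. This is an added example, not code from the original post or from any of the referenced sources; the sample WSF and zip are constructed inline and are harmless.

```python
"""Added example: flag WSF (and other script) payloads inside a zip attachment."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Script carriers seen in the AsyncRAT campaigns summarised above (plus .chm, the earlier format).
SCRIPT_EXTENSIONS = {".wsf", ".vbs", ".ps1", ".js", ".hta", ".chm"}


def wsf_script_languages(data: bytes) -> list[str]:
    """Return the languages declared by the <script> elements of a WSF file.

    WSF is XML, so parse it as such; if the markup is not well-formed (WScript is
    tolerant, and sloppy markup is sometimes used to confuse parsers), fall back to
    a case-insensitive regex over the raw text.
    """
    try:
        root = ET.fromstring(data)
        return [s.get("language", "").lower() for s in root.iter("script")]
    except ET.ParseError:
        text = data.decode("utf-8", errors="ignore")
        return [m.lower() for m in re.findall(r'<script\s+language="([^"]+)"', text, re.I)]


def inspect_attachment(zip_bytes: bytes) -> list[dict]:
    """List every script-carrier member of a zip archive, with WSF language details."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            languages = wsf_script_languages(zf.read(info)) if ext == ".wsf" else []
            findings.append({"name": name, "ext": ext, "languages": languages})
    return findings


# Constructed, harmless sample: a WSF job with one VBScript and one JScript block.
SAMPLE_WSF = b"""<job id="Order">
  <script language="VBScript">WScript.Echo "sample"</script>
  <script language="JScript">WScript.Echo("sample");</script>
</job>"""


def build_sample_zip() -> bytes:
    """Constructed zip mirroring the delivery format: one .wsf plus a decoy text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order.wsf", SAMPLE_WSF)  # hypothetical member name
        zf.writestr("readme.txt", b"not a script")
    return buf.getvalue()
```

In a mail gateway or sandbox pipeline, a non-empty result from `inspect_attachment` is the trigger for quarantine and analyst review.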

IoC

    HOSTNAME

  • drippmedsot.mywire.org

    URL

  • http://za.com/Order_ed333c91f0fd.zip
  • http://drippmedsot.mywire.org:8808
  • http://drippmedsot.mywire.org:7707
  • http://drippmedsot.mywire.org:6606

REFERENCES

  • https://asec.ahnlab.com/en/59573/
  • https://allinfosecnews.com/item/hackers-deliver-asyncrat-through-weaponized-wsf-script-files-2023-12-07/
  • https://allinfosecnews.com/item/asyncrat-distributed-via-wsf-script-2023-12-06/
  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/
  • https://otx.alienvault.com/pulse/65708908da87706f34dfe252

TAGS

asyncrat, wsf script, bypassing uac, wsf file, powershell, atomic, exodus
