
AsyncRAT: a large-scale cyber breach

Infiltration and evasive strategies: the RAT that threatens digital security

AsyncRAT, a remote access tool for Windows, was used in a cyberattack to infiltrate and steal data from systems, targeting critical infrastructure in the US.


In the field of cybersecurity, a large-scale infiltration operation was detected and monitored for over 11 months. The protagonist of this offensive campaign is AsyncRAT, a Remote Access Tool (RAT) designed for Windows operating systems and released in 2019. AsyncRAT is known for its ability to execute remote commands, intercept keystrokes (keylogging), steal data and deliver additional payloads without the knowledge of end users. Attackers have used this utility in both its original and modified forms to infiltrate and compromise target systems, carry out reconnaissance, and spread other malware.

Meticulous selection of victims and attack methods

According to the report by Alien Labs, AT&T's research division, the campaign stood out last September for the care taken in selecting its victims: carefully vetted individuals and organizations, many of whom manage critical infrastructure on US soil. The deception begins with emails carrying GIF attachments that redirect users to SVG files; these in turn trigger deliberately obfuscated JavaScript and PowerShell scripts so that the preliminary stages of the attack escape detection.
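As an added example, not taken from the article or the Alien Labs report, here is a small mail-gateway style check for the SVG stage of the chain described above: a benign image has no reason to carry inline script, on* event handlers or references to remote content, so an SVG attachment that does can be quarantined for review. The SVG samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Attributes that may pull in remote or script content (href / xlink:href)
REF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
RISKY_SCHEMES = ("http", "javascript:", "data:")

def scan_svg(svg_text: str) -> list:
    """Return a list of findings for one SVG document (empty = nothing found).

    Reports <script> elements, on* event-handler attributes and external
    references. A document that does not parse is reported as a finding too,
    because malformed markup is itself worth a look at the gateway.
    Note: ElementTree does not fetch external entities, but for untrusted
    input in production prefer defusedxml to also cap entity expansion.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()        # strip XML namespace
        if tag == "script":
            findings.append("inline-script")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):               # onload, onclick, ...
                findings.append(f"event-handler:{local}")
            if name in REF_ATTRS and value.strip().lower().startswith(RISKY_SCHEMES):
                findings.append(f"external-ref:{tag}")
    return findings

def is_suspicious(svg_text: str) -> bool:
    """Quarantine decision: any finding at all makes the attachment suspicious."""
    return bool(scan_svg(svg_text))

# Constructed samples (not from the campaign): a plain icon and a loader-style SVG
BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPECT = ('<svg xmlns="http://www.w3.org/2000/svg" onload="go()">'
           '<script>/* placeholder for obfuscated stage */</script></svg>')
REMOTE = ('<svg xmlns="http://www.w3.org/2000/svg" '
          'xmlns:xlink="http://www.w3.org/1999/xlink">'
          '<image xlink:href="https://example.invalid/next-stage"/></svg>')
```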

The tactic implemented to avoid detection

The primary delivery vehicle for AsyncRAT is a downloader that communicates directly with a command and control (C2) server to check whether the targeted system is suitable for infection. These downloaders, which rely on a series of C2 domains paid for through the BitLaunch service with anonymous, encrypted payments, are programmed to serve decoy payloads if they detect that they are running in an analysis environment: a deliberate tactic to mislead researchers and hide malicious activity from threat intelligence tools.

Anti-sandboxing and attack diversification

The loader performs meticulous checks via PowerShell to identify virtual machines and other protected environments. These checks produce a 'score' on which the next action is decided. Attackers have been observed introducing at least 300 distinct loader variants, each with slight variations in code, obfuscation techniques and parameters to evade detection algorithms and keep the attack effective.


01/11/2024 12:51

Marco Verro
