Executive summary
AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. For at least 11 months, this threat actor has been delivering the RAT through an initial JavaScript file embedded in a phishing page. More than 300 samples and over 100 domains later, the threat actor remains persistent in their intentions.
Key takeaways:
- The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the US.
- The loader uses a fair amount of obfuscation and anti-sandboxing techniques to elude automatic detections.
- As part of the obfuscation, the attacker also uses randomly generated variable names and values, which makes pivoting and string-based detection harder.
- DGA domains are recycled every week, and the loader redirects to a decoy when a VM is identified, to avoid analysis by researchers.
- The ongoing registration of new and active domains indicates this campaign is still active.
- There is an OTX pulse with more information.