Cyble Research and Intelligence Labs (CRIL) has recently revealed a stealthy cyber attack campaign that uses malicious LNK files disguised as innocuous wallpapers to deliver the infamous remote access trojan (RAT) known as AsyncRAT. The campaign is designed to exploit various vulnerabilities and sophisticated techniques to evade detection and establish persistence on the victim’s system. By incorporating advanced evasion methods such as Null-AMSI, it poses a significant cyber risk to users worldwide.
The roots of this campaign have been traced back to a Portuguese-speaking threat actor by Cyble Research and Intelligence Labs. Clues in the form of comments and error messages within the malicious scripts suggest that the attackers are likely from a Portuguese-speaking region, possibly leveraging this linguistic connection to circumvent detection and forensic analysis.
The attack begins with wallpapers featuring popular anime characters such as Sasuke Uchiha or Itachi Uchiha, used as lures that appeal to the victim’s interests. These wallpapers contain malicious LNK shortcuts that, when executed, trigger a multi-stage malware attack culminating in the deployment of AsyncRAT for remote control over the victim’s system.
Upon activation, the LNK file executes an obfuscated PowerShell script that connects to external servers to fetch additional malicious payloads. These payloads operate in memory, avoiding leaving traces on the disk to evade antivirus detection. The encrypted and compressed nature of these payloads further complicates the task for security researchers attempting to analyze them.
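As an added illustration (not code from the Cyble report), the following triage parser pulls the StringData fields out of a .lnk file and applies heuristics tied to this chain: a PowerShell target, a hidden window and in-memory invocation. The sample shortcut, its relative path and the placeholder command line are constructed here, not taken from the campaign.

```python
import struct

# LinkFlags bits and fixed header offsets from MS-SHLLINK (ShellLinkHeader is 76 bytes).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData order
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7  # ShowCommand 7 keeps the launched console out of sight
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields; IDList and LinkInfo are skipped, not decoded."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], 0x4C
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    if flags & HAS_ID_LIST:    # LinkTargetIDList: uint16 IDListSize, then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: uint32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, key in STRING_FIELDS:  # each string: uint16 CountCharacters, then unterminated chars
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            info[key] = data[pos + 2:pos + 2 + n * width].decode(enc)
            pos += 2 + n * width
    return info

def lnk_indicators(info: dict) -> list:
    """Triage heuristics for a shortcut that quietly launches a PowerShell loader, as in the wallpaper lure."""
    args = info.get("arguments", "").lower()
    target = info.get("relative_path", "").lower() + " " + args
    checks = [("target is PowerShell", "powershell" in target or "pwsh" in target),
              ("console window hidden", "hidden" in args or info["show_command"] == SW_SHOWMINNOACTIVE),
              ("execution policy bypass", "bypass" in args),
              ("in-memory script invocation", "iex" in args or "invoke-expression" in args),
              ("fetches remote content", any(k in args for k in ("http", "downloadstring", "webclient")))]
    return [label for label, hit in checks if hit]

def build_sample_lnk(rel_path: str, args: str, show_cmd: int) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE,
                      0, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    field = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + field(rel_path) + field(args)

# Constructed stand-in for the campaign's shortcut; the real obfuscated stage-1 script is not reproduced.
LURE_LNK = build_sample_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                            '-NoProfile -WindowStyle Hidden -Command "IEX([PLACEHOLDER: stage-1 script])"',
                            SW_SHOWMINNOACTIVE)
```

Running `lnk_indicators(parse_lnk(LURE_LNK))` on the constructed sample reports the PowerShell target, the hidden window and the in-memory invocation, while a shortcut to notepad.exe with a plain document argument reports nothing.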
A crucial aspect of this campaign is the use of Null-AMSI, an open-source tool that enables attackers to bypass the Antimalware Scan Interface (AMSI), the Windows feature designed to detect and block malicious scripts. By neutralizing AMSI and Event Tracing for Windows (ETW), Null-AMSI allows the malware to operate without triggering security alerts, ensuring the attackers’ payloads can execute without hindrance.
The infection chain includes the execution of obfuscated PowerShell scripts from the malicious LNK file, downloading encrypted payloads that further obfuscate their actions through AES encryption and GZIP compression. Once decrypted, the final payload deploys AsyncRAT, granting the attacker full remote control over the compromised system.
The attackers use AsyncRAT to steal sensitive data, install additional malware, and execute arbitrary commands on the victim’s machine. The malware conceals itself within encrypted files posing as wallpapers, distracting the victim while secretly deploying the AsyncRAT payload.
Reflective loading and persistence techniques are employed to ensure the malware runs persistently on the victim’s system, injecting malicious code into PowerShell memory without writing to disk. This allows the malware to remain hidden and to execute every time the system restarts.
The campaign’s ability to bypass traditional security measures by exploiting vulnerabilities in PowerShell, AMSI, and ETW demonstrates a concerning trend in the cyber threat landscape. Advanced evasion techniques like Null-AMSI enable attackers to deploy malware like AsyncRAT stealthily without raising security alerts.
To defend against such threats, users are advised to refrain from downloading files or clicking on links from untrusted sources. Antivirus and endpoint solutions should be equipped to detect AMSI bypass techniques, and PowerShell policies should restrict unauthorized scripts. Regular network monitoring and timely system updates are crucial for patching vulnerabilities.
Educating users about phishing, social engineering, and safe browsing practices can also help minimize the risk of similar attacks. Cyble, a leader in AI-powered cybersecurity, offers advanced threat intelligence through its Cyble Vision platform, facilitating real-time monitoring and proactive defense against cyber threats.