
Phishing Campaign Employs Fake Invoice PDF to Distribute AsyncRAT, VenomRAT, and XWorm


Phishing Campaign Employing Fake Invoice PDFs

A recent analysis has revealed an intricate phishing campaign that cleverly utilizes a faux invoice PDF as a front for delivering multiple remote access trojans (RATs). The primary focus of this malicious endeavor is AsyncRAT, but it also involves other trojans such as VenomRAT and XWorm, facilitated through layered shortcuts. This strategic approach highlights a shift in how cyber adversaries operate, reflecting a growing trend of abusing legitimate infrastructure to enhance delivery success while evading detection.

This attack mechanism draws parallels to an incident from August, previously examined by X-Labs, and aligns with the group's forecast that by 2025 adversaries will increasingly exploit legitimate services to bolster their campaigns.

Attack Initiation and Delivery Method

The attack commences with a deceptive phishing email that contains a Dropbox URL, leading the target to download a ZIP archive. Upon extracting and opening this archive, victims encounter an internet shortcut file (.URL) that refers to a TryCloudflare tunnel. This tunnel is pivotal in hosting a .LNK (link) file, which, when executed, triggers a PowerShell command that fetches an obfuscated JavaScript file from the same temporary Cloudflare address.

The JavaScript, once deobfuscated, retrieves a heavily obscured batch (.BAT) file. This is where the main malicious activity occurs: the batch script employs Invoke-WebRequest to download a sizable ZIP file, dubbed ma.zip, which contains what appears to be a legitimate Python package. The script also opens an innocuous-looking invoice PDF in the user's default web browser. This decoy is essential for deceiving the victim while the rest of the chain runs.

Malicious Components within ZIP File

Inside the ma.zip package, most of the files mimic an average Python environment, but a detailed analysis unveils the malicious elements: a script named load.py and five .bin files. The load.py script is base64-obfuscated, and once decoded, it employs the ctypes library to engage with low-level Windows APIs such as VirtualAlloc, RtlMoveMemory, CreateThread, and WaitForSingleObject. Together, these functions allocate executable memory, transfer shellcode, and initiate threads for execution, facilitating a cascade of malicious activities.

According to a report by Forcepoint X-Labs, shared with GBHackers, this is part of an ongoing AsyncRAT malware campaign that utilizes these malicious payloads delivered through suspicious TryCloudflare activity.

Advanced Injection Techniques

The phishing campaign incorporates the Early Bird APC Queue process injection technique, which creates a legitimate process and injects shellcode before its main thread runs. This cunning method can circumvent several antivirus and endpoint detection and response (EDR) measures by executing malicious code almost immediately during the process’s initialization.

Each .bin file is specifically crafted to contain shellcode targeting different RATs. Most of these files inject AsyncRAT into the explorer.exe process, while payload.bin deploys VenomRAT into notepad.exe, and xr.bin targets XWorm. Post-injection, these implants communicate back to the command-and-control infrastructure using various ports, allowing for remote control, data exfiltration, and further lateral movement within the network.

Multi-Stage Attack Chain

The entire attack unfolds through a multi-stage chain: from the ZIP file leading to a .URL shortcut, which in turn leads to a .LNK file, followed by the .JS file that invokes a .BAT script, ultimately extracting the malicious ma.zip file and executing load.py along with the .bin files. This orchestrated sequence combines legitimate cloud services, multi-layered obfuscation, and process-level stealth to keep suspicion and detection at bay.

The decoy PDF is pivotal to the attackers' social engineering. While the malicious components operate quietly in the background, the victim is misled by the appearance of a benign invoice.

Countermeasures and Recommendations

In response to this rising threat, cybersecurity defenders are advised to adopt several actionable countermeasures. Monitoring and blocking anomalous usage of TryCloudflare and other rapid tunnel domains in inbound links is essential. Additionally, scrutinizing downloads for unwanted .URL/.LNK files or script-concealing ZIPs should be routine. Organizations are also encouraged to inspect PowerShell command execution for Invoke-WebRequest calls, particularly those that handle the extraction and execution of archives.
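As an added illustration of two of these checks (not code from the Forcepoint report), the hypothetical helper below triages a ZIP attachment for the .URL/.LNK/script members used in this chain, parses any .URL member for a TryCloudflare target, and flags PowerShell command lines that fetch from a quick-tunnel host with Invoke-WebRequest. The sample archive and command line are constructed; the tunnel hostname is a placeholder.

```python
import io
import re
import zipfile
from configparser import ConfigParser
from typing import List, Optional

# Hypothetical detection helper (added example, not from the report).
TUNNEL_HOST = re.compile(r"https?://[\w.-]*trycloudflare\.com", re.I)
SUSPECT_EXT = (".url", ".lnk", ".js", ".bat", ".vbs", ".hta")
PS_FETCH = re.compile(r"(invoke-webrequest|iwr)\b.*?(https?://\S+)", re.I)


def shortcut_target(data: bytes) -> Optional[str]:
    """Return the URL= value of a Windows .URL (InternetShortcut) file, if any."""
    cp = ConfigParser(interpolation=None)
    try:
        cp.read_string(data.decode("utf-8", "ignore"))
        return cp.get("InternetShortcut", "URL", fallback=None)
    except Exception:  # malformed INI: treat as no parseable target
        return None


def triage_zip(blob: bytes) -> List[str]:
    """List findings: suspect member types and tunnel-hosted .URL targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(SUSPECT_EXT):
                continue
            findings.append(f"suspect member: {info.filename}")
            if name.endswith(".url"):
                target = shortcut_target(zf.read(info))
                if target and TUNNEL_HOST.search(target):
                    findings.append(f"tunnel-hosted shortcut target: {target}")
    return findings


def flag_powershell(cmdline: str) -> bool:
    """True when a PowerShell command line downloads from a quick-tunnel host."""
    m = PS_FETCH.search(cmdline)
    return bool(m and TUNNEL_HOST.search(m.group(2)))


def sample_zip() -> bytes:
    """Constructed sample: decoy PDF plus a .URL pointing at a placeholder tunnel."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0421.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Invoice_0421.url",
                    "[InternetShortcut]\r\nURL=https://example-words.trycloudflare.com/inv.lnk\r\n")
    return buf.getvalue()
```

Run `triage_zip(sample_zip())` or feed `flag_powershell` a Sysmon/4688 command line to see the findings; in production the host pattern would be extended to other rapid tunnel providers.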

Endpoint controls should be enhanced to detect Early Bird injection patterns and memory injections via the specified Windows APIs. Moreover, implementing application control and improved script-blocking protocols can hinder the execution of critical stages in this attack chain.

Lastly, user training remains critical. Reinforcing skepticism regarding unexpected invoice emails and promoting caution against opening contents from archives without proper verification can help mitigate risks.

Forcepoint’s exploration and findings further elaborate on a continuing trend: adversaries are set to increasingly exploit low-cost, legitimate hosting and tunneling services in their pursuit of higher campaign resilience and effectiveness.

By comprehensively understanding and addressing the mechanisms employed in such campaigns, organizations can enhance their security posture against these evolving threats.
