#AsyncRAT

2025-05-19

RAT Dropped By Two Layers of AutoIT Code

A malware attack involving multiple layers of AutoIT code has been discovered. The initial file, disguised as a project file, contains AutoIT script that generates and executes a PowerShell script. This script downloads an AutoIT interpreter and another layer of AutoIT code. Persistence is achieved through a startup shortcut. The second layer of AutoIT code is heavily obfuscated and ultimately spawns a process injected with the final malware, likely AsyncRAT or PureHVNC. The attack utilizes various techniques including file downloads, script execution, and process injection to deliver and maintain the malicious payload.

Pulse ID: 682afb96260a8200f94a1698
Pulse Link: otx.alienvault.com/pulse/682af
Pulse Author: AlienVault
Created: 2025-05-19 09:36:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AsyncRAT #Autoit #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #ScriptExecution #VNC #bot #hVNC #AlienVault

Top 10 last week's threats by uploads 🌐
⬆️ #Lumma 854 (740)
⬆️ #Remcos 652 (524)
⬆️ #Asyncrat 482 (323)
⬆️ #Xworm 467 (415)
⬆️ #Snake 347 (336)
⬇️ #Agenttesla 268 (288)
⬆️ #Amadey 239 (186)
⬆️ #Dcrat 136 (85)
⬆️ #Stealc 136 (82)
⬆️ #Gcleaner 120 (90)
Track them all: any.run/malware-trends/?utm_so

Top 10 last week's threats by uploads 🌐
⬆️ #Lumma 753 (524)
⬆️ #Remcos 556 (130)
⬆️ #Xworm 427 (163)
⬆️ #Asyncrat 349 (165)
⬆️ #Snake 342 (182)
⬆️ #Agenttesla 299 (119)
⬆️ #Amadey 194 (185)
⬇️ #Neconyd 190 (286)
⬆️ #Quasar 114 (74)
⬆️ #Dcrat 87 (74)

👉 Track them all: any.run/malware-trends/?utm_so

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 524 (557)
⬆️ #Tofsee 347 (333)
⬆️ #Neconyd 286 (264)
⬆️ #Amadey 185 (150)
⬇️ #Snake 182 (252)
⬇️ #Asyncrat 165 (285)
⬇️ #Xworm 163 (305)
⬇️ #Remcos 130 (227)
⬆️ #Agenttesla 119 (113)
⬆️ #Stealc 103 (84)

🚀 Track them all: any.run/malware-trends/?utm_so

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 569 (1077)
⬆️ #Tofsee 363 (263)
⬇️ #Xworm 309 (1099)
⬇️ #Asyncrat 290 (395)
⬆️ #Neconyd 283 (169)
⬇️ #Snake 254 (379)
⬇️ #Remcos 232 (566)
⬇️ #Amadey 156 (380)
⬆️ #Formbook 134 (78)
⬇️ #Agenttesla 114 (271)

Track them all: any.run/malware-trends/?utm_so

2025-04-23

Our new report describes one of the latest observed infection chains (delivering #AsyncRAT) relying on the #Cloudflare tunnel infrastructure and the attacker’s #TTPs with a principal focus on detection opportunities.

blog.sekoia.io/detecting-multi

2025-04-21

Watch Out!🚨 New phishing scam targets hotel staff with fake #Booking.com emails. A fake CAPTCHA leads to AsyncRAT malware via a Windows Run trick.

Read more: hackread.com/booking-com-phish

#CyberSecurity #AsyncRAT #Phishing #Scam

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 592 (644)
⬇️ #Snake 306 (513)
⬇️ #Xworm 281 (341)
⬇️ #Asyncrat 277 (303)
⬆️ #Tofsee 264 (194)
⬆️ #Remcos 240 (203)
⬇️ #Agenttesla 195 (326)
⬆️ #Neconyd 169 (154)
⬆️ #Amadey 108 (95)
⬆️ #Quasar 91 (82)

Track them all: any.run/malware-trends/?utm_so

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 630 (647)
⬆️ #Tofsee 529 (524)
⬇️ #Xworm 305 (789)
⬇️ #Snake 251 (376)
⬆️ #Neconyd 218 (36)
⬇️ #Asyncrat 165 (377)
⬇️ #Amadey 146 (962)
⬇️ #Remcos 127 (876)
⬇️ #Agenttesla 116 (145)
⬆️ #Quasar 111 (107)

🛡️ Track them all: any.run/malware-trends/?utm_so

#Cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Amadey 963 (156)
⬇️ #Remcos 880 (923)
⬇️ #Xworm 792 (967)
⬆️ #Lumma 673 (659)
⬆️ #Tofsee 535 (144)
⬆️ #Snake 403 (326)
⬇️ #Asyncrat 380 (433)
⬇️ #Stealc 157 (171)
⬇️ #Agenttesla 153 (245)
⬇️ #Vidar 151 (178)

🛡️ Track them all: any.run/malware-trends/?utm_so

#Cybersecurity #infosec

Top 10 last week's threats by uploads 🌐
⬆️ #Xworm 983 (391)
⬆️ #Remcos 936 (172)
⬆️ #Lumma 686 (531)
⬆️ #Asyncrat 436 (279)
⬆️ #Snake 346 (315)
⬆️ #Agenttesla 251 (161)
⬇️ #Dcrat 189 (192)
⬆️ #Vidar 184 (59)
⬆️ #Stealc 176 (49)
⬆️ #Amadey 160 (91)

Track them all: any.run/malware-trends/?utm_so

#Cybersecurity #infosec

2025-03-20

"Advanced threats: KONNI, current phishing campaign" published by RODNSC. #AsyncRAT, #Konni, #LNK, #DPRK, #CTI dnsc.ro/citeste/amenintari-ava

2025-03-18

#ESETresearch has uncovered the #MirrorFace Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute.
welivesecurity.com/en/eset-res

Surprisingly, #MirrorFace used #ANEL – a backdoor historically linked only to #APT10 – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella.
Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025, persuading recipients to download malicious attachments.
Once the files were opened, a layered compromise chain ensued. Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement.

#MirrorFace used an intricate execution chain to stealthily run a highly tweaked #AsyncRAT within #WindowsSandbox, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT.
In another twist, #MirrorFace utilized #VSCode remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups.
The group primarily leveraged #ANEL as a first-stage backdoor; #HiddenFace – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence. Notably absent this time was #LODEINFO, which #MirrorFace typically employs.

We presented our findings about Operation AkaiRyū conducted by #MirrorFace at @jpcert_ac on January 22, 2025: jsac.jpcert.or.jp.
IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr

2025-03-12

"Konni's latest AsyncRAT attack: infection technique using LNK files" published by ENKI. #AsyncRAT, #Konni, #LNK, #DPRK, #CTI enki.co.kr/media-center/blog/k

nemo™ 🇺🇦 (nemo@mas.to)
2025-03-11

A new campaign, dubbed Desert Dexter, is targeting the Middle East & North Africa, impacting ~900 victims since fall '24! 😱 They're using social media & altered AsyncRAT malware to steal data & crypto. Watch out for malicious ads & file-sharing links! ⚠️ #cybersecurity #malware #AsyncRAT #DesertDexter #newz

thehackernews.com/2025/03/dese

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-28

Happy Friday everyone!

I feel like this has become a weekly PSA but Kaspersky Securelist researchers have identified hundreds of #GitHub projects that are serving up malicious code designed to steal saved credentials, cryptocurrency wallets, and browsing history. Sometimes this execution of code leads to the #ASyncRAT or #Quasar Backdoor, but the threat remains the same: blindly executing code from GitHub. I hope you enjoy and Happy Hunting!

The GitVenom campaign: cryptocurrency theft using GitHub

securelist.com/gitvenom-campai

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

2025-02-20

Ultimately #asyncrat and #hvnc:

mathewhvnc.twilightparadox\.com
kjhvnc.duckdns\.org
rtasyn.duckdns\.org
asyncyam.twilightparadox\.com

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-05

Happy Wednesday everyone!

#AsyncRAT has made headlines in a report published by the Forcepoint X-Labs research team. A significant finding was that the malware leveraged payloads delivered through suspicious TryCloudflare quick tunnels and Python packages. While I am familiar with Python packages being weaponized during a supply chain attack, the topic of quick tunnels eluded me. So, I looked it up and found that "Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. TryCloudflare will launch a process that generates a random subdomain on trycloudflare.com. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost." [developers.cloudflare.com/clou]

This was interesting as it seemed to be a workaround or possibly a replacement for domain generating algorithms (DGAs). And if I am misunderstanding this technology, someone please enlighten me!

Behaviors:
Initial Access:
Phishing: Spearphishing Link - T1566.002

Execution:
Command And Scripting Interpreter: JavaScript - T1059.007
- A javascript was executed after an LNK file was delivered and executed and links to a .BAT file.

Command And Scripting Interpreter: Windows Command Shell - T1059.003
- A .BAT file is executed that leads to another zip file that contains a python script used to execute the AsyncRAT malware.

Command And Scripting Interpreter: Python - T1059.006
- A python file is used to execute the AsyncRAT malware.

As usual, go show the authors some love and check out the details I excluded and get hunting on those behaviors! Enjoy and Happy Hunting!

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again
forcepoint.com/blog/x-labs/asy

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
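The defanged C2 domains in the 2025-02-20 post above and the TryCloudflare quick-tunnel behaviour described in this one can both be turned into a simple DNS-log hunt. The Python below is an added example, not code from either post or from Forcepoint: it refangs the posted indicators (the `\.` hides the dot), and, because a quick tunnel is a random label under trycloudflare.com, it matches that suffix rather than any exact name, which is what makes the suffix behave like a DGA from the defender's side. The log line format and the sample lines are constructed for the example.

```python
"""Hunt for AsyncRAT C2 indicators in DNS query logs (added example).

Exact-name matching covers the defanged domains posted in the thread;
suffix matching covers TryCloudflare quick tunnels, whose leading label
is random and cannot be listed in advance. A quick-tunnel hit is a
hunting lead, not proof: developers use the service legitimately.
"""
import re
from collections import defaultdict
from typing import Optional

# Defanged indicators copied from the 2025-02-20 post ("\." hides the dot).
DEFANGED_IOCS = [
    r"mathewhvnc.twilightparadox\.com",
    r"kjhvnc.duckdns\.org",
    r"rtasyn.duckdns\.org",
    r"asyncyam.twilightparadox\.com",
]

# Quick tunnels live under this suffix; the label in front of it is random.
QUICK_TUNNEL_SUFFIX = "trycloudflare.com"

# Constructed sample log (not real telemetry). Assumed line format:
#   <timestamp> <client_ip> <record_type> <query_name>
SAMPLE_DNS_LOG = """\
2025-02-05T09:58:12Z 10.10.4.21 A www.example.com
2025-02-05T09:58:40Z 10.10.4.21 A rtasyn.duckdns.org
2025-02-05T09:59:03Z 10.10.4.22 A cdn.example.net
2025-02-05T09:59:51Z 10.10.4.21 A quiet-lamp-market-swan.trycloudflare.com.
2025-02-05T10:00:14Z 10.10.4.23 AAAA Mathewhvnc.Twilightparadox.com
2025-02-05T10:01:02Z 10.10.4.23 A nottrycloudflare.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('\\.', '[.]', '(.)') back into a hostname."""
    name = indicator.replace("\\.", ".").replace("[.]", ".").replace("(.)", ".")
    return name.lower().rstrip(".")


def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing dot that DNS loggers often keep."""
    return qname.lower().rstrip(".")


def is_subdomain_of(name: str, suffix: str) -> bool:
    """True for the suffix itself or any label below it; 'nottrycloudflare.com' is not."""
    return name == suffix or name.endswith("." + suffix)


def classify_query(qname: str, ioc_set: frozenset) -> Optional[str]:
    """Return 'ioc_match', 'quick_tunnel' or None for one query name."""
    name = normalize_qname(qname)
    if name in ioc_set:
        return "ioc_match"
    if is_subdomain_of(name, QUICK_TUNNEL_SUFFIX):
        return "quick_tunnel"
    return None


def hunt(log_text: str, defanged_iocs=DEFANGED_IOCS) -> list:
    """Return one finding dict per matching log line, in log order."""
    ioc_set = frozenset(refang(i) for i in defanged_iocs)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ts, client, rtype, qname = m.groups()
        verdict = classify_query(qname, ioc_set)
        if verdict:
            findings.append({"time": ts, "client": client, "type": rtype,
                             "query": normalize_qname(qname), "verdict": verdict})
    return findings


def clients_by_verdict(findings: list) -> dict:
    """Group affected client IPs per verdict for triage."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["verdict"]].add(f["client"])
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_DNS_LOG)
    for finding in results:
        print(finding)
    print(clients_by_verdict(results))
```

On the constructed log the hunt flags three queries: two exact matches against the refanged indicators (one of them logged in mixed case) and one quick-tunnel suffix match, while the look-alike `nottrycloudflare.com` is left alone because the suffix check requires a label boundary.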

👾 #Lumma, #AgentTesla, and #AsyncRAT became the top uploaded threats in 2024

Explore the most prevalent #malware types and MITRE ATT&CK techniques in ANYRUN's 2024 Malware Trends Report to stay informed and proactive: any.run/cybersecurity-blog/mal

#cybersecurity #infosec
