Saturday, 04 February 2023

Phishing Campaign Leverages New Technique to Evade Detection


Researchers at Morphisec have detailed a new delivery type for AsyncRAT (Remote Access Trojan) used as part of a phishing campaign that has been running since at least September 2021. The phishing part of the campaign is routine: an email with an HTML attachment that looks like a receipt. When opened, the victim is directed to a webpage that asks them to save a file (an ISO file). On the surface it looks like a regular file download that will go through the usual security channels. However, things turn out not to be what they expected (read that in Morgan Freeman’s voice).

Instead, the developers of this new technique have the ISO built inside the web browser by JavaScript embedded in the original attachment. There is no download, so no traffic is interrogated by network scanners, and most antimalware agents ignore the HTML file as well. The actual delivery is much more complex than a simple download. The delivery method is a Base64-encoded string together with a base64toblob function that takes the Base64-encoded string as its input. There the string is decoded and converted to a byte array. The byte array is then used to create a blob with a MIME type of application/octet-stream.

In simplified terms, the JavaScript in the HTML attachment uses a base64-encoded string to make the user think that an ISO is being downloaded from a site. In reality it is being created locally, from the base64 string, directly on the target system.
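As an added defensive example (not code from Morphisec or from this post), here is a Python scanner that applies the indicators described above to an HTML attachment: a string passed to atob, a byte array, a Blob typed application/octet-stream, a forced download of a .iso, plus a check of whether any long embedded base64 run decodes to an ISO 9660 image (the CD001 signature at byte offset 0x8001). The sample attachment and the fake ISO it carries are constructed for the test; the indicator names and the scoring threshold are my own assumptions.

```python
import base64
import re

# Heuristics for the in-browser file assembly described above (assumed names).
SMUGGLING_PATTERNS = {
    "atob_decode": re.compile(r"\batob\s*\("),
    "byte_array": re.compile(r"\bUint8Array\b"),
    "blob_octet_stream": re.compile(r"new\s+Blob\s*\(.*?application/octet-stream", re.S),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "iso_download": re.compile(r"download\s*=\s*['\"][^'\"]*\.iso['\"]", re.I),
}
# A base64 run of 1 KiB or more is the embedded payload itself.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")

def payload_type(data: bytes) -> str:
    """Classify a decoded payload by file signature."""
    if len(data) > 0x8005 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"   # ISO 9660 primary volume descriptor
    if data[:2] == b"MZ":
        return "pe"        # Windows executable
    return "unknown"

def scan_html(html: str) -> dict:
    """Return matched indicators, decoded payloads and a verdict."""
    hits = [name for name, rx in SMUGGLING_PATTERNS.items() if rx.search(html)]
    payloads = []
    for m in BASE64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:      # binascii.Error is a ValueError: not real base64
            continue
        payloads.append((len(raw), payload_type(raw)))
    score = len(hits) + (2 if any(t != "unknown" for _, t in payloads) else 0)
    return {"indicators": hits, "payloads": payloads, "suspicious": score >= 3}

def build_sample() -> str:
    """Constructed attachment: a fake ISO (zeros plus the CD001 signature) embedded as base64."""
    fake_iso = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64
    b64 = base64.b64encode(fake_iso).decode()
    return ('<html><body><script>var s="' + b64 + '";'
            'var bytes=new Uint8Array(atob(s).length);/* fill loop omitted */'
            'var blob=new Blob([bytes],{type:"application/octet-stream"});'
            'var a=document.createElement("a");a.href=URL.createObjectURL(blob);'
            'a.download="receipt.iso";a.click();</script></body></html>')

# Constructed benign attachment: an ordinary link, nothing assembled in the browser.
BENIGN = '<html><body><a href="https://example.invalid/receipt.pdf">Receipt</a></body></html>'

if __name__ == "__main__":
    print(scan_html(build_sample()))
    print(scan_html(BENIGN))
```

Running it on the constructed sample reports all five indicators and one decoded payload of 32838 bytes classified as iso9660; the benign page reports none.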

When the targeted user opens the ISO, it is immediately mounted as a DVD drive and executes the next part of the attack. This is typically a .bat or .vbs file that is run as part of the automount. That runs more obfuscated code (PowerShell) that creates a scheduled task as a persistence mechanism, executes another dropped .vbs file, unpacks a Base64-encoded and compressed .NET module, and finally injects the .NET module into memory.

Our new friend the .NET dropper, now running safely in memory, pulls down three more files. Each of these three files adds more evasive tactics to hide what’s really going on. There is even a function to check for antimalware solutions on the device and create exclusions in Windows Defender. The injection process also cleans up after itself to avoid leaving artifacts for detection. Once we are through all the downloading fun, the result is a nice shiny new copy of AsyncRAT on your device. It is likely that the technique could be used for other payloads as well, and probably will be, given its currently low detection rates.

This technique is clearly designed to get around legacy antimalware, and it has a chance of getting around newer antimalware as well if it is not configured properly. This type of campaign shows how vital security culture training is. Everyone must think of security as part of day-to-day operations. Being sent a file that you are not expecting should not trigger a “let’s download it” response. It should trigger a response of confirming the email and the file via a different method. If it cannot be confirmed, report it and delete it.
Stay safe out there.
