AsyncRAT Malware Campaign Found Targeting South American Hotels


A new AsyncRAT malware campaign from threat actor TA558 is targeting the South American hospitality industry, demanding the attention of travelers and cybersecurity professionals.

The campaign employs a new derivative of AsyncRAT, which is an open-source remote access trojan (RAT) that operates primarily as a credential-stealer and loader for other malware. This latest use case of the malware illustrates how cybercriminals are adopting new techniques to breach computer systems and steal sensitive data.

Below, we walk through how this malware campaign was discovered and analyzed, describe its likely connection to a known threat group, and offer tips to help organizations combat this malware threat effectively.

The discovery and analysis

Security researchers discovered this new AsyncRAT derivative while analyzing a simple malware sample – a JavaScript (JS) file that appeared to be malicious – and its infection chain. Closer investigation of the sample showed the malware was a downloader of a malicious PowerShell script – obscured to look like a PDF – that was hosted on a compromised web domain. The “PDF” dropped two files: one being a helper dynamic-link library (DLL) and the other being AsyncRAT.

Consistent with how threat actors often distribute AsyncRAT, attackers typically deliver this malware derivative via a phishing email, which will likely contain a hyperlink that downloads a ZIP file from an S3 bucket. Interestingly, research showed the URL hosting the ZIP file ended with a query to Google. This is likely to redirect users to Google after downloading the file, making it appear that nothing out of the ordinary happened. It can also defeat network filters that allow URLs based on a trusted domain appearing anywhere in the string: a filter that explicitly allows any URL containing “Google.com” would let this download through.
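The filter-evasion point above is worth seeing in code. The example below is added here and is not from the article or from WatchGuard; the URLs in it are constructed samples, not indicators from the campaign. It contrasts a naive allowlist that substring-matches a trusted domain anywhere in the URL (the weak check the article describes) with one that compares only the parsed hostname, and it also handles the userinfo and port cases (`user@host:port`) that substring checks tend to get wrong.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for illustration only (not IoCs from the article).
SAMPLE_URLS = [
    "https://www.google.com/search?q=hotel",
    # Download hosted elsewhere, with a Google reference tacked onto the query string.
    "https://compromised-host.example/files/reservation.zip?redirect=https://www.Google.com",
    "https://bucket.s3.example/reservation.zip?q=google.com",
]

# Hypothetical allowlist of trusted registrable domains.
ALLOWED_DOMAINS = {"google.com"}


def naive_allows(url: str) -> bool:
    """Substring match over the whole URL: lets any URL that merely mentions
    a trusted domain (in the path, query, or userinfo) pass."""
    lowered = url.lower()
    return any(domain in lowered for domain in ALLOWED_DOMAINS)


def host_of(url: str) -> str:
    """Return the lowercased hostname of the URL, without userinfo or port."""
    parts = urlsplit(url)
    # .hostname already drops 'user:pass@' and ':port' and lowercases.
    return (parts.hostname or "").rstrip(".")


def host_allows(url: str) -> bool:
    """Allow only when the parsed hostname is the trusted domain or a
    subdomain of it; anything in the path or query is irrelevant."""
    host = host_of(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def classify(url: str) -> dict:
    """Report what each check would decide for one URL."""
    return {"url": url, "naive": naive_allows(url), "host_based": host_allows(url)}


def evasions(urls) -> list:
    """URLs the naive filter would allow but the host-based filter rejects."""
    return [u for u in urls if naive_allows(u) and not host_allows(u)]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify(url))
    print("Would slip past the naive filter:", evasions(SAMPLE_URLS))
```

Run as-is, the two constructed download URLs show up in the `evasions` list: the naive check accepts them because "google.com" appears in the query string, while the host-based check rejects them because the actual host is not a trusted domain. A proxy or secure web gateway allowlist should be evaluated the same way, against the parsed host (or a full URL pattern), never against the raw URL string.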

Further inspection of the malware file showed how the “PDF” operates in the malware’s infection chain. The malicious PowerShell script, shrouded as a PDF, contains two binaries, minor obfuscation, and algorithmic bit manipulation. Additional analysis confirmed the malware is a dropper. Among the indicators of compromise were web domains and URLs associated with hotels in South American countries, particularly Brazil and Chile.

Link to known threat group

Broader research indicated this AsyncRAT malware campaign is associated with the threat group TA558. The group, which is believed to operate from Brazil, has a history of hijacking domains and using trusted content delivery networks (CDNs) to distribute loaders and droppers. Email phishing appears to be the group’s preferred attack vector. The group has historically employed myriad RATs, while favoring AsyncRAT recently.

In this malware use case, the threat actor’s methods for obfuscating its downloaders and droppers aren’t novel. They use file manipulation that bypasses basic filters, but once their attacks execute, they tend to be “loud.” The threat actor’s use of “Google.com” queries in the stage 1 download, leveraging compromised domains, and masking droppers as PDFs are attempts to keep the noise down.

How to combat this latest AsyncRAT campaign

A notable characteristic of AsyncRAT malware is its use of encryption and obfuscation methods to avoid detection, which this latest campaign employs. Therefore, it’s important for organizations to adopt a defense-in-depth approach to repel this malware threat.

Organizations must conduct user awareness training to counter phishing and spear-phishing attacks. Gamification methods can make security training more effective and help lessons stick with end users. As always, security training should emphasize the risks of downloading documents or email attachments from unknown sources. Additionally, organizations must leverage advanced endpoint detection and response solutions that can quickly respond to stop the execution of malicious attacks. Using security solutions at the network and host-based levels is crucial to effective security.

Furthermore, it’s critical for IT and security teams to regularly update software and install security patches, use strong access controls and passwords, and routinely back up data. Should an AsyncRAT attack get past initial defenses, containment is important. If a system or device becomes infected, isolate it from the rest of the network and make sure the threat is contained.

While the methods employed in this latest AsyncRAT malware campaign aren’t novel, they have proven to be effective, which is why threat actors continue to use them. The most effective way to prevent AsyncRAT malware attacks is to train users to be skeptical of emails sent from unknown senders and to never open strange email attachments from external entities unless users are certain of the sender and its content. Even the most educated people can fall victim to email phishing tactics, which underscores the importance of having a multilayered security posture.

About the Author

Ryan Estes is an intrusion analyst at WatchGuard Technologies. His research focuses on malware analysis, malware reverse engineering and ransomware threats, and he frequently covers these topics as a contributor to WatchGuard’s Secplicity blog. During his time in the cybersecurity field, he has earned 12 certifications from organizations such as (ISC)², CompTIA, Offensive Security, CWNP, and Saint Louis University (SLU). Ryan holds a bachelor’s in computer science from Southern Illinois University Edwardsville (SIUE), a master’s in cybersecurity from SLU, and is pursuing an MBA with a focus in management information systems at


