Researchers Reversed Asgard Malware Protector to Uncover its Antivirus Bypass Techniques


In recent months, security researchers have turned their attention to Asgard Protector, a sophisticated crypter employed by cybercriminals to obfuscate and deploy malicious payloads.

First advertised on underground forums in late 2023, Asgard Protector has gained traction among threat actors for its seamless integration with popular malware-as-a-service families such as the LummaC2 infostealer.

By wrapping infostealers and remote access trojans within seemingly benign installers, Asgard Protector undermines traditional antivirus defenses and complicates incident response efforts.

The toolkit typically arrives as a Nullsoft self-extracting archive that, upon execution, unpacks several hidden components into the temporary directory.

SpyCloud analysts noted that this installer disguises its batch script with mismatched file extensions—for example, renaming a .bat file to Belgium.pst—and employs obfuscation techniques to hide its true purpose.

Once extracted, the installer reassembles an AutoIt interpreter binary from fragments stored in embedded CAB archives, reconstructing the executable before launching the next stage.


SpyCloud analysts identified additional layers of evasion within the embedded AutoIt scripts. Encrypted payloads are stored inside the script and only decrypted in memory using an RC4 routine.

The script then decompresses the binary using the LZNT1 algorithm before performing a process injection into explorer.exe, effectively hiding the malicious process under a trusted system host.

Asgard Protector ad, which appeared on XSS (Source – SpyCloud)

A unique sandbox-detection mechanism further complicates analysis: the script pings a randomly generated domain name. On a real network such a name does not resolve and the ping fails, so any reply is taken as evidence of a sandbox that answers every DNS query or emulates the network, and the script exits.
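The check described above, modelled in Python as an added example (written from the description on this page, not the crypter's own AutoIt code): a random label is resolved, and any answer is treated as proof of a monitored environment. It substitutes a DNS lookup for the ping the article mentions, and the resolver is injectable so the logic can be exercised offline. The practical caveat for analysts is the mirror image: a sandbox whose fake DNS resolves every name, so that samples reach a simulated C2, is exactly what this test catches, so unknown names should return NXDOMAIN.

```python
"""Sandbox check of the 'does a random domain resolve?' kind.
Added example; domain suffix, label length and attempt count are assumptions."""
import secrets
import socket
import string


def random_domain(label_len: int = 12, suffix: str = "com") -> str:
    """Build a throwaway name that should not exist on the public Internet."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(secrets.choice(alphabet) for _ in range(label_len))
    return f"{label}.{suffix}"


def real_resolver(name: str):
    """Return an address string if the OS resolver answers, else None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def looks_like_sandbox(resolve=real_resolver, attempts: int = 2) -> bool:
    """True if any random name resolves. A genuine resolver should fail every
    time; an analysis box that answers everything (InetSim-style) will not."""
    return any(resolve(random_domain()) is not None for _ in range(attempts))


if __name__ == "__main__":
    # Live run against the host's resolver (needs network); offline, inject a stub.
    print("sandbox suspected:", looks_like_sandbox())
```

The malware's version inverts the usual posture: where legitimate software treats a resolvable name as success, the crypter treats it as a reason to abort.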

After this unpacking and validation, the malicious payload gains persistence by modifying autorun registry keys or deploying scheduled tasks, depending on the operator’s configuration.

The combination of in-memory decryption, compression, and sandbox checks enables Asgard Protector to slip past endpoint defenses and execute without ever writing the decrypted payload to disk.

Infection Mechanism

Delving deeper into the infection mechanism reveals how Asgard Protector engineers its defense evasion.

The Nullsoft installer script leverages a simple yet effective obfuscation:

findstr /b /r /c:"MZ" *.dat > offset.txt
for /f "tokens=1" %%A in (offset.txt) do set /A start=%%A
certutil -decode input.cab temp.exe
fsutil file createnew stub.bin %start%
more +%start% input.cab >> stub.bin

The obfuscated .bat file used by Asgard Protector for installation (Source – SpyCloud)

In this snippet, the script locates the “MZ” header within a CAB archive to determine where the embedded PE image begins.

It then concatenates the extracted data past that offset to reconstruct the AutoIt binary. Once assembled, the script executes a companion AutoIt script that handles RC4 decryption and LZNT1 decompression before injecting the resulting payload into explorer.exe.

This piecemeal assembly and execution model allows the malware to evade signature-based antivirus engines and thwart disk-based inspection tools.
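The two transformations this article describes, locating a PE image by its MZ header to carve the AutoIt binary out of a carrier file, and RC4-decrypting then LZNT1-decompressing the embedded payload, are exactly what an analyst has to re-implement to unpack a sample statically. The block below is an added example written for this page, not SpyCloud's or the crypter's code. The key, the carrier layout and the sample bytes are constructed (a 68-byte fake PE image and its hand-encoded LZNT1 form), so it runs offline; the LZNT1 decoder follows the MS-XCA chunk format and the RC4 routine is the textbook cipher.

```python
"""Analyst-side unpacking helpers for an Asgard-style chain. Added example;
SAMPLE_* values and FAKE_PE are constructed, not real artefacts."""
import struct

PE_SIG = b"PE\0\0"


def find_pe_offsets(blob: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (DOS header +0x3C) points at 'PE\\0\\0'.
    A bare string match on 'MZ', as the batch script does, also fires on any
    stray 'MZ' in the data; following e_lfanew filters those false positives."""
    hits, start = [], 0
    while (i := blob.find(b"MZ", start)) >= 0:
        if i + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
            pe = i + e_lfanew
            if blob[pe:pe + 4] == PE_SIG:
                hits.append(i)
        start = i + 1
    return hits


def carve_pe(blob: bytes) -> bytes:
    """Everything from the first valid MZ header onward: the 'stub' the batch
    rebuilds by concatenating the carrier's bytes past the located offset."""
    offsets = find_pe_offsets(blob)
    if not offsets:
        raise ValueError("no PE image found in blob")
    return blob[offsets[0]:]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _lznt1_chunk(chunk: bytes, out: bytearray) -> None:
    """Decode one compressed LZNT1 chunk, appending to out. Each flag byte governs
    eight tokens: bit clear = literal byte, bit set = 16-bit back-reference whose
    split between distance and length depends on how much of the chunk exists."""
    base, pos = len(out), 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                return
            if not (flags >> bit) & 1:
                out.append(chunk[pos])
                pos += 1
                continue
            if pos + 2 > len(chunk):
                raise ValueError("truncated LZNT1 token")
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            produced = len(out) - base
            len_mask, disp_shift, p = 0xFFF, 12, produced - 1
            while p >= 0x10:          # more output so far -> more distance bits
                len_mask >>= 1
                disp_shift -= 1
                p >>= 1
            length = (token & len_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > produced:
                raise ValueError("LZNT1 back-reference before chunk start")
            for _ in range(length):   # byte-wise copy handles overlapping runs
                out.append(out[-disp])


def lznt1_decompress(data: bytes) -> bytes:
    """Walk the chunk stream: 2-byte header = size-1 (12 bits), signature 011,
    compressed flag in bit 15; a zero header ends the stream."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:
            break
        if (header >> 12) & 0x7 != 0x3:
            raise ValueError(f"bad LZNT1 chunk signature at offset {pos - 2}")
        size = (header & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated LZNT1 chunk")
        pos += size
        if header & 0x8000:
            _lznt1_chunk(chunk, out)
        else:
            out += chunk
    return bytes(out)


def unpack_payload(key: bytes, encrypted: bytes) -> bytes:
    """Reverse the AutoIt stage: RC4 decrypt, LZNT1 decompress, confirm a PE."""
    image = lznt1_decompress(rc4(key, encrypted))
    offsets = find_pe_offsets(image)
    if not offsets or offsets[0] != 0:
        raise ValueError("decrypted data does not start with a PE image")
    return image


# --- constructed sample data (not real Asgard artefacts) ---
# 68-byte fake PE image: 'MZ', zero padding, e_lfanew = 0x40, then 'PE\0\0'.
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + PE_SIG
# Same image hand-encoded as one LZNT1 chunk (header 0xB00E = compressed, 15 data
# bytes): flags 0x08, literals 'M','Z',0x00, a <length 57, distance 1> copy of the
# zero byte (token 0x0036), the e_lfanew bytes, flags 0x00, literals 'PE\0\0'.
FAKE_PE_LZNT1 = (b"\x0e\xb0" + b"\x08" + b"MZ\x00" + b"\x36\x00"
                 + struct.pack("<I", 0x40) + b"\x00" + PE_SIG)
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_ENCRYPTED = rc4(SAMPLE_KEY, FAKE_PE_LZNT1)     # what the AutoIt script holds
SAMPLE_CARRIER = b"\xde\xad\xbe\xef" + b"junk header " + FAKE_PE  # .dat-style carrier

if __name__ == "__main__":
    print("PE offsets in carrier:", find_pe_offsets(SAMPLE_CARRIER))
    print("carved == FAKE_PE:", carve_pe(SAMPLE_CARRIER) == FAKE_PE)
    print("unpacked == FAKE_PE:", unpack_payload(SAMPLE_KEY, SAMPLE_ENCRYPTED) == FAKE_PE)
```

Against a real sample the carrier is the .dat/.cab material the batch reads, the key and ciphertext come out of the AutoIt script, and the result of `unpack_payload` is the image that would otherwise only ever exist inside explorer.exe.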


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.