Distribution of AsyncRAT Disguised as Ebook

1. Overview

AhnLab SEcurity intelligence Center (ASEC) covered cases of AsyncRAT being distributed via various file extensions (.chm, .wsf, and .lnk). [1] [2]

In the aforementioned blog posts, it can be seen that the threat actor used normal document files disguised as questionnaires to conceal the malware. In a similar vein, there have been cases recently where the malware was disguised as an ebook.

Figure 1. An ebook being distributed with the malware

2. Malware Executed via Scripts

The compressed file disguised as an ebook contains a malicious LNK file disguised with a compressed file icon, a text file containing a malicious PowerShell script, additional compressed files disguised with a video file extension, and a normal ebook file. The LNK file contains malicious commands and reads the RM.TXT file containing the PowerShell script to execute it.

Figure 2. A malicious LNK file disguised with a compressed file icon

RM.TXT consists mostly of meaningless strings to conceal the malicious PowerShell script. The actual script changes the property of the folder containing the downloader malware to hidden and executes an obfuscated script.

Figure 3. RM.TXT containing a malicious PowerShell script

The obfuscated script scans for security products in the system. Based on the scan result, the script executes the malware within the compressed files disguised with a video file extension.

Figure 4. The main logic of the decrypted PowerShell script
Figure 5. Compressed files disguised as video files

2.1. Method1

Figure 6. Part of the Method1 function

The Method1 function decompresses 4.mkv and registers the XML file that executes the “NTUSER.BAT{428f9636-1254-e23e3-ada2-03427pie23}.TM.VBS” script under the name “BitTorrent Certificate” to the Task Scheduler.

The executed VBS file records system information in the file named “WindowsLogFile.txt” and executes the PowerShell script through a batch file (NTUSER.BAT{428f9636-1254-ee23-ada2-080027dede23}.TM.bat).

Figure 7. Part of the PowerShell code that decrypts and executes the data file

The executed PowerShell script (NTUSER.DAT{428f1209-1254-11ef-ada2-080027dede23}.TxR.1.ps1) loads the blf files (NTUSER.DAT{428f1209-1254-13ef-ada4-080027dede23}.TxR.blf and NTUSER.DAT{4280000a-1254-11ef-ada2-080007dede23}.TM.blf) which are obfuscated PE files and executes AsyncRAT.

2.2. Method2

The Method2 function decompresses 5.mkv and registers the task schedule that executes the VBS script within the compressed file under the name “BitTorrent”. The VBS script executes the AutoHotKey script through the batch file and ultimately downloads AsyncRAT from the URL shown below to run it.

Figure 8. AutoHotKey script

2.3. Method3

The Method3 function decompresses 8.mkv and registers the task schedule that executes the PowerShell script within the compressed file under the name “USER ID Converter”. The PowerShell script is obfuscated in the same way as the RM.TXT file and ultimately executes AsyncRAT in the same directory directly.

3. AsyncRAT

AsyncRAT that is executed in the end has features such as AntiVM, AntiAV, maintaining persistence, and exfiltrating user information. It can also perform various malicious behaviors by receiving commands from the threat actor.

Figure 9. AsyncRAT malware

AsyncRAT has been constantly distributed with various file extensions and methods. Particular caution is advised for users because the type that is disguised as a normal book can not only be distributed via phishing emails but also shared on file-sharing websites.

[File Detection]
– Trojan/Script.Agent.SC200228 (2024.06.25.00)
– Trojan/BAT.Agent.SC200230 (2024.06.25.00)
– Trojan/VBS.Agent.SC200225 (2024.06.25.00)
– Trojan/BAT.Agent.SC200226 (2024.06.25.00)
– Malware/Win.Generic.C5643757 (2024.06.23.03)


– dea45ddf6c0ae0f9f3fde1bfd53bc34f (VideoVLC_subtitles.exe)
– b8d16e9a76e9f77975a14bf4e03ac1ff (RM.TXT)
– 50005f22608e93dff1d9ed18f6be95d3 (Business Secrets from the Bible – Rabbi Daniel Lapin.LNK)
– 1ada2c6796a3486b79c5eb47fce9b19c (worldofprocure.rar)
– 21714b248ab9ca42097a7834251a7452 (NTUSER.vbs{428f9636-1254-e23e3-ada2-03427pie22}.TM.vbs)

C&C Server
– stevenhead.ddns[.]net

Download URL
– hxxps://worldofprocure[.]com/worldofprocure.rar

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Distribution of AsyncRAT Disguised as Ebook appeared first on ASEC BLOG.

Article Link: Distribution of AsyncRAT Disguised as Ebook - ASEC BLOG