Impact: Fully control the victim's computer

A couple of phishing campaigns that recently caught FortiGuard Labs' attention were found sending phishing emails with attached malicious Microsoft OneNote files to spread the AsyncRAT malware.

As a cybersecurity researcher, I conducted an in-depth analysis of these phishing campaigns, tracing the entire process from the initial phishing email to the final deployment of AsyncRAT, which gains complete control of the victim's device. In this analysis, you will learn about the contents of this attack, such as what kind of phishing email starts the campaign, how a malicious Microsoft OneNote file is involved in the campaign, how it is leveraged to download and execute malicious files on the victim's device, the kinds of techniques that enable it to evade detection and analysis, and how the malware – AsyncRAT – communicates with its C2 server, including what control commands it supports to fully control the victim's device.

The following flowchart roughly describes the entire process of how the phishing campaign delivers and executes AsyncRAT:

Figure 2.5 shows a screenshot of the process tree, which explains the workflow from opening the OneNote file to running fresh.bat and to executing the PowerShell code. It also shows the relationship between relevant processes.

The .Net PE file (origin name “tmp72AF.tmp”) is a malware loader program. It decrypts two executable modules from its

In the Main() function, the malware calls the APIs CheckRemoteDebuggerPresent() and IsDebuggerPresent() to check if it is running in a debugger. It then checks the value of that assessment in Debugger.IsAttached. If either of them is “true”, the program exits immediately.

Windows provides a system module called “amsi.dll” (Antimalware Scan Interface) that has an export function called AmsiScanBuffer(). This can scan a data buffer for malware or malicious content.
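As an added static-triage example (not code from the FortiGuard write-up or from the sample itself), the following Python script scans a binary for the debugger-detection and AMSI names the loader is described as using, so an analyst can flag these capabilities before running a sample; the assumption that `Debugger.IsAttached` appears in .NET metadata as the getter `get_IsAttached`, and the embedded sample bytes, are constructed for illustration.

```python
import re

# Indicators tied to the behaviour described above. Each is searched as ASCII
# (how .NET metadata member names and P/Invoke import names are stored) and as
# UTF-16LE (how managed string literals are stored in the #US heap).
INDICATORS = {
    "anti-debug: IsDebuggerPresent": b"IsDebuggerPresent",
    "anti-debug: CheckRemoteDebuggerPresent": b"CheckRemoteDebuggerPresent",
    # assumption: the Debugger.IsAttached property compiles to a call to get_IsAttached
    "anti-debug: Debugger.IsAttached": b"get_IsAttached",
    "amsi: AmsiScanBuffer": b"AmsiScanBuffer",
    "amsi: amsi.dll": b"amsi.dll",
}

def utf16le(ascii_bytes: bytes) -> bytes:
    return ascii_bytes.decode("ascii").encode("utf-16-le")

def find_indicators(data: bytes) -> dict:
    """Return {label: [offset, ...]} for every indicator present in data."""
    hits = {}
    for label, needle in INDICATORS.items():
        offsets = []
        for pattern in (needle, utf16le(needle)):
            offsets += [m.start() for m in re.finditer(re.escape(pattern), data)]
        if offsets:
            hits[label] = sorted(offsets)
    return hits

def triage(data: bytes) -> list:
    """Summarise which anti-analysis capabilities the buffer references."""
    hits = find_indicators(data)
    findings = []
    if any(k.startswith("anti-debug") for k in hits):
        findings.append("debugger-detection APIs referenced: expect an early exit under a debugger")
    if any(k.startswith("amsi") for k in hits):
        findings.append("AMSI (amsi.dll / AmsiScanBuffer) referenced: check whether scanning is tampered with")
    return findings

# Constructed stand-in for a .NET loader (metadata-like name fragments), not a real sample.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
          + b"System.Diagnostics\x00Debugger\x00get_IsAttached\x00"
          + "amsi.dll".encode("utf-16-le") + b"\x00AmsiScanBuffer\x00")

if __name__ == "__main__":
    for label, offs in find_indicators(SAMPLE).items():
        print(f"{label:40s} at {[hex(o) for o in offs]}")
    print(*triage(SAMPLE), sep="\n")
```

To run it against a real file, read its bytes and pass them to `find_indicators()` and `triage()`; the labels are a triage hint, not a verdict, since legitimate software also references these APIs.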