Hackers have been targeting major US infrastructure management companies with remote access Trojans for almost a year, new research shows.
Cybersecurity researchers at AT&T's Alien Labs discovered a “spike in phishing emails targeting specific individuals at certain companies.”
After further inspection, the researchers determined that the attackers intended to deploy AsyncRAT, an open-source remote access tool for Windows that has been in circulation since 2019.
Unknown attackers
“The victims and their companies are carefully selected to increase the impact of the campaign. Some of the identified targets operate key infrastructure in the US,” the researchers said.
When installed on the target endpoint, AsyncRAT provides the attackers with a wide range of features, including remote command execution, keylogging, data exfiltration, and malware deployment.
Over the past eleven months, the hackers have used more than 100 domains to distribute phishing emails carrying a GIF attachment. This attachment leads to an SVG file that downloads obfuscated JavaScript and PowerShell scripts. More than 300 unique loader samples were identified in the same time frame, each with minor changes to code structure, obfuscation, variable names and values.
Additionally, the attackers used a domain generation algorithm (DGA) to generate a new C2 domain every Sunday. The domains follow a specific structure, the researchers explain: they use the “top” TLD, consist of eight random characters, are registered through Nicenic.net, list South Africa as the registrant country code, and are all hosted on DigitalOcean.
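A defender-side check built from the domain pattern described above, added here as an example and not part of the original report or the researchers' tooling: it scans constructed DNS query log lines for eight-character names under the .top TLD, records when each was first seen and by which clients, and counts how many first appeared on a Sunday, matching the weekly cadence reported. The log format, the sample names and the exact character class of the regex are assumptions.

```python
import re
from datetime import datetime

# Assumed shape of the DGA output: eight lowercase alphanumerics under .top.
DGA_PATTERN = re.compile(r"^(?P<label>[a-z0-9]{8})\.top$")

# Constructed sample DNS query log: timestamp, client IP, record type, queried name.
SAMPLE_DNS_LOG = """\
2023-10-01T03:12:44Z 10.0.5.23 A q7xk2mp9.top
2023-10-01T03:12:45Z 10.0.5.23 A updates.example.com
2023-10-03T11:40:02Z 10.0.5.23 A q7xk2mp9.top
2023-10-08T02:05:17Z 10.0.5.23 A z1b8wv4r.top
2023-10-08T09:15:00Z 10.0.7.9 A mail.example.com
2023-10-15T01:59:31Z 10.0.5.23 A k4n0sd8t.top
2023-10-15T01:59:40Z 10.0.5.23 A shop.top
"""


def parse_dns_log(text):
    """Yield (timestamp, client, queried name) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[3].lower().rstrip(".")


def find_dga_candidates(text):
    """Return {name: {"first_seen": datetime, "clients": set}} for matching names."""
    hits = {}
    for ts, client, name in parse_dns_log(text):
        if not DGA_PATTERN.match(name):
            continue
        entry = hits.setdefault(name, {"first_seen": ts, "clients": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["clients"].add(client)
    return hits


def sunday_first_seen_count(hits):
    """Count flagged names first observed on a Sunday (weekday() == 6)."""
    return sum(1 for e in hits.values() if e["first_seen"].weekday() == 6)


if __name__ == "__main__":
    found = find_dga_candidates(SAMPLE_DNS_LOG)
    for name, entry in sorted(found.items(), key=lambda kv: kv[1]["first_seen"]):
        print(name, entry["first_seen"].date(), sorted(entry["clients"]))
    print("first seen on a Sunday:", sunday_first_seen_count(found), "of", len(found))
```

Short, generic .top names such as shop.top are not flagged; the pattern is deliberately narrow, so treat a hit as a lead to correlate with the weekly cadence and the hosting details, not as proof on its own.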
However, the investigators could not determine the identity of the attackers, who, the researchers said, “value discretion”. The hackers apparently put considerable effort into obscuring the malware samples.
While infrastructure companies are always a high-value target regardless of the attackers' motives, researchers believe these threat actors wanted to use them to increase the impact of their campaign.
Via BleepingComputer