Threat Watch

Hackers Using New Evasive Technique to Deliver AsyncRAT Malware

A malware campaign believed to have been started in September of 2021 has been observed using a new delivery technique to deliver the AsyncRAT trojan. AsyncRAT is a well-known Remote Access Trojan that is open source and used by various threat actors to control infected systems.

The malware campaign is initially being delivered through a simple phishing email tactic that contains an HTML attachment. When a user opens the HTML attachment, they are redirected to a web page that prompts them to save an ISO file. However, unlike other attacks where the next stage malware is hosted on a phishing domain, the HTML file uses JavaScript to create the ISO file locally from a Base64-encoded string located in the HTML itself. This makes it so the malware does not need to make any network connections to download the next payload, allowing it to evade layers of network-based controls.

Once the ISO file has been downloaded and executed, it will mount as a DVD drive on the Windows host and contains either a BAT or VBS file. Once this file is executed, the next stage is retrieved via a PowerShell command execution. From there, the AsyncRAT payload is retrieved and executed in memory, along with ancillary files that set up Windows Defender exclusions and check for any anti-virus (AV) solutions present on the machine.


Since the initial infection vector is from an HTML attachment in a phishing email, having appropriate email security controls, such as AV scanning and attachment sandboxing, can help prevent malicious emails from reaching end users’ mailboxes. Proper end user training can also help users be able to identify and remove phishing emails that do end up making it to their mailbox. While the ISO file stage of the malware does not make any network connections, other stages, such as the PowerShell stage, do callout to a domain. Due to this, having proper network-based security controls in place can still help prevent this malware from infecting a system by stopping the infection farther down the chain. Likewise, proper endpoint logging and monitoring can help detect the infection chain used by this campaign, due to its use of commonly abused processes and abnormal process chains. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection and monitoring needs.