{"id":7011,"date":"2021-09-28T18:04:10","date_gmt":"2021-09-29T01:04:10","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7011"},"modified":"2024-08-07T12:19:03","modified_gmt":"2024-08-07T19:19:03","slug":"fake-delivery-emails-deliver-asyncrat","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/fake-delivery-emails-deliver-asyncrat\/","title":{"rendered":"Fake Delivery Emails Deliver AsyncRAT"},"content":{"rendered":"

Author: Avinash Shende<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

On 24 September, Infoblox observed a malicious email campaign distributing the remote access trojan (RAT) AsyncRAT, which has also been used in ongoing cyberattacks on the aviation industry.1 AsyncRAT is being propagated via a weaponized executable attached to emails made to appear to be coming from DHL.<\/p>\n

AsyncRAT, also known as RevengeRAT, is designed to remotely monitor and control an infected computer through a secure, encrypted connection. It can be dropped by other malware, downloaded, or received as an email attachment.<\/p>\n

2. Customer impact<\/h3>\n

Cyber criminals use AsyncRAT to log keystrokes, install ransomware and trojans, monitor an infected machine and manage its files, and steal sensitive personal and financial information. AsyncRAT is powerful enough to steal a victim\u2019s identity and cause financial loss.<\/p>\n

3. Campaign analysis<\/h3>\n

Emails in this campaign are designed to appear to come from support@dhl[.]com,<\/em> have no body, and contain an attachment: a RAR file called Consignment Documents.rar<\/em>. The From name in the emails is DHL EXPRESS<\/em>, and the subject line is Consignment Notification: You Have A Package With Us<\/em>.<\/p>\n

4. Attack chain<\/h3>\n

Upon execution, AsyncRAT tries to detect sandboxes and other dynamic analysis tools on a victim\u2019s machine. It then drops tgrwreswfky.dll<\/em>, a malicious DLL file used to modify and delete registry keys, to c:\\Users\\user\\AppData\\Local\\Temp\\nst613E.tmp\\<\/em>. It then creates a new process and injects itself into the process running in memory. The new process then tries to establish communication with its command and control (C&C) server and requests further instructions from the threat actor.<\/p>\n

 <\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

5. Vulnerabilities and mitigation<\/h3>\n

Infoblox recommends the following actions for reducing the risk of infection by AsyncRAT:<\/p>\n