Cyble Research and Intelligence Labs (CRIL) has uncovered a stealthy campaign that uses malicious LNK files disguised as seemingly innocent wallpapers to deliver AsyncRAT—an infamous remote access trojan (RAT).
This attack chain is designed to exploit various vulnerabilities, utilizing sophisticated techniques to evade detection and achieve persistence on the victim’s system. With advanced evasion methods like Null-AMSI, this campaign has the potential to bypass traditional security measures, posing a cyber risk to users worldwide.
Overview of the AsyncRAT Campaign
Cyble Research and Intelligence Labs have traced the origins of this campaign to a Portuguese-speaking threat actor. Evidence in the form of comments and error messages within the malicious scripts indicates that the attackers are likely native to a Portuguese-speaking region, potentially leveraging this to avoid detection or forensic analysis.
The campaign’s infection method is deceptively simple: attackers exploit the victim’s interests by offering a wallpaper featuring popular characters like Sasuke Uchiha from Naruto—or other anime characters like Itachi Uchiha—through a malicious LNK shortcut. These LNK files, once executed, unleash a multi-stage malware attack, eventually deploying AsyncRAT for remote control of the victim’s machine.
Upon activation, the LNK file runs an obfuscated PowerShell script that connects to external servers to retrieve additional malicious payloads. These payloads execute directly in memory, ensuring that they don’t leave traces on the disk, making it harder for antivirus software to detect them. The payloads downloaded by these scripts are encrypted and compressed, further hindering security researchers from analyzing them.
The Role of Null-AMSI
One of the most concerning aspects of this campaign is the use of Null-AMSI, an open-source tool that allows the attackers to bypass the AMSI—an important security feature built into Windows to detect and block malicious scripts. Null-AMSI enables malware to evade detection by disabling AMSI and ETW. This tool is critical for the attackers as it ensures their payloads can execute without triggering security alerts.
Using techniques such as reflection and native .NET functions, Null-AMSI manipulates memory in real-time to bypass AMSI protections. The attackers exploit these memory manipulations to patch key system functions, thus avoiding detection and allowing their malware to run freely in the background without being flagged by security software.
Infection Chain and Payload Delivery
The infection chain begins when the victim unknowingly executes the malicious LNK file, often disguised as a sasuke wallpaper.lnk. This file executes an obfuscated PowerShell script via the command line, which fetches a secondary payload from an external URL and executes it directly in memory. This initial payload is an important step in the infection chain, as it retrieves more files, including batch scripts responsible for ensuring the malware’s persistence.
Once the malware payload is downloaded, it further obfuscates its actions by employing AES encryption and GZIP compression. This makes it extremely difficult for security solutions to detect the malware before it is executed. Upon successful decryption and decompression, the final stage of the malware deployment involves the AsyncRAT payload, which is responsible for giving the attacker full remote control over the compromised system.
Technical Deep Dive
The attacker’s use of AsyncRAT is crucial to the campaign’s success. AsyncRAT allows the threat actor to steal sensitive data, install additional malware, and execute arbitrary commands on the victim’s machine. The final payload is carefully hidden within encrypted files, such as a sasuke wallpaper, which serves as the lure to distract the victim. The wallpaper file contains hidden Base64-encoded malicious content that activates in the background, ultimately delivering the AsyncRAT payload.
The output.bat file is a particularly important part of this attack. It is highly obfuscated and contains Base64-encoded PowerShell code that, when executed, retrieves another PowerShell script designed to bypass AMSI and ETW. This step is crucial in ensuring that the attack is not detected by traditional security tools.
Once the malware executes, it alters the system’s memory protections and patches key system functions, effectively disabling the AMSI and ETW. This ensures that the malicious activity remains hidden from security programs, allowing the attackers to maintain control over the system.
Reflection Loading and Persistence
The final step in the infection chain involves reflection loading, a technique where the malware executes code directly within PowerShell memory. This allows the attackers to inject malicious code into memory without writing it to disk, making detection even more difficult. The AsyncRAT loader ensures persistence by copying itself to the startup folder, ensuring that it runs every time the system starts.
Once the AsyncRAT payload is loaded, it establishes control over the victim’s system, allowing the attacker to remotely control the machine, steal data, install additional malware, or launch further attacks.
Bypassing Traditional Security Measures
The campaign’s use of Null-AMSI and other advanced techniques demonstrates a growing trend in the cyber threat landscape: attackers are increasingly leveraging sophisticated tools to bypass traditional security measures. By exploiting vulnerabilities in PowerShell, AMSI, and ETW, the attackers are able to stealthily deploy AsyncRAT without triggering any security alerts.
The encryption and compression techniques further complicate the analysis, as the malicious payloads are hidden until they are decrypted and executed dynamically. This makes it difficult for security tools to catch the attack before it is fully deployed.
Conclusion
This campaign highlights the growing sophistication of cyberattacks, where advanced evasion techniques, like Null-AMSI, allow attackers to bypass traditional security and stealthily execute malware like AsyncRAT.
To protect against these threats, users should avoid downloading files or clicking links from untrusted sources. Antivirus and endpoint solutions must detect AMSI bypass techniques, and PowerShell policies should restrict unauthorized scripts. Regular network monitoring and timely system updates are essential for patching vulnerabilities.
Organizations should also educate users about phishing, social engineering, and safe browsing to reduce the risk of such attacks. Cyble, a leader in AI-powered cybersecurity, provides advanced threat intelligence through its Cyble Vision platform. This enables real-time monitoring and proactive defense, helping organizations stay protected from cyber threats.
