Full Report
Cyble Research and Intelligence Labs (CRIL) has uncovered a stealthy campaign that uses malicious LNK files disguised as wallpapers to deliver AsyncRAT, a widely abused remote access trojan (RAT). The chain does not exploit a software vulnerability: it relies on social engineering to get the shortcut opened and then on built-in Windows tooling (PowerShell and .NET) to stage the rest of the attack in memory and persist on the victim's system. With evasion methods such as Null-AMSI, the campaign can slip past script-scanning defences, posing a risk to users worldwide.

Overview of the AsyncRAT Campaign

CRIL traced the campaign to a Portuguese-speaking threat actor. Comments and error messages inside the malicious scripts are written in Portuguese, which points to an operator from a Portuguese-speaking region.

Figure: Infection chain (Source: Cyble)

The infection method is deceptively simple: the attackers play on the victim's interests by offering a wallpaper of popular anime characters, such as Sasuke Uchiha or Itachi Uchiha from Naruto, as a malicious LNK shortcut. Once executed, the shortcut starts a multi-stage chain that ends with AsyncRAT giving the operator remote control of the machine.

On activation, the LNK file runs an obfuscated PowerShell command that contacts external servers to retrieve further payloads. Those payloads execute directly in memory, so they leave few traces on disk and are harder for file-scanning antivirus to catch. The downloaded stages are additionally encrypted and compressed, which slows analysis.
The Role of Null-AMSI

Figure: Malicious LNK file (Source: Cyble)

One of the most concerning aspects of this campaign is its use of Null-AMSI, an open-source tool that bypasses the Antimalware Scan Interface (AMSI), the Windows component that hands script content (PowerShell, VBScript, JScript, and .NET assemblies loaded in memory) to the installed antivirus for inspection before it runs. Null-AMSI neutralises both AMSI and Event Tracing for Windows (ETW) inside the PowerShell process, so the later payloads are neither scanned nor logged through the usual telemetry channels. It does this with .NET reflection and native Windows functions: it resolves the scanning and event-writing routines in memory, changes the page protection of that memory, and overwrites the function entry so that the call returns without doing its job. Because the patch lives only in the memory of the running process, nothing on disk changes, and the malware can run in the background without being flagged by security software that depends on those interfaces.

Infection Chain and Payload Delivery

Figure: Lure Image (Source: Cyble)

The chain begins when the victim runs the malicious LNK file, named along the lines of sasuke wallpaper.lnk. The shortcut's target is a command line that launches an obfuscated PowerShell script, which fetches a second-stage payload from an external URL and executes it in memory. This first stage is the pivot of the infection: it retrieves further files, including batch scripts responsible for the malware's persistence.

Figure: Lure Image 2 (Source: Cyble)

The downloaded payload is wrapped in AES encryption and GZIP compression. Until the script decrypts and decompresses it at run time, there is nothing recognisable for a file scanner to match, which is why in-memory and behavioural detection matter here.
Once decryption and decompression succeed, the final stage is the AsyncRAT payload, which gives the attacker full remote control of the compromised system.

Technical Deep Dive

AsyncRAT is central to the campaign: it lets the operator steal sensitive data, install additional malware and execute arbitrary commands on the victim's machine. The final payload is hidden inside encrypted files presented as a sasuke wallpaper, the lure the victim expects to see. That wallpaper file carries hidden Base64-encoded content that is decoded in the background and ultimately delivers AsyncRAT.

The output.bat file is a key link in the chain. It is heavily obfuscated and contains Base64-encoded PowerShell that, when executed, retrieves another PowerShell script whose job is to bypass AMSI and ETW. This step keeps the rest of the chain out of sight of script-scanning tools: the script changes the memory protection of the relevant pages and patches the functions AMSI and ETW depend on, so later stages are neither scanned nor logged.

Reflection Loading and Persistence

The last step uses reflective loading: the decrypted .NET assembly is loaded into the PowerShell process via reflection and executed from memory, so no executable is written to disk. The AsyncRAT loader gains persistence by copying itself to the Startup folder, which makes it run at every logon. Once AsyncRAT is running, it connects back to the operator, who can then control the machine, steal data, deploy further malware or launch additional attacks.
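The stages described above are wrapped in layers an analyst has to peel off by hand: Base64 given to PowerShell's -EncodedCommand (which is UTF-16LE text), Base64 literals handed to FromBase64String, and GZIP inside those. The following triage helper is an added example, not code from Cyble or from the campaign; it unwraps those layers and recovers each plain-text stage without running anything. The batch file it feeds itself is constructed here to mirror the output.bat shape; the AES layer is deliberately not handled, because its key has to be recovered from the script that performs the decryption.

```python
"""
Static unwrapper for staged PowerShell loaders (added example, not Cyble's code).
Handles: -EncodedCommand (Base64 of UTF-16LE), FromBase64String literals, GZIP.
Does not handle the AES layer: that needs the key from the decrypting script.
"""
import base64
import gzip
import re
from typing import List, Optional, Tuple

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENC_FLAG_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# Base64 literals handed to [Convert]::FromBase64String inside a script.
B64_LITERAL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.IGNORECASE)
B64_BODY_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
GZIP_MAGIC = b"\x1f\x8b"


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as Base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def unwrap_layer(data: bytes) -> Optional[Tuple[str, bytes]]:
    """Peel one wrapping layer off `data`; return (layer, inner) or None if it is plain."""
    if data.startswith(GZIP_MAGIC):
        return "gzip", gzip.decompress(data)
    # UTF-16LE ASCII text has a NUL in every second position.
    if len(data) >= 4 and data[0] != 0 and data[1] == 0 and data[3] == 0:
        return "utf-16le", data.decode("utf-16-le").encode("utf-8")
    body = data.strip()
    if len(body) >= 16 and len(body) % 4 == 0 and B64_BODY_RE.fullmatch(body):
        try:
            return "base64", base64.b64decode(body, validate=True)
        except ValueError:
            return None
    return None


def unwrap_stage(blob: bytes, max_layers: int = 8) -> List[Tuple[str, bytes]]:
    """Unwrap repeatedly until nothing more comes off; max_layers bounds nested-compression bombs."""
    layers: List[Tuple[str, bytes]] = []
    current = blob
    for _ in range(max_layers):
        step = unwrap_layer(current)
        if step is None:
            break
        layers.append(step)
        current = step[1]
    return layers


def extract_embedded_stages(text: str) -> List[str]:
    """Base64 blobs passed to -EncodedCommand or FromBase64String in a batch/PS1 stage."""
    return ENC_FLAG_RE.findall(text) + B64_LITERAL_RE.findall(text)


def triage(stage: bytes) -> List[str]:
    """Walk the chain breadth-first; return every plain-text script recovered, in discovery order.
    Blobs that decode to binary (a .NET assembly, or AES ciphertext) are left for manual work."""
    scripts: List[str] = []
    queue = [stage]
    seen = set()
    while queue:
        current = queue.pop(0)
        layers = unwrap_stage(current)
        plain = layers[-1][1] if layers else current
        try:
            text = plain.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if text in seen:
            continue
        seen.add(text)
        scripts.append(text)
        queue.extend(b.encode() for b in extract_embedded_stages(text))
    return scripts


# --- constructed sample: batch -> -enc PowerShell -> Base64+GZIP -> inner script ---
INNER_SCRIPT = "$asm=[Reflection.Assembly]::Load($bytes);$asm.EntryPoint.Invoke($null,$null)"


def build_sample_batch() -> str:
    """Build a harmless batch file with the same layering as the article's output.bat."""
    gz_b64 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
    stage2 = (
        "$d=[Convert]::FromBase64String('" + gz_b64 + "');"
        "$s=New-Object IO.Compression.GZipStream([IO.MemoryStream]$d,"
        "[IO.Compression.CompressionMode]::Decompress);"
        "IEX ([IO.StreamReader]$s).ReadToEnd()"
    )
    enc = base64.b64encode(stage2.encode("utf-16-le")).decode()
    return "@echo off\r\npowershell -nop -w hidden -enc " + enc + "\r\n"


if __name__ == "__main__":
    for i, script in enumerate(triage(build_sample_batch().encode())):
        print(f"--- stage {i} ---\n{script}\n")
```

Run it on a real output.bat by passing the file's bytes to triage(); a stage that stops at a binary blob is either the .NET assembly (check for an MZ header) or the AES-wrapped payload, and the key and IV for the latter are usually sitting in plain sight in the stage that was just recovered.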
Bypassing Traditional Security Measures

The campaign's use of Null-AMSI and related tricks reflects a broader trend: attackers increasingly rely on publicly available tooling to blunt the defences built into Windows. No vulnerability in PowerShell, AMSI or ETW is exploited; the scripts run with the user's own privileges and simply patch those interfaces inside the process they control, so AsyncRAT is deployed without triggering alerts from tools that depend on them. The encryption and compression add a second obstacle, since the payloads only become recognisable once they are decrypted and executed dynamically, which leaves file-based scanners little to match before the attack is fully deployed.

Conclusion

This campaign shows how evasion techniques such as Null-AMSI let attackers bypass conventional security controls and stealthily execute malware like AsyncRAT. Users should avoid downloading files or clicking links from untrusted sources, and should be wary of shortcut (.lnk) files that pose as images. Antivirus and endpoint products need to detect AMSI and ETW tampering rather than rely on AMSI alone, and PowerShell should be constrained (execution policy, Constrained Language Mode, Script Block Logging) so that unauthorised scripts are blocked or at least recorded. Regular network monitoring and timely updates remain essential, and organisations should keep educating users about phishing, social engineering and safe browsing.

Cyble, a leader in AI-powered cybersecurity, provides threat intelligence through its Cyble Vision platform, enabling real-time monitoring and proactive defence.
Analysis Summary
# Tool/Technique: AsyncRAT
## Overview
AsyncRAT is an open-source .NET Remote Access Trojan (RAT) used by many threat actors to gain remote control over compromised systems. In this campaign it is delivered through a wallpaper-themed LNK shortcut and a chain of obfuscated PowerShell stages, with the Null-AMSI bypass disabling AMSI and ETW in the host process so that the final payload is loaded into memory without being scanned.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (the chain depends on LNK shortcuts, PowerShell, .NET reflection and AMSI).
- Capabilities: Remote control, file operations, process management, data exfiltration, and evasion of security mechanisms.
- First Seen: Not specified in the article, which is dated February 21, 2025.
## MITRE ATT&CK Mapping
The article describes the delivery and execution chain and its evasion steps, which map to:
- **TA0002 - Execution**
- **T1204.002 - User Execution: Malicious File** (victim opens the wallpaper-themed LNK)
- **T1059.001 - Command and Scripting Interpreter: PowerShell** (obfuscated PowerShell stages)
- **T1105 - Ingress Tool Transfer** (stages fetched from external URLs)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (obfuscated scripts; AES-encrypted, GZIP-compressed payloads)
- **T1036 - Masquerading** (shortcut disguised as a wallpaper)
- **T1562.001 - Impair Defenses: Disable or Modify Tools** (AMSI and ETW patched in memory by Null-AMSI)
- **T1620 - Reflective Code Loading** (final assembly loaded in PowerShell memory, never written to disk)
- **TA0003 - Persistence**
- **T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder** (loader copied to the Startup folder)
- **TA0011 - Command and Control**
- (implied by the RAT's remote-control function; C2 details are not given in the article)
## Functionality
### Core Capabilities
- Establishing remote access to the victim's machine.
- Executing commands remotely.
- Stealthy deployment: every stage runs in memory after AMSI and ETW have been disabled in the host PowerShell process.
### Advanced Features
- Payload wrapped in AES encryption and GZIP compression, so nothing recognisable exists on disk or on the wire until the loader unwraps it at run time.
- Delivered through obfuscated PowerShell with an AMSI/ETW bypass (Null-AMSI) applied first, so the loader and the decrypted assembly are neither scanned nor logged.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: sasuke wallpaper.lnk (lure shortcut); output.bat (obfuscated batch stage carrying Base64-encoded PowerShell)
- Registry Keys: [None reported; persistence uses the Startup folder rather than the registry]
- Network Indicators: [Not provided in the article; stages are fetched from external URLs and C2 details are withheld]
- Behavioral Indicators:
- An LNK shortcut whose target launches an obfuscated PowerShell command line.
- PowerShell that patches AMSI and ETW in memory (reflection plus native memory-protection calls).
- Base64, GZIP and AES layers decoded and executed in memory; a .NET assembly loaded via reflection.
- The loader copying itself into the user's Startup folder.
## Associated Threat Actors
- Attributed by Cyble to a Portuguese-speaking threat actor, based on Portuguese comments and error messages in the scripts; no named group.
## Detection Methods
- **Signature-based detection:** Weak against the payload, which is obfuscated and only decrypted in memory; known AMSI-bypass strings in script blocks are commonly signatured, which is exactly why the actor splits and encodes them.
- **Behavioral detection:** Look for the sequence in PowerShell telemetry: a download cradle, Base64/GZIP decode-and-invoke, reflection or VirtualProtect calls aimed at amsi.dll or ntdll exports, a reflective Assembly.Load, and a write into the Startup folder. Script Block Logging (Event ID 4104) records the bypass block before it runs, so alert on the bypass itself rather than on what follows it.
- **YARA rules:** [Not provided in the article]
## Mitigation Strategies
- **Prevention measures:** Avoid downloading files or clicking links from untrusted sources.
- **Hardening recommendations:**
- Deploy antivirus and endpoint solutions that detect AMSI and ETW tampering and in-memory loading, rather than relying on AMSI alone.
- Restrict unauthorised script execution with PowerShell policies (execution policy, Constrained Language Mode, application control such as AppLocker or WDAC) and enable Script Block Logging.
- Conduct regular network monitoring for download cradles and RAT beaconing.
- Keep systems and endpoint products updated; note that this chain exploits no software vulnerability, so patching alone does not stop it.
- Educate users about phishing, social engineering, and safe browsing practices.
## Related Tools/Techniques
- **Null-AMSI:** The open-source tool used here to patch AMSI and ETW out of the PowerShell process before the payload is loaded.
- **PowerShell abuse (T1059.001):** The primary execution vector; each stage is an obfuscated PowerShell script run from a shortcut or batch file.
***
# Tool/Technique: Null-AMSI Bypass
## Overview
Null-AMSI is an open-source tool, and by extension the technique it implements, for disabling the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) from inside a PowerShell process. With both patched, attackers can decode and execute obfuscated or encrypted content (here, the AsyncRAT loader and payload) without it being scanned by the AMSI-integrated antivirus or logged through PowerShell's ETW provider.
## Technical Details
- Type: Technique/Evasion Method
- Platform: Primarily Windows operating systems utilizing the native PowerShell engine.
- Capabilities: Disabling or neutralizing AMSI scanning capabilities at runtime, allowing malicious scripts to execute unimpeded.
- First Seen: Not specified in the article; in-memory AMSI patching has been public for years, and the article frames its use in malware campaigns as a growing trend.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- **T1562.001 - Impair Defenses: Disable or Modify Tools** (AMSI scanning patched out of the PowerShell process)
- **T1562.006 - Impair Defenses: Indicator Blocking** (ETW event writing patched so telemetry from the process stops)
- **T1027 - Obfuscated Files or Information** (the bypass script itself is obfuscated so AMSI does not flag it before the patch lands)
- **T1620 - Reflective Code Loading** (what the bypass makes possible: the decrypted payload is loaded into memory unscanned)
## Functionality
### Core Capabilities
- Patching the in-memory AMSI scanning routine (in practice the AmsiScanBuffer export of amsi.dll) in the current PowerShell process, so every later scan request returns without inspecting the buffer.
- Allowing scripts and assemblies that AMSI would otherwise flag to run in that process.
### Advanced Features
- Also patches the ETW event-writing routine, so PowerShell telemetry from the process stops. No vulnerability in PowerShell or ETW is exploited; the process rewrites its own memory using reflection and native memory-protection calls.
- Used in this campaign to load the AsyncRAT payload.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: [Not provided in the article]
- Registry Keys: [Not provided in the article]
- Network Indicators: [Not provided in the article]
- Behavioral Indicators:
- Script blocks that resolve amsi.dll or ntdll exports via reflection or P/Invoke and then call VirtualProtect and a Marshal copy/write on the returned address; strings such as AmsiScanBuffer, amsiInitFailed or EtwEventWrite, often split, backtick-escaped or encoded.
- A PowerShell process whose 4104/ETW telemetry stops abruptly right after such a block, followed by Base64/GZIP decoding and a reflective Assembly.Load.
## Associated Threat Actors
- The actor behind this campaign is not named; Cyble assesses them to be Portuguese-speaking from comments and error messages in the scripts.
## Detection Methods
- **Signature-based detection:** Catches known bypass one-liners only when they are left unobfuscated; the technique calls legitimate APIs, so the patch itself leaves no file to match.
- **Behavioral detection:** Match on the pattern rather than the strings: a PowerShell block that takes the address of an amsi.dll or ntdll export, changes its page protection and writes to it, or a process whose PowerShell/ETW telemetry goes silent immediately after such a block.
- **YARA rules:** [Not provided in the article]
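To make the behavioural detection above concrete, here is a scorer for PowerShell Script Block Logging records (Event ID 4104) that covers both Detection Methods sections on this page: AMSI/ETW patching through reflection and native calls, Base64 + GZIP decode-and-invoke, download cradles, reflective assembly loading and Startup-folder persistence. It is an added example, not Cyble's detection content or any vendor's rule set; the records and the rule weights are constructed for the example, and the AMSI-patch record deliberately omits the patch bytes and the P/Invoke type definition.

```python
"""
Scores 4104 script-block records against the behaviours in the article
(added example, not Cyble's rules). Normalises cheap string-splitting
obfuscation first, since 'Am'+'si' is how these strings usually arrive.
"""
import re
from typing import Dict, List

# (rule name, weight, pattern). Weights are illustrative assumptions.
RULES = [
    ("amsi_patch", 10, re.compile(r"AmsiScanBuffer|amsiInitFailed|AmsiUtils|amsi\.dll", re.I)),
    ("etw_patch", 10, re.compile(r"EtwEventWrite|EtwNotificationRegister", re.I)),
    ("memory_patch_primitive", 4,
     re.compile(r"VirtualProtect|GetProcAddress|Marshal\]::(Copy|WriteByte|WriteInt32|WriteInt64)", re.I)),
    ("reflective_load", 6, re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I)),
    ("decode_and_invoke", 7,
     re.compile(r"FromBase64String.*(GZipStream|Decompress).*\b(IEX|Invoke-Expression)\b", re.I | re.S)),
    ("download_cradle", 3,
     re.compile(r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer", re.I)),
    ("startup_persistence", 6, re.compile(r"GetFolderPath\(\s*['\"]?Startup|\\Start Menu\\Programs\\Startup", re.I)),
]
ALERT_THRESHOLD = 10


def normalize(script: str) -> str:
    """Undo string-splitting obfuscation so the rules see whole identifiers.
    Handles backtick escapes (Am`si), 'Am'+'si' concatenation and [char]N casts;
    -join and format-string tricks are out of scope here."""
    s = script.replace("`", "")
    s = re.sub(r"['\"]\s*\+\s*['\"]", "", s)
    s = re.sub(r"\[char\]\s*(\d+)",
               lambda m: chr(int(m.group(1))) if int(m.group(1)) < 0x110000 else m.group(0),
               s, flags=re.I)
    return s


def score_block(script: str) -> Dict[str, object]:
    """Return the rules a script block trips and their summed weight."""
    text = normalize(script)
    hits = [name for name, _, pat in RULES if pat.search(text)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return {"score": score, "rules": hits}


def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Score every 4104 record; return those at or above the alert threshold."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        result = score_block(str(ev["script"]))
        if result["score"] >= ALERT_THRESHOLD:
            alerts.append({"record": ev["record"], **result})
    return alerts


# Constructed 4104 records: two benign admin blocks and three stages shaped like the chain above.
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 4104,
     "script": "Get-ChildItem C:\\Logs -Recurse | Where-Object Length -gt 1MB | Remove-Item -Force"},
    {"record": 2, "event_id": 4104,
     "script": "Invoke-WebRequest -Uri https://updates.example.internal/agent.msi -OutFile C:\\Temp\\agent.msi"},
    {"record": 3, "event_id": 4104,  # first stage: download, Base64 + GZIP, invoke in memory
     "script": "$b=(New-Object Net.WebClient).DownloadString($u);$d=[Convert]::FromBase64String($b);"
               "$s=New-Object IO.Compression.GZipStream([IO.MemoryStream]$d,[IO.Compression.CompressionMode]::Decompress);"
               "IEX ([IO.StreamReader]$s).ReadToEnd()"},
    {"record": 4, "event_id": 4104,  # AMSI patch with split strings; $patch and the Win32 type are not defined here
     "script": "$p=[W`in32]::GetProcAddress([Win32]::LoadLibrary('am'+'si.dll'),'Amsi'+'Scan'+'Buffer');"
               "[Win32]::VirtualProtect($p,[uint32]5,0x40,[ref]$o);"
               "[Runtime.InteropServices.Marshal]::Copy($patch,0,$p,$patch.Length)"},
    {"record": 5, "event_id": 4104,  # loader: Startup-folder persistence, then reflective load
     "script": "Copy-Item $MyInvocation.MyCommand.Path ([Environment]::GetFolderPath('Startup'));"
               "[Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null,$null)"},
    {"record": 6, "event_id": 4103, "script": "not a script-block record; ignored"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Script Block Logging emits the 4104 record for a block when the block is compiled, before it runs, so the record for the bypass itself normally reaches the log even though later telemetry from that process is suppressed once ETW is patched; that is why the scorer weights the AMSI and ETW rules to alert on their own. Feed it real records by exporting the Microsoft-Windows-PowerShell/Operational log and passing each event's ScriptBlockText as the `script` field.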
## Mitigation Strategies
- **Prevention measures:** Keep operating systems and host security solutions patched, but treat that as hygiene rather than a fix: the technique exploits no vulnerability in PowerShell or ETW, so the controls below matter more.
- **Hardening recommendations:**
- Implement application control (AppLocker or WDAC) to limit unauthorised PowerShell execution; when enforced, it also drops PowerShell into Constrained Language Mode, which blocks the reflection and P/Invoke calls the bypass depends on.
- Enforce PowerShell logging policies (Module, Script Block, Transcription) and alert on the bypass block itself: it is logged before it executes, whereas post-bypass activity from that process may never be recorded once ETW is patched.
- Use endpoint solutions that monitor in-memory behaviour (protection changes and writes to amsi.dll/ntdll code pages, reflective assembly loads) rather than relying solely on AMSI hooks.
## Related Tools/Techniques
- **AsyncRAT:** The payload this campaign loads into memory once the bypass is in place.
- **PowerShell Abuse:** General techniques related to scripted execution on Windows.