The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel The pixel

Async Attack Observed in Obfuscated Email Attachment

In March, the Cerium SOC team detected and prevented a multi-stage ASync RAT infection. The attack originated from a malicious PDF file attached to an email from “no-reply@ctn-slngs[.]com”. The victim clicked on a link embedded in the PDF file, which triggered a PowerShell script. The script reached out to “hxxp://45[.]154[.]98[.]24:222/q[.]jpg”, a self-extracting, compressed file hidden as a picture.

After some extensive investigation into the source and performing forensic analysis on the malicious attachment, the SOC discovered the URL and binary is associated with Async RAT, a type of Remote Access Trojan (RAT) that uses secure encrypted connections to remotely control and check computers. Alongside these capabilities, it also incorporates features such as keylogging and remote desktop control, posing potential harm to the victim’s system. Delivery methods for this RAT include spear phishing, malvertising, and exploit kits.

The attacker obfuscated the malicious link and loader in a way that bypassed the client’s email security. Thankfully, our client’s endpoint security stopped the PowerShell Script from calling the download of the ASync payload and alerted the SIEM. Within less than an hour, Cerium SOC responded to the alert, analyzed the email and attachment for added threat intelligence, and escalated the incident to the client.

Our client quickly isolated the user and device, and eradicated malicious email from the rest of the mail server. They also blacklisted the attacker email and payload address. More investigations concluded that the SOC team successfully stopped the attack before infection occurred, and no client data was compromised in the incident.

Recent Posts

PuTTY SSH Client Flaw

CVE-2024-31497 is a vulnerability in PuTTY versions 0.68 through 0.80. PuTTY is a popular open-source terminal emulator, serial console, and network file transfer application that

Read More »


“Darcula” represents a new breed of Phishing-as-a-Service (PaaS) posing a serious threat to both Apple and Android users. This sophisticated attack leverages encrypted text messages

Read More »
For Emergency Support call: (877) 423-7486
For other support requests or to access your Cerium 1463° portal click here
Stay in the Know

Stay in the Know

Don't miss out on critical security advisories, industry news, and technology insights from our experts. Sign up today!

You have Successfully Subscribed!