New RAT malware evades detection using JavaScript code embedded in HTML receipt files instead of downloading an ISO file from remote servers

Cybersecurity specialists report the detection of a new phishing campaign that delivers the AsyncRAT Trojan hidden in an HTML attachment. This malware lets threat actors monitor affected systems and even control them remotely over an encrypted connection that victims cannot easily detect.

The infection starts with a simple email carrying an HTML attachment disguised as an order confirmation receipt, so targeted users usually see no reason to distrust the message. When the file is opened, the user is redirected to a web page that asks them to save an ISO file.

At this point the campaign differs from other phishing attacks: the malicious website does not host a malware payload at all. Instead it uses JavaScript to build the ISO file locally, in the browser, from a Base64-encoded string, mimicking a legitimate download.

Michael Dereviashkin, the researcher in charge of the report, points out that the ISO download is not served from a remote server but generated in the victim’s browser by JavaScript code embedded in the HTML file: “If the target user opens the ISO file, it is automatically mounted as a DVD drive on the Windows host and includes a .BAT or .VBS, which continues the chain of infection by recovering a malicious component through the execution of a PowerShell command,” says the expert.
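The technique described above, an ISO reconstructed inside the browser from an inline Base64 string rather than fetched from a server, is commonly called HTML smuggling. Below is an added detection example (not from the article or the researcher's report) that scans an HTML attachment for the three signals a defender would look for: decode-and-save browser APIs, a large inline Base64 literal that decodes cleanly, and whether the decoded blob carries the ISO 9660 signature or is saved under a .iso name. The sample attachment and its payload are constructed stand-ins, not the campaign's file.

```python
import base64
import binascii
import re

# Constructed sample attachment in the style the article describes (not the campaign's
# real file): the ISO is rebuilt in the browser from an inline Base64 string. The payload
# is a stand-in: zero filler plus the "CD001" magic a real ISO 9660 image has at 0x8001.
FAKE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64
SAMPLE_HTML = f"""<html><body><p>Thank you for your order. Your receipt is loading...</p>
<script>
var bytes = Uint8Array.from(atob("{base64.b64encode(FAKE_ISO).decode()}"), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "receipt.iso"; a.click();
</script></body></html>"""

# Browser APIs that HTML smuggling combines with a large inline Base64 literal.
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL", "msSaveOrOpenBlob", ".download")
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")
ISO_DOWNLOAD = re.compile(r"""download\s*=\s*["']?[^"'>\s]*\.iso""", re.IGNORECASE)

def decode_embedded_blobs(html: str) -> list[bytes]:
    """Return every large inline Base64 literal that decodes cleanly."""
    blobs = []
    for m in B64_LITERAL.finditer(html):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except binascii.Error:
            continue
    return blobs

def looks_like_iso(blob: bytes) -> bool:
    """ISO 9660 primary volume descriptor sits at sector 16: byte 0x01 then 'CD001'."""
    return len(blob) >= 0x8006 and blob[0x8001:0x8006] == b"CD001"

def analyze_html_attachment(html: str) -> dict:
    """Score an HTML attachment for the in-browser ISO smuggling pattern."""
    apis = [a for a in SMUGGLING_APIS if a in html]
    blobs = decode_embedded_blobs(html)
    iso_blobs = sum(1 for b in blobs if looks_like_iso(b))
    return {
        "smuggling_apis": apis,
        "embedded_blobs": len(blobs),
        "iso_blobs": iso_blobs,
        "iso_filename": bool(ISO_DOWNLOAD.search(html)),
        # A decodable inline blob plus decode-and-save APIs is the core signal; an ISO
        # signature or .iso filename raises confidence further.
        "suspicious": bool(blobs) and len(apis) >= 2,
    }
```

Running this over mail-gateway attachments is only a first-pass triage; obfuscated scripts can split the literal or rename the APIs, so the decoded blob (and any ISO mount on endpoints) should still be inspected.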

This process leads to the execution of an in-memory .NET module that then acts as a three-file dropper: the first file triggers the second, which in turn delivers AsyncRAT as the final payload and checks whether an antivirus solution is present on the affected system in order to set up exclusions.

Dereviashkin adds that malware such as AsyncRAT is typically used to establish a remote link between a threat actor and a target device, allowing attackers to steal information and surveil victims through their devices’ cameras and microphones, essentially making it a spying tool.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.