This sneaky malware has been attacking major US infrastructure for nearly a year

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Hackers have been targeting major US infrastructure management companies with remote access trojans for almost a year now, new research has claimed.

Cybersecurity researchers from AT&T’s Alien Labs discovered a "spike in phishing emails, targeting specific individuals in certain companies". 

After a closer inspection, the researchers determined that the attackers were looking to deploy AsyncRat, an open-source remote access tool for Windows that has been in circulation since 2019. 

Unidentified attackers

“The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the U.S,” the researchers said.

When installed on the target endpoint, AsyncRAT allows the attackers a wide variety of features, including remote command execution, keylogging, data exfiltration, and malware deployment. 

Over the course of the last 11 months, hackers have used more than 100 domains to distribute the phishing email that carries a GIF attachment. This attachment leads to an SVG file that downloads obfuscated JavaScript and PowerShell scripts. There were more than 300 unique samples of the loader identified in the same timeframe. Each version has minor changes in code structure, obfuscation, variable names, and values. 

Furthermore, the attackers used a domain generation algorithm (DGA) to generate a new C2 domain every Sunday. The domains follow a specific structure, the researchers explained. They are in the “top” TLD, use eight random characters, and are registered in Nicenic.net. They use South Africa for the country code, and are all hosted on DigitalOcean. 

The researchers could not determine the identity of the attackers though, as they “value discretion,” it was said. Apparently, the hackers made quite the effort to obfuscate the malware samples. 

While infrastructure firms are always a valuable target regardless of the attackers’ motives, the researchers believe these threat actors wanted to use them to broaden the impact of their campaign.

Via BleepingComputer

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.