Trojan:JS/AsyncRat!MSR

This JavaScript-based component functions as a sophisticated downloader and loader, initiating a sequence that ultimately deploys the fully featured AsyncRAT Remote Access Trojan (RAT), which is a .NET-based payload. Infection typically begins with a phishing email containing a malicious link or attachment. This leads to the delivery of an initial file, often an HTML Application (.HTA), a Windows Script File (.WSF), or an ISO image file. For example, one campaign involved an HTML file that extracted an ISO, which in turn contained a malicious WSF script. 

Once launched, the JavaScript file connects to a remote server to retrieve the next stage of the attack.  

This often involves downloading a PowerShell script from a Command and Control (C2) server, such as from the URL http://45[.]12.253[.]107[:]222/f[.]txt observed in one campaign. This PowerShell script then orchestrates the deployment of additional files into Windows directories like C:\ProgramData\xral\. A series of scripts including further PowerShell, VBScript, and Batch files, launching in sequence to decode, assemble, and inject the final AsyncRAT payload. To evade file-based detection, the final payload is often injected directly into the memory of a legitimate Windows process. Common targets for this process hollowing include RegSvcs.exe (the Microsoft .NET Services Installation Utility) and aspnet_compiler.exe.  

To maintain access, the malware establishes persistence on the compromised device. If executed with administrative privileges, it commonly creates a Windows Scheduled Task, for instance named cafee. Without admin rights, it will create a run entry in the Windows Registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The malware also employs several anti-analysis and evasion techniques. These include checking for virtual machine environments using WMI queries, looking for sandbox artifacts like SbieDll.dll, checking disk size, and verifying the presence of a debugger. 

The final AsyncRAT payload, once active, provides attackers with extensive control and surveillance capabilities. Its features include keylogging, recording keystrokes to files like log.tmp in the temporary directory; capturing audio and video from webcams; stealing credentials and data from web browsers; and full remote desktop control. The malware exfiltrates this stolen data over an encrypted channel to its C2 server. Observed C2 communications have involved IP addresses such as 45[.]12.253[.]107 on port 8808 and 43[.]138.160[.]55 on port 6606. Recent campaigns have also exploited legitimate infrastructure for payload delivery and C2 operations, including TryCloudflare tunnels and services like Paste[.]ee. Threat actors abuse these platforms to host subsequent malicious scripts, with observed URL patterns following structures like https://paste[.]ee/d/[a-z]/[A-Za-z0-9]+/0$.