Trojan:PowerShell/Asyncrat.KA!MTB

The Trojan:PowerShell/Asyncrat.KA!MTB runs a sophisticated multi-stage infection process designed to evade security detection. Initial compromise occurs when a user opens a malicious file, such as a deceptive HTML application or OneNote attachment distributed through phishing campaigns. This file contains or retrieves an obfuscated PowerShell script that functions as the primary downloader. This script communicates with a remote command-and-control server, using standard web protocols to obtain the next stage payload; documented examples show connections to IP addresses including 45[.]12.253[.]107 on port 8808. The downloaded payload contains the core AsyncRAT, a .NET binary that often carries a harmless-seeming filename. 

It employs multiple persistence mechanisms to survive Windows reboots. A common method involves the creation of a scheduled task through the schtasks.exe system utility, configured with a deceptive name such as "Skype Updater" to launch at user logon. When elevated privileges are absent, AsyncRATcreates an entry in the Windows Registry Run key, specifically HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, to ensure automatic payload launch. 

A fundamental evasion technique involves process injection to hide malicious activity. The final AsyncRAT payload does not run as a separate file but loads into the memory space of trusted Windows processes. Frequent injection targets include RegSvcs.exe (the Microsoft .NET Services Installation Utility) and aspnet_compiler.exe, allowing the malware to operate under the appearance of legitimate Microsoft-signed processes. The scripts incorporate advanced evasion methods that include attempts to deactivate security mechanisms such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). 

After successful deployment, the compromised process establishes an encrypted communication channel with its command-and-control infrastructure using AES encryption. Documented campaigns demonstrate connections to various endpoints, including IP addresses such as 45[.]141.215[.]40 on port 4782 and dynamic DNS domains including 3osch20[.]duckdns[.]org and kozow[.]com, which facilitate command runtime and data exfiltration.