In recent months, the Blackpoint security operations center (SOC) team has observed an uptick in malware delivered inside ISO files. These disk images carry malicious executables, and because the payload sits inside the image container rather than on disk as a loose file, it is frequently not inspected by conventional antivirus (AV) solutions until the image is mounted and the contents are executed.
Most notably, the SOC uncovered an ISO file containing malware that abused AutoIt3, a free and legitimate scripting tool, as its execution engine. The AutoIt script carried out a series of actions, culminating in the installation of a known remote access tool (RAT), Arechclient2.
Since then, the Adversary Pursuit Group (APG) has traced the RAT's execution chain from initial access through to command and control (C2). Because both the tool and the techniques were heavily obfuscated, the APG is releasing this report with a complete breakdown of the chain, including indicators of compromise (IOCs), to help our partners and colleagues detect this activity.
Adversaries continue to refine their methods for bypassing AV, so the ability to detect and respond to this kind of tradecraft is crucial. We advise all businesses to ensure they have a security solution with visibility into file formats and behaviors, such as mounted disk images and script interpreters executing from them, that fall outside the scope of signature-based AV.