<div id=”articlebody”>

Hackers have been targeting major US infrastructure management companies with remote access trojans for almost a year now, new research has claimed.

Cybersecurity researchers from AT&T’s Alien Labs discovered a “spike in phishing emails, targeting specific individuals in certain companies”. 

After a closer inspection, the researchers determined that the attackers were looking to deploy AsyncRat, an opensource remote access tool for Windows that has been in circulation since 2019. 

Unidentified attackers

“The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the U.S,” the researchers said.

When installed on the target endpoint, AsyncRAT allows the attackers a wide variety of features, including remote command execution, keylogging, data exfiltration, and malware deployment. 

Over the course of the last 11 months, hackers have used more than 100 domains to distribute the phishing email that carries a GIF attachment. This attachment leads to an SVG file that downloads obfuscated JavaScript and PowerShell scripts. There were more than 300 unique samples of the loader identified in the same timeframe. Each version has minor changes in code structure, obfuscation, variable names, and values. 

Furthermore, the attackers used a domain generation algorithm (DGA) to generate a new C2 domain every Sunday. The domains follow a specific structure, the researchers explained. They are in the “top” TLD, use eight random characters, and are registered in Nicenic.net. They use South Africa for the country code, and are all hosted on DigitalOcean. 

While infrastructure firms are always a valuable target regardless of the attackers’ motives, the researchers believe these threat actors wanted to use them to broaden the impact of their campaign.

Via BleepingComputer

More from Pro

Share.
Exit mobile version