Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Targeted attack on Thailand Pass customers delivers AsyncRAT

GAYATHRI ANBALAGAN, PARTHEEBAN J
April 27, 2022 - 9 min read

The Zscaler ThreatLabz research team has recently discovered a malware campaign targeting users applying for Thailand travel passes. The end payload of many of these attacks is AsyncRAT, a Remote Access Trojan that can be used to monitor, control, and steal sensitive data from victims' machines.

Thailand Pass is an online travel agency that brokers airline tickets to travelers who want to visit Thailand or other foreign countries. Attackers trick victims using a spoof web page that poses as Thailand Pass, ultimately baiting users into downloading AsyncRAT. 

The Thailand Pass organization has issued an advisory for these malicious campaigns on their official website "tp.consular[.]go[.]th" as shown below.

Fig 1

Figure 1: Advisory by Thailand pass organization.

In this blog, our team will provide a deep analysis of the malware campaign that we have observed related to these attacks.

The below image shows the complete flow of execution for this malware campaign. 

Fig 2

Figure 2: Complete attack chain workflow.

The following malicious URLs were used for this campaign, as found through our Threat Intelligence collection framework.

hxxps://bit[.]ly/Thailand-passport - is an shortened URL of

hxxps://onedrive.live[.]com/Download?cid=6BCBE135551869F2&resid=6BCBE135551869F2!168&authkey=AGoYtbf1Lb5VjFg

On accessing the above URL, the page delivers a HTML file named “Thailand Pass Registration System (for air travel.html”. Once the user opens the HTML file, it automatically drops an ISO file named “thailand_Passport.iso” without any user interaction, as shown below.

Fig 3

Figure 3 : Thailand pass phishing page drops ISO file.

This ISO file contains a VBScript called “qr_thailand_pass.vbs” file which begins the malware activity. The content of the vbs file will be in obfuscated form as shown below.

Fig 4

Figure 4: Obfuscated content of the qr_thailand_pass.vbs file.

After de-obfuscating the VBScript, we can see that the script tries to download a Testavast+denf.txt file from the web hosting site(ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com) and executes the code using the “IEX” operation with the help of “powershell”.

Fig 5

Figure 5: Deobfuscated content of the qr_thailand_pass.vbs file.

The following image shows the content of the Testavast+denf.txt file which contains a code to check if antivirus services ESET, Avast, AVG, or Malwarebytes are running. If any of those services is found, the script modifies the execution flow of the malware to get around the antivirus, and downloads the appropriate files in order to do so. It saves the files related to the antivirus service as untitled.ps1 and executes that powershell script. 

Fig 6

Figure 6: Checks for AV running service and downloads its related text file accordingly.

While execution flows are modified if AV services are found to be present, the final payload (AsyncRAT malware) remains the same. 

IF AV exists on the host machine

Example - Victim Machine runs MalwareBytes AV as a service

Here, we have taken a case study of a host with malwarebytes antivirus installed, and will analyze the delivery of an AsyncRAT payload in detail. The following image shows the content of the killd.txt file which downloads the supporting files from web hosting site(ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com) 

Fig 7

Figure 7: Content of the powershell script present in the Killd.txt file.

The image depicts the content of the supporting files like admin.vbs, admin.ps1, 1_powerrun.vbs, 1.bat and 1.ps1 whose main task is to stop the particular AV service to evade detection and to execute the malware attack.

admin.vbs - Starts the admin.ps1 powershell script

admin.ps1 - Starts the 1_powerrun.vbs script in admin mode

1_powerrun.vbs - runs the 1.bat batch file.

1.bat - runs the 1.ps1 powershell script.

Fig 8

Figure 8: Content of the admin.vbs,admin.ps1,1_powerrun.vbs and 1.bat.

The final goal of the “1.ps1” powershell script is to stop the MalwareBytes service and add exclusion for the supporting files during the real time scanning as depicted below.

Fig 9

Figure 9: Stops the Malwarebytes Antivirus service in Force method.

After disabling the running antivirus service, it downloads the AsyncRAT malware from the killd.txt file and starts its malicious activity on the victim's machine.

Fig 10

Figure 10: Content of the AsyncRAT payload present in the killd.txt file.

If no antivirus services are detected on the victim machine then the code will move to the “else” as shown below.

IF AV does not Exist on the host machine

Here the script downloads “task.txt”, “SecurityHealth.exe” and “SecurityHealth.exe.manifest” files from the following domain “hxxp://microsoft[.]soundcast[.]me”. Then, it executes the “task.txt” file as “untitled.ps1”. It also copies the following “SecurityHealth[.].exe” and “SecurityHealth[.]exe[.]manifest” files in the startup folder for persistence techniques.

Fig 11

Figure 11: If AV not exist, download files from “hxxp://microsoft[.]soundcast[.]me/”.

The following image shows the content of the Task.txt file which creates a scheduled task as GoogleUpdate to execute the dropped SecurityHealth[.]exe file. This naming fools the user and enables the malware to implement its persistence method.

Fig 12

Figure 12: Task.txt file uses persistence technique.

The securityHealth[.]exe file needs the SecurityHealth[.]exe[.]manifest supporting file to execute its malicious activities.

The following image shows the decoded content present in the SecurityHealth[.]exe[.]manifest containing the URL(34[.]71[.]81[.]158/Run/aaa.ps1) to download the malicious powershell script(aaa.ps1).

Fig 13

Figure 13: Decoded content present in the SecurityHealth.exe.manifest, downloads aaa.ps1.

The downloaded powershell script aaa.ps1 contains the same AyncRAT payload which is present in the killd.txt file(Malwarebytes AV related file).

Fig 14

Figure 14: content present in aaa.ps1 file

Final payload AsyncRAT malware - Execution Flow

The variable $Filc contains the actual AsyncRAT malware payload, which is injected into a legitimate aspnet_compiler.exe file to show it as a genuine file running in background. The following image shows how the process injection is done in detail.

Fig 15

Figure 15: AsyncRAT payload process injection in legitimate file(aspnet_compiler.exe).

While decoding the variable $Filc, it results in an AsyncRAT malware file that was hidden inside of it. After deobfuscation, converted that into a decimal format and then into ASCII to see the actual executable file (malware payload) as depicted below.

Fig 16

Figure 16: Deobfuscated AsyncRAT malware executable.

The injected malware payload runs as a legitimate aspnet_compiler.exe process as shown below.

Fig 17

Figure 17: Aspnet_compiler is running as a legit file with injected AsyncRAT payload into it.

Process Injection - Work Flow

We have dissected the deobfuscated AsyncRAT to see how the process injection is accomplished. The following image shows the APIs used for process injection in the Execute method.

Fig 18

Figure 18: Content Present in GetMethod- Execute Function - Process injection APIs.

The following APIs are also used to inject the malware AsyncRAT into the legitimate file aspnet_compiler.exe file.

Fig 19

Figure 19: Content Present in GetType - Order.Yes -  Process injection APIs.

The payload will also check for the Anti-VM and Anti-debugging techniques to evade detection as follows:

Here it checks whether the downloaded malware payload is running in the host or virtual machine, and also uses anti-debugging techniques to hide its actual behavior.

Fig 20

Figure 20: Decompiled AsyncRAT file : Anti VM - Anti Debugging techniques.

Finally, it steals the networking credentials of the victim and sends the stolen information to the following C&C server (invoice-update[.]myiphost[.]com) as shown below.

Fig 21

Figure 21: Decompiled AsyncRAT file - C&C server location.

Similar campaign - Delivery using Discord CDN: 

cdn[.]discordapp[.]com/attachments/921529408060289114/947221997325258772/qr_thailand_pass.zip

We have seen several other Thailand Pass organization spam templates that directly deliver the VBScript file that leads to the delivery of the same AsyncRAT malware, as shown below.

Fig 22

Figure 22: Thailand pass downloads VBScript file directly.

Conclusion:

AsyncRAT – like other Remote Access Trojans – is a powerful malware that plays a significant role in cybercriminal activities. ThreatLabz actively tracks these types of malware attacks to protect our customers from data theft and from other sensitive information being abused by the cybercriminals.

IOCs:

URLs:

bit[.]ly/Thailand-passport

onedrive[.]live[.]com/Download?cid=6BCBE135551869F2&resid=6BCBE135551869F2!168&authkey=AGoYtbf1Lb5VjFg

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/New/Testavast+denf[.]txt

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/New/Nod[.]txt

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/New/Avast[.]txt

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/New/Killd[.]txt

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/1[.]bat

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/1[.]ps1

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/1_powerrun[.]vbs

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/PowerRun[.]exe

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/admin[.]ps1

ec2-34-229-64-131[.]compute-1[.]amazonaws[.]com/SV/Malawer/admin[.]vbs

microsoft[.]soundcast[.]me/Run/task[.]txt

microsoft[.]soundcast[.]me/Run/SecurityHealth[.]exe

microsoft[.]soundcast[.]me/Run/SecurityHealth[.]exe[.]manifest

34[.]71.81[.]158

cdn[.]discordapp[.]com/attachments/921529408060289114/947221997325258772/qr_thailand_pass.zip

Hashes:

9f0a23cf792d72d89010df5e219b4b12 - Thailand pass[.]html

e2da247426a520209f7d993332818b40  -  Thailand pass[.]ISO

8f30215a81f2a2950fd5551d4f2212ce - QR_thailand_pass[.]vbs

e8e4ea0f80c9ff49df07e9c1b119ba2a - Security health[.]exe

25ed250f143d623d0d41bd9123bcc509 - SecurityHealth[.]exe[.]manifest

4e6d695ed0559da97c9f081acf0892e4 - AsyncRAT Payload

2922a998d5b202ff9df4c40bce0a6119 - Process injector

b64ac660f13b24f99999e7376424df2d - Killd.txt

984f6bd06024f8e7df2f9ec9e05ae3d2 - Avast.txt

a5dfd5b75db6529b6bd359e02229ad1d - Nod.txt

9c0bdb129084a6c8fce1a1e9d153374b - Admin.ps1

7ec50ec3091ff38eb7c43e2a8a253bc9 - 1.ps1

ae29fc1878f3471bb196ba353b3daf9d - 1_powerrun.vbs

44314f46a2beb1cc20a0798533f0913E - 1.bat

878b1aae24a87bc0dbce537336878b5E - Admin.vbs

C&C:

invoice-update[.]myiphost[.]com

Detection & Coverage:

Advanced Sandbox Report:

Fig 23

Figure 23:Zscaler Sandbox detection

Advanced Threat Protection:

Win32.Downloader.AsyncRAT

HTML.Phish.ThailandPass

VBS.Dropper.AsyncRAT

Win32.Backdoor.AsyncRAT

PS.Downloader.AsyncRAT

Win32.Trojan.NETAssemblyInject

About us

Zscaler ThreatLabz is a global threat research team with a mission to protect customers from advanced cyberthreats. Made up of more than 100 security experts with decades of experience in tracking threat actors, malware reverse engineering, behavior analytics, and data science, the team operates 24/7 to identify and prevent emerging threats using insights from 300 trillion daily signals from the Zscaler Zero Trust Exchange.

Since its inception, ThreatLabz has been tracking the evolution of emerging threat vectors, campaigns, and groups, contributing critical findings and insights on zero-day vulnerabilities, —including active IOCs and TTPs for threat actors, malware, and ransomware families, phishing campaigns, and more.

ThreatLabz supports industry information sharing and plays an integral role in the development of world-class security solutions at Zscaler. See the latest ThreatLabz threat research on the Zscaler blog.

 

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.