DEAD#VAX Malware Delivers AsyncRAT Stealthily

Cybersecurity researchers uncovered a clever malware campaign. They call it DEAD#VAX. Attackers use IPFS-hosted VHD files to sneak AsyncRAT onto systems.

How the Phishing Starts

Attackers send phishing emails with fake purchase orders. They disguise the attachment as a PDF file. However, the link points to a VHD hosted on IPFS. This decentralized network helps hide the file.

When users double-click the file, it mounts as a virtual drive. For example, it appears as drive E:. Therefore, victims think they opened a document. This trick bypasses many security checks.

Inside the Virtual Drive

The mounted drive shows a WSF script file. Victims run it expecting a PDF. Next, the script drops a heavily obfuscated batch file. This batch file checks the environment carefully. It looks for sandboxes or virtual machines. Additionally, it confirms admin rights. If the checks pass, the script moves forward. Otherwise, it stops quietly.

The batch file launches a PowerShell injector. This component decrypts hidden payloads at runtime. It never saves clear files to disk. For instance, it injects AsyncRAT shellcode into trusted Windows processes. Examples include RuntimeBroker.exe and OneDrive.exe. Consequently, the malware blends with normal activity. It uses sleep delays to stay low-key. This reduces CPU spikes and API noise.

AsyncRAT Capabilities

AsyncRAT gives attackers full control. It logs keystrokes and captures screens. Moreover, it grabs webcam images and clipboard data. It accesses files and runs commands remotely.

The trojan sets up persistence too. It creates scheduled tasks that survive reboots. Therefore, access lasts long-term. Attackers monitor victims without raising alarms.

Attackers abuse legitimate features smartly. VHD files evade traditional scanners. IPFS hosting avoids direct malicious links. In-memory execution leaves few traces.

Each stage looks harmless alone. For example, scripts and processes mimic normal behavior. This multi-stage design challenges defenses. Detection becomes much harder.

Fileless Execution Advantage

The malware runs entirely in memory. It injects into signed Microsoft processes. No decrypted binary touches the disk. Therefore, endpoint tools struggle to spot it.

Throttled execution hides activity further. Sleep intervals make behavior look natural. Consequently, AsyncRAT persists undetected for extended periods.

Prevention Strategies

Organizations can stop these attacks with layered defenses. First, block VHD and WSF files in email gateways. Train users to avoid unknown attachments. Moreover, deploy continuous monitoring that watches for unusual process injections and memory anomalies.

Enable strict script execution policies. Use behavioral analysis to flag sandbox evasion checks. These steps reduce the success of fileless RATs like AsyncRAT significantly.
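As an added illustration of the monitoring step (not code from the original article or from any vendor tool), the following Python sketch correlates simplified, constructed Sysmon-style events for the chain described above: a script host running a .wsf from a non-system drive, a PowerShell descendant, and a remote-thread creation into RuntimeBroker.exe or OneDrive.exe. The event shape, field names and the assumption that the system drive is C: are mine.

```python
import re
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

SYSTEM_DRIVE = "C:"                                      # assumption: OS volume
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TRUSTED_TARGETS = {"runtimebroker.exe", "onedrive.exe"}  # injection targets named in the article
WSF_ON_DRIVE = re.compile(r'([A-Za-z]:)\\[^"\s]*\.wsf', re.IGNORECASE)

# Constructed sample events in a reduced Sysmon-like shape (id 1 = process create,
# id 8 = CreateRemoteThread). Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 50,  "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "E:\PurchaseOrder.pdf.wsf"'},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage.bat"'},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc AAAA"},
    {"id": 8, "source_pid": 400, "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"id": 1, "pid": 500, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": "winword.exe"},  # benign noise, must not alert
]

def script_from_other_drive(ev):
    """True for a process-create event where a script host runs a .wsf from a drive other than C:."""
    if ev["id"] != 1 or ntpath.basename(ev["image"]).lower() not in SCRIPT_HOSTS:
        return False
    m = WSF_ON_DRIVE.search(ev["cmd"])
    return bool(m) and m.group(1).upper() != SYSTEM_DRIVE

def injection_into_trusted(ev):
    """True for a CreateRemoteThread event from powershell.exe into a trusted target process."""
    return (ev["id"] == 8
            and ntpath.basename(ev["source_image"]).lower() == "powershell.exe"
            and ntpath.basename(ev["target_image"]).lower() in TRUSTED_TARGETS)

def find_chains(events):
    """Return one alert per injection whose process ancestry includes a script run from a mounted drive."""
    procs = {ev["pid"]: ev for ev in events if ev["id"] == 1}
    alerts = []
    for ev in events:
        if not injection_into_trusted(ev):
            continue
        pid = ev["source_pid"]
        while pid in procs:  # walk parents until the chain leaves the recorded events
            if script_from_other_drive(procs[pid]):
                alerts.append({"script_pid": pid, "injector_pid": ev["source_pid"],
                               "target": ntpath.basename(ev["target_image"])})
                break
            pid = procs[pid]["ppid"]
    return alerts

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
```

Either stage alone (a .wsf from a removable-looking drive, or a remote thread into RuntimeBroker.exe) is worth a lower-severity signal; the ancestry link is what raises it to a high-confidence alert.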
