DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files
These articles are AI-generated summaries. Please check the original sources for full details.
DEAD#VAX Malware Campaign
The DEAD#VAX malware campaign has been identified as a new, sophisticated threat that employs a combination of legitimate system features and clever tradecraft to bypass traditional detection mechanisms and deploy the AsyncRAT remote access trojan. This campaign leverages IPFS-hosted VHD files, extreme script obfuscation, and in-memory shellcode injection to evade detection, with the AsyncRAT malware providing attackers with extensive control over compromised endpoints.
Why This Matters
Modern campaigns like DEAD#VAX expose the limits of defensive models that rely solely on traditional, file-based detection. Fileless execution, memory-resident shellcode, and trusted file formats make these threats hard to detect and analyze, and a successful intrusion carries a significant cost in data loss and system compromise. According to Securonix researchers, the campaign's ability to operate with a reduced risk of discovery by traditional endpoint security controls makes it a substantial threat.
Key Insights
- AsyncRAT is an open-source malware that provides attackers with extensive control over compromised endpoints, enabling surveillance and data collection through keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots.
- Delivering VHD files from IPFS lets the attackers bypass certain security controls that would inspect a conventional download, and the virtual disk format helps the payload evade detection.
- The PowerShell component of the malware lays the foundation for a “stealthy, resilient execution engine” that allows the trojan to run entirely in memory and blend into legitimate system activity.
Working Example
# Illustrative sketch of the PowerShell-based process injector and persistence module. It is not a functional injector: $ptr is never allocated, and the payload is only base64-decoded here, not decrypted.
$process = Get-Process -Name "RuntimeBroker"   # Get-Process -Name takes the image name without the .exe suffix
$injector = [System.Management.Automation.PowerShell]::Create()   # the PowerShell class has no public constructor; Create() is the factory
$injector.AddScript({
    # Decode the embedded payload; the real loader decrypts it and registers a scheduled task for persistence
    $payload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("encrypted_payload"))
    # Copy the decoded bytes into the target process (the trojan injects into Microsoft-signed Windows processes)
    [System.Runtime.InteropServices.Marshal]::Copy($payload, 0, $ptr, $payload.Length)
})
$injector.Invoke()
Practical Applications
- Use Case: The DEAD#VAX campaign demonstrates the use of legitimate file formats and script abuse to deliver malware, highlighting the need for defenders to monitor and analyze system activity for suspicious behavior.
- Pitfall: The use of fileless execution and memory-resident shellcode makes it challenging for defenders to detect and analyze these threats, emphasizing the importance of implementing robust detection and response mechanisms.
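The detection side of the points above, as an added example that is not part of the original summary or Securonix's research: a small rule set run over constructed process-creation and script-block records (sample events, rule names and field layout are all assumptions, not real telemetry from the campaign). It flags the four behaviours the page describes: a VHD fetched from an IPFS gateway, a large encoded PowerShell command line, a script block that base64-decodes a blob and copies it into memory, and a scheduled task created from a PowerShell parent.

```python
import re

# Constructed sample records (not telemetry from the real campaign). Each dict is a
# simplified process-creation or PowerShell script-block event as a SIEM might store it.
SAMPLE_EVENTS = [
    {"kind": "process", "image": "explorer.exe", "parent": "userinit.exe",
     "cmd": "explorer.exe https://ipfs.io/ipfs/bafyEXAMPLE/Invoice.vhd"},
    {"kind": "process", "image": "powershell.exe", "parent": "wscript.exe",
     "cmd": "powershell.exe -w hidden -nop -e " + "QQ" * 80},   # placeholder encoded blob
    {"kind": "script", "image": "powershell.exe", "parent": "",
     "cmd": "$p=[Convert]::FromBase64String($b);"
            "[Runtime.InteropServices.Marshal]::Copy($p,0,$ptr,$p.Length)"},
    {"kind": "process", "image": "schtasks.exe", "parent": "powershell.exe",
     "cmd": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\u.ps1"},
    {"kind": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell.exe Get-ChildItem C:\\Users"},   # benign admin use, must not match
]

IPFS_VHD = re.compile(r"ipfs[^\s\"']*\.vhdx?\b", re.I)           # VHD pulled from an IPFS gateway
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")              # long base64-looking token
INMEM_COPY = re.compile(r"FromBase64String.*Marshal\]::Copy", re.I | re.S)
PERSIST = re.compile(r"schtasks(\.exe)?\s+/create", re.I)

def classify(event):
    """Return the list of rule names the event matches (empty list means no hit)."""
    hits = []
    cmd = event["cmd"]
    if IPFS_VHD.search(cmd):
        hits.append("ipfs_vhd_delivery")
    if event["image"].lower() == "powershell.exe" and B64_BLOB.search(cmd):
        hits.append("powershell_large_encoded_blob")
    if event["kind"] == "script" and INMEM_COPY.search(cmd):
        hits.append("scriptblock_inmemory_copy")
    if PERSIST.search(cmd) and event["parent"].lower() == "powershell.exe":
        hits.append("powershell_scheduled_task_persistence")
    return hits

def scan(events):
    """Map event index -> matched rules, only for events that matched at least one rule."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(rules)}")
```

Each rule alone is noisy in a real estate; the value comes from correlating two or more of them on the same host within a short window, which is what the campaign's chain (IPFS VHD, then obfuscated PowerShell, then in-memory copy and scheduled task) produces.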