Hackers are making use of some basic tactics and tools to bypass antivirus software and infect systems with malware.
According to a new report from HP Wolf Security, a team analyzed a cyberattack which used AsyncRAT, a trojan used to steal valuable information, and found some frightenedly simple ways in which it managed to fool victims and protection software into thinking it was safe.
This included renaming file extensions, increasing file size so it couldn’t be scanned, and using multi programming languages as part of the overall attack.
Evading detection
The trojan is housed in a batch file, which are generally met with suspicion by cybersecurity systems. But by changing its associated file extension name from .bat to .pdf, and disguising the payload as an invoice or similar, the attackers were able to fool their victims into downloading it.
Windows file explorer hides the real extensions by default, so instead of the file name showing up as “.pdf.bat”, which would be more likely to arouse suspicions, it instead merely showed up as “.pdf”, and so appearing legitimate. HP Wolf Security notes that this simple trick is being used more and more by threat actors.
Cybercriminals are also inflating the size of their payload by simply adding in more useless binary code, sometimes to as large as 2GB, which exceeds the scanning threshold for many malware removal tools, meaning they can pass through undetected.
However, the clever part is that the meaningless binary code often repeats in sections, which means that it can be compressed into an archive file down to only a few megabytes if necessary, which makes it ideal for widespread spam campaigns.
Another trick used by the AsyncRAT attackers is that they used multiple programming languages throughout in order to evade detection. The payload itself was encrypted using Go, and malware detection tools on the target system were disabled so it could slip passed unnoticed.
To interact with the target’s system, the attack then made use of C++ to run the .NET malware in memory, which creates less of a footprint than if it were saved to the hard drive, again decreasing the chances of detection.
To run .NET files in memory using C++ requires advanced knowledge of how Windows works – knowledge that isn’t made publicly available. However, tools that can achieve this are sold on hacking forums for others to make use of without needing expertise.
Patrick Schläpfer, Malware Analyst at the HP Wolf Security threat research team, says that, “IT-savvy threat actors can use simple tools that are easily bought on the dark web to carry out complex and sophisticated attacks.”
“It’s likely this particular attack was carried out by an individual or small group, as the attack uses the same server with one IP address to distribute the spam email and set up a command and control.”