Rise of AsyncRAT: Navigating Tax-Themed Cyber Threats and WinRAR Vulnerabilities 

In the last few days, we have seen a rise of cyber attacks conducted by AsyncRAT focusing on ‘TAX attacks context.’ AsyncRAT is a Remote Access Trojan that attackers use to gain unauthorized access to a victim’s computer.  

This type of malware is particularly dangerous because it allows attackers to remotely control the infected machine, steal sensitive information, and deploy further malicious payloads. In the last few days, we have spotted a rise in cyber attacks involving tax-themed phishing scams, a common tactic used by cybercriminals, especially around tax season or when financial and personal information is frequently exchanged online. 

The AsyncRAT vulnerability used, AKA CVE-2023-38831, involves WinRAR, a widely used file archiver and compressor. For those who might not know, WinRAR is a widely used tool for compressing and decompressing files.  

Why does this matter? Well, if a hacker can exploit a flaw in something as commonplace as WinRAR, they can potentially execute harmful code on your computer by merely convincing you to open a tainted archive file. Imagine receiving an email that appears to be from a legitimate source, urging you to open an attached document labeled as an important tax document. The moment you open this file, you could unknowingly trigger the malware. 

Decoding Recent Cyber Intrusions: Identifying and Understanding Indicators of Compromise 

One of the latest attacks, occurring just three days ago, cleverly exploited this WinRAR vulnerability. Successful infection grants the attacker remote control over the affected host: 

After a successful infection, the attacker will have a remote control on the infected host. 

Here are some indicators of compromise (IoCs) related to this attack to watch out for: 

1. A suspicious link that looks like it could lead to a PDF document but is hosted on a questionable website: hxxp://paradisoprovisor1.hospedagemdesites./ws/cpa.pdf 

1. A file pretending to be a tax document with a hash value that, if you know how to check it, screams “malicious.”: a7459070acc9f901b2d07e1124a491144ae8ea9a5345a5d8ea7e6a273425ef7c - Tax1099K Document.001 

Moreover, these attacks have been using deceptive file names, like StatementNumber#rljvbbwvhg(2).wsf, leveraging another vulnerability, CVE-2017-11774. The cunning doesn’t stop there; another attack vector involves a file named something akin to “Form-1099-Tax-University-Accounting-Service-LLC-OMB-No.-1545-xxxx1576.zip.” After unsuspecting users download and open the BAT file contained within, their computer reaches out to Google Drive to download a malicious file masquerading as a tax document. 

VirusTotal – Search – malware_config:asyncrat 

The method of operation here is shockingly simple yet effective. Attackers send emails containing links to file-sharing platforms like Google Drive or MediaFire, baiting users into downloading what they believe are legitimate tax documents. Once the file is opened, a PowerShell script usually runs, downloading the actual malware from various online locations. 

IoCs: 

1. F09390F74BC8E515192D135B2B0442BFDB23441D5781598ED04C4779D5D6C061 

1. https://any.run/report/f09390f74bc8e515192d135b2b0442bfdb23441d5781598ed04c4779d5d6c061/e7828c2c-a551-47f3-9787-0958a3181d77 

In these attacks, filenames are specifically crafted to entice victims, with titles such as: 

• Joseph Turchetti! TaxDoc2022 Ducument.zip 

• Davis_Joseph_tax_docs.pdf 54 .JS 

• Tax1099K Document.001 

• copy_of_the_2020_federal_and_state_tax_returns.js 

• Tax Jhon Smith Overdue 2022 tax document.wsf 

• Tax document with errors 2022.vbs 

Over the last few months, more examples similar to AsyncRAT have surfaced. These attacks have a common thread: the simple usage of ‘filesharing platforms’ like Google & MediaFire, to download the malicious payload (as a link that was attached to an email): the attacker will send an email with a link to a fileshare (like MediaFire filesharing in the following examples). After the user clicks on the link and downloads the file, he will start the chain of infection. When opening the different files, in most cases, it will run a PowerShell that will download the malicious payload from various locations like: 

hxxp://paradisoprovisor1.hospedagemdesites.ws/cpa/.pdf’)) 

Example of one of the files that is being used in this attack: 

The main command and control that is used for the entire infrastructure is:  hxxps://detail-booking.com.br/cpa/.html 

We also noticed another infrastructure that issues the same attack TAX context: 

VirusTotal – IP address – 162.241.63.34 

1. 2020 Tax Return Documents (MR BIOMED TECH SERVICE).one 

1. Joseph Turchetti! TaxDoc2022 Ducument.zip 

1. copy_of_the_2020_federal_and_state_tax_returns.pdf 

1. cpafinalps1.jpg 

1. Paid $ 3,650.00 CPA, Partner PT CPAs has been paid $ 3,650.00.vbs 

1. Tax Jhon Smith Overdue 2022 tax document.wsf 

1. T ax Documents Sadinos Group CA v.s National Group.vbs 

When opening the file, you will be directed to https://skynetx./com.br/cpa./pdf for the initial infection.  

The latest sample from this RAT was seen 3 days ago: VirusTotal – File – 08267f6a4cc932b6700859ca5140cfbe980d5234331ebb60dae63feabc5558e9. It is still using the same attack techniques & Command & Controls. 

More examples for IoCs: 

• VirusTotal – File – 078907dd281d7c4e1c1530dfa3e658ca61efcb026a6a4ee13fec5784d1c90588 

• VirusTotal – File – 1176343cabd067bb24463a0c5b7bea6906a92f082ec54392fc3c1edebda09a1e 

• Davis_Joseph_tax_docs.pdf 54 .JS 

• VirusTotal – File – 1d3f775e3a7085f58da435acc99b050ace51b5f538d32006d050cd803dddb91d 

• VirusTotal – Search – tax 1099 AND p:5+ 

• VirusTotal – File – bdf2b6e5d04391c57623d906cea2d76e6295eabe144e55050e76f2a454f86e90 

RAT infections over time with communication to the C&C: 

Here are some lifesaving tips to help you avoid falling victim to these phishing scams like AsyncRAT: 

• Be Skeptical: If an email or message seems suspicious, even if it appears to be from a known contact, approach it with caution. Verify the sender’s identity through other means. 
• Update Regularly: Keep your software updated, including your operating system, antivirus, and applications like WinRAR. These updates often include patches for security vulnerabilities. 
• Use Antivirus Software: Ensure you have reliable antivirus software installed and that it’s up to date. These programs can detect and neutralize malware before it causes harm. 
• Back Up Your Data: Regularly back up your important files. If you fall victim to malware, this can prevent data loss. 
• Educate Yourself: Familiarize yourself with common phishing tactics and malware. The more you know, the harder it is for scammers to deceive you. 

A Call to Arms for Organizations 

In the face of these sophisticated phishing scams, it’s not just individuals who must be on high alert; organizations, too, have a critical role to play. Cyber security is a collective effort, requiring vigilance and proactive measures from companies of all sizes. Businesses must implement robust security protocols, educate their employees about the dangers of phishing scams, and foster a culture of cyber security awareness. 

Organizations should consider employing advanced threat detection and response systems that can identify and neutralize threats before they infiltrate the network. Regular security audits and updates to IT infrastructure can also help close vulnerabilities that could be exploited by malware like AsyncRAT. Equally important is the creation of clear policies for reporting suspicious activities, ensuring that potential threats are identified and addressed swiftly. 

Let’s make cyber security a priority, not just during tax season, but all year round, safeguarding our organizations against those who seek to exploit them.