eSentire's Threat Response Unit (TRU) discovered an AsyncRAT infection that was delivered through a Windows Script File (.wsf) via email. The malicious .wsf file, named “SummaryForm_,” downloaded a VBScript from a remote server, which then fetched a fake image file.
This file was actually a ZIP archive that, once extracted, ran additional scripts to establish persistence on the system. The scripts created a scheduled task to execute the AsyncRAT payload repeatedly, making it difficult to detect and remove. The payload was injected into the RegAsm.exe process using a DLL to further evade detection.
Additionally, this version of AsyncRAT included an infostealer plugin designed to exfiltrate data from popular web browsers like Chrome and Firefox, as well as cryptocurrency wallet extensions such as MetaMask and Coinbase. The attack highlights the use of multiple stages and obfuscation techniques to maintain persistence and steal sensitive information from the infected system.