Critical Infrastructure Security, Malware, Threat Intelligence

US critical infrastructure, others subjected to prolonged AsyncRAT malware attacks

Several organizations, including some that manage U.S. critical infrastructure, have been targeted by an AsyncRAT malware campaign over the past 11 months, BleepingComputer reports. According to a report from AT&T Alien Labs, the campaign has used 300 unique loader samples and more than 100 domains. It begins with malicious emails carrying a GIF attachment that leads to the download of obfuscated JavaScript and PowerShell scripts. The attackers also use a loader that checks whether a victim is eligible for AsyncRAT compromise, launching decoy payloads instead when it detects an analysis environment. Further examination revealed that the attackers rely on a domain generation algorithm to produce new command-and-control (C2) domains each week. The domains follow a consistent structure: eight random alphanumeric characters, South Africa as the country code, and the "top" TLD. All of the domains were hosted on Digital Ocean, the researchers noted; they have not linked the campaign to a particular threat actor.
