Showing posts from July, 2021

Attack campaign analysis and interdiction: Async RAT

  Threat hunting in public sandboxes has been, admittedly, a hobby of mine for the last two years or so. Recently, I have been looking through the geo-specific uploads that arrive in one such sandbox called Any.Run. It is no secret I am from the UK, so from time to time I like to check what malware is currently being sent to companies in the UK. This one caught my eye: the file "astro-grep-setup.exe.doc" (available on Any.Run here) was not uploaded to the sandbox by me, but instead by some stranger from the UK (or someone potentially using a VPN server in the UK). It is 596 pages long and 1.38 MB. The attacker behind this document has used an interesting technique: when the document is opened and macros are enabled, they deliver an installer for a legitimate app called "AstroGrep" (an open source Windows grep utility), which is also packed with another malicious application containing the Async RAT. This technique is known as using a "binder" putting two apps
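As an added example (not part of the original post, and not derived from the actual sample, whose layout is not described here), the following script shows two cheap triage checks a defender can apply to a dropped installer of this kind: flagging a deceptive double extension such as ".exe.doc", and counting well-formed DOS/PE header pairs inside the file, since a binder output or an installer with an appended payload typically carries more than one. The input bytes are constructed in the script with a helper that builds minimal, non-executable PE-like blobs; the function and variable names are the example's own.

```python
import re
import struct


def make_fake_pe(name: bytes, size: int = 512) -> bytes:
    """Build a minimal blob that looks like a PE header (DOS 'MZ' stub whose
    e_lfanew points at a 'PE\\0\\0' signature). Constructed test data only;
    it is not a real program and cannot run."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    buf[0x100:0x100 + len(name)] = name              # filler so the two blobs differ
    return bytes(buf)


def find_pe_headers(data: bytes) -> list:
    """Return the offset of every DOS stub whose e_lfanew points at a valid
    PE signature. A plain executable has exactly one, at offset 0."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe_off = off + e_lfanew
        # Sanity-bound e_lfanew to avoid treating random 'MZ' bytes as headers
        if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def deceptive_extension(filename: str) -> bool:
    """Flag names like 'astro-grep-setup.exe.doc' where an executable
    extension sits in front of the final, benign-looking one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in {"exe", "scr", "com", "bat", "js", "vbs"}


def triage(filename: str, data: bytes) -> dict:
    """Combine both checks into a small triage verdict for one file."""
    pes = find_pe_headers(data)
    return {
        "double_extension": deceptive_extension(filename),
        "pe_count": len(pes),
        "pe_offsets": pes,
        "binder_suspect": len(pes) > 1,
    }


# Constructed sample: a "legitimate installer" blob with a second PE-like blob
# appended, mimicking what a binder produces.
SAMPLE = make_fake_pe(b"legit-installer") + make_fake_pe(b"second-payload")

if __name__ == "__main__":
    print(triage("astro-grep-setup.exe.doc", SAMPLE))
```

Treat a PE count above one as a triage signal rather than a verdict: legitimate self-extracting installers also embed executables, so the result is a reason to look closer (or to detonate the file in a sandbox, as the post's author did), not proof of a binder on its own.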