New DEAD#VAX Campaign Uses Advanced Techniques to Bypass Malware Detection

Threat hunters have disclosed details of a new, stealthy malware campaign dubbed DEAD#VAX that employs a mix of “disciplined tradecraft and clever abuse of legitimate system features” to bypass traditional detection mechanisms and deploy a remote access trojan (RAT) known as AsyncRAT.

“The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report.

At the core of the operation, AsyncRAT enables attackers to gain deep and persistent control over infected systems. The open-source malware allows surveillance and data collection through keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots.

To initiate the infection sequence, the attackers rely on a phishing email that delivers a Virtual Hard Disk (VHD) file hosted on the decentralized InterPlanetary File System (IPFS) network. Notably, the threat actors disguise the VHD files as PDF purchase orders to deceive targeted victims and increase the likelihood of execution.

Multi-Stage Execution and In-Memory Payload Delivery

Following initial access, the multi-stage campaign leverages Windows Script Files (WSF), heavily obfuscated batch scripts, and self-parsing PowerShell loaders to deliver an encrypted x64 shellcode payload. The attackers use this shellcode to deploy AsyncRAT, inject it directly into trusted Windows processes, and execute it entirely in memory, which significantly reduces forensic artifacts on disk.

“After downloading, when a user simply tries to open this PDF-looking file and double-clicks it, it mounts as a virtual hard drive,” the researchers explained. “Using a VHD file is a highly specific and effective evasion technique used in modern malware campaigns. This behavior shows how VHD files bypass certain security controls.”

Once the system mounts the VHD, the newly mounted drive (E:) presents a WSF script that appears to the victim as a PDF document. When executed, the script drops and runs an obfuscated batch script that immediately performs a series of checks: it tests whether it is running inside a virtualized or sandboxed environment and confirms that it has the privileges required to proceed.
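The mounted-VHD stage is the easiest point at which to catch this chain before anything runs in memory, because the script host has to be launched from a drive letter that did not exist a moment earlier. The following is an added example, not code from the Securonix report or the article: a hunting rule run over Sysmon-style process-creation records that flags wscript.exe or cscript.exe executing a script from a non-system drive, a double-extension lure name such as .pdf.wsf, and a cmd.exe child of such a script host (the obfuscated batch stage). The records, the E: drive letter and the file names are constructed for the example; the field names mirror Sysmon Event ID 1, and treating C: as the only system drive is an assumption.

```python
import re

# Added example: hunting the VHD-delivered WSF stage over Sysmon-style
# process-creation (Event ID 1) records. All sample records are constructed.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_DRIVES = {"c:"}  # assumption: the OS volume is C:; a mounted VHD gets another letter

# A script path on any drive letter, terminated by a quote, whitespace or end of line.
SCRIPT_PATH_RE = re.compile(
    r'([a-zA-Z]:\\[^"\s]+?\.(?:wsf|vbs|vbe|jse|js))(?=["\s]|$)', re.IGNORECASE)
# Lure names such as invoice.pdf.wsf: a document extension hiding the real one.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?)\.[a-z]{2,4}$", re.IGNORECASE)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def script_host_reasons(ev):
    """Reasons to flag one process-creation record, or [] if it looks normal."""
    if basename(ev["Image"]) not in SCRIPT_HOSTS:
        return []
    m = SCRIPT_PATH_RE.search(ev["CommandLine"])
    if not m:
        return []
    path = m.group(1)
    reasons = []
    if path[:2].lower() not in SYSTEM_DRIVES:
        reasons.append(f"script host executing {path} from non-system drive "
                       f"{path[:2].upper()} (mounted VHD/ISO or removable media)")
    if DOUBLE_EXT_RE.search(basename(path)):
        reasons.append(f"double-extension lure file name: {basename(path)}")
    return reasons


def hunt(events):
    """Return [(pid, [reasons])] in event order: flagged script hosts first, then their cmd.exe children."""
    hits = []
    for ev in events:
        reasons = script_host_reasons(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    flagged = {pid for pid, _ in hits}
    for ev in events:
        if basename(ev["Image"]) == "cmd.exe" and ev["ParentProcessId"] in flagged:
            hits.append((ev["ProcessId"],
                         [f"cmd.exe (batch stage) spawned by flagged script host pid {ev['ParentProcessId']}"]))
    return hits


# Constructed records: a benign logon script, a lure opened from a mounted VHD,
# its cmd.exe child, and an unrelated cmd.exe.
SAMPLE_EVENTS = [
    {"ProcessId": 3100, "ParentProcessId": 1120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'},
    {"ProcessId": 4120, "ParentProcessId": 1120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "E:\Purchase_Order_4471.pdf.wsf"'},
    {"ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Public\stage.bat"'},
    {"ProcessId": 4300, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The drive-letter test is the robust part of the rule: the lure name can change, but a script host reading its script from a freshly mounted volume is rare in most estates. Tune SYSTEM_DRIVES to the volumes your images actually use, and expect to whitelist legitimate logon scripts served from mapped network drives.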

PowerShell Injection and Persistence Mechanisms

After the script satisfies all execution conditions, it launches a PowerShell-based process injector and persistence module. This module validates the execution environment, decrypts the embedded payloads, establishes persistence through scheduled tasks, and injects the final malware into Microsoft-signed Windows processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe. Crucially, the decrypted payload never touches disk at any point in this process.

Together, these components form a “stealthy, resilient execution engine” that allows the trojan to operate entirely in memory and blend into legitimate system activity. As a result, attackers maintain long-term access to compromised environments while minimizing detection opportunities.

To further enhance stealth, the malware actively controls execution timing and throttles activity using sleep intervals. This approach reduces CPU usage, limits suspicious bursts of Win32 API calls, and makes runtime behavior appear less anomalous.
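For the injector-and-persistence stage, the useful telemetry is not a file but one process touching another: Sysmon records the PowerShell host opening RuntimeBroker.exe (Event ID 10, ProcessAccess) and starting a thread in it (Event ID 8, CreateRemoteThread). The following is an added example, not code from the Securonix report or the article, that correlates such records per PowerShell process together with a schtasks.exe /create child and a hidden-window or encoded command line, and scores each process. All records are constructed; the PROCESS_* access rights are the documented Win32 values; treating a schtasks.exe child as the persistence indicator is an assumption of the example.

```python
import re

# Added example: per-process correlation of Sysmon-style records (Event IDs 1, 10, 8)
# to surface a PowerShell host that injects into a trusted Windows process and
# registers a scheduled task. All sample records are constructed.

# Microsoft-signed processes named in the report as injection targets.
TRUSTED_TARGETS = {"runtimebroker.exe", "onedrive.exe", "taskhostw.exe", "sihost.exe"}

# Win32 process access rights an injector needs on the target (documented values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

HIDDEN_OR_ENCODED_RE = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_powershell(image):
    return basename(image) in {"powershell.exe", "pwsh.exe"}


def injecting_access(granted_hex):
    """True when the GrantedAccess mask carries every right needed to write memory and start a thread."""
    return int(granted_hex, 16) & INJECT_MASK == INJECT_MASK


def triage(events, threshold=3):
    """Score each PowerShell pid; return {pid: {"score": int, "reasons": [...]}} at or above threshold."""
    findings = {}

    def note(pid, weight, reason):
        entry = findings.setdefault(pid, {"score": 0, "reasons": []})
        entry["score"] += weight
        entry["reasons"].append(reason)

    ps_pids = {ev["ProcessId"] for ev in events
               if ev["EventId"] == 1 and is_powershell(ev["Image"])}

    for ev in events:
        eid = ev["EventId"]
        if eid == 1 and ev["ProcessId"] in ps_pids:
            if HIDDEN_OR_ENCODED_RE.search(ev["CommandLine"]):
                note(ev["ProcessId"], 1, "hidden-window or encoded command line")
        elif eid == 1 and ev["ParentProcessId"] in ps_pids:
            # Assumption: persistence via schtasks.exe; COM-based Register-ScheduledTask is not seen here.
            if basename(ev["Image"]) == "schtasks.exe" and "/create" in ev["CommandLine"].lower():
                note(ev["ParentProcessId"], 2, "schtasks /create child (persistence)")
        elif eid == 10 and ev["SourceProcessId"] in ps_pids:
            target = basename(ev["TargetImage"])
            if target in TRUSTED_TARGETS and injecting_access(ev["GrantedAccess"]):
                note(ev["SourceProcessId"], 2,
                     f"opened {target} with {ev['GrantedAccess']} (write + create-thread rights)")
        elif eid == 8 and ev["SourceProcessId"] in ps_pids:
            target = basename(ev["TargetImage"])
            if target in TRUSTED_TARGETS:
                note(ev["SourceProcessId"], 3, f"remote thread created in {target}")

    return {pid: f for pid, f in findings.items() if f["score"] >= threshold}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records: one injecting PowerShell host (pid 5200) plus benign noise.
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessId": 5200, "ParentProcessId": 4188, "Image": PS,
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\stage.ps1"},
    {"EventId": 1, "ProcessId": 5260, "ParentProcessId": 5200,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "OneDriveSync" /tr "powershell.exe -w hidden -f C:\Users\Public\u.ps1"'},
    {"EventId": 10, "SourceProcessId": 5200, "SourceImage": PS,
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe", "GrantedAccess": "0x143A"},
    {"EventId": 8, "SourceProcessId": 5200, "SourceImage": PS,
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe"},
    # Benign: a service querying RuntimeBroker read-only, and an admin's interactive PowerShell.
    {"EventId": 10, "SourceProcessId": 1300, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\RuntimeBroker.exe", "GrantedAccess": "0x1000"},
    {"EventId": 1, "ProcessId": 7000, "ParentProcessId": 6800, "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for pid, f in triage(SAMPLE_EVENTS).items():
        print(pid, f["score"], "; ".join(f["reasons"]))
```

Two caveats for a production version of this rule. Sysmon only emits ProcessAccess (Event ID 10) for source/target pairs that the configuration includes, so the RuntimeBroker.exe, OneDrive.exe, taskhostw.exe and sihost.exe targets must be in your include rules before this correlation sees anything. And PowerShell's Register-ScheduledTask uses the Task Scheduler COM interface rather than spawning schtasks.exe, so the persistence indicator should also be fed from Security event 4698 (task creation), which this example does not parse.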

“Modern malware campaigns increasingly rely on trusted file formats, script abuse, and memory-resident execution to bypass traditional security controls,” the researchers said. “Rather than delivering a single malicious binary, attackers now construct multi-stage execution pipelines in which each individual component appears benign when analyzed in isolation. This shift has made detection, analysis, and incident response significantly more challenging for defenders.”

“In this specific infection chain, the decision to deliver AsyncRAT as encrypted, memory-resident shellcode significantly increases its stealth. The payload never appears on disk in a recognizable executable form and runs within the context of trusted Windows processes. This fileless execution model makes detection and forensic reconstruction substantially more difficult, allowing AsyncRAT to operate with a reduced risk of discovery by traditional endpoint security controls.”

Source: TheHackerNews
