AsyncRAT Distributed via WSF Script
By ATCP
Published: 2023-11-30 · Archived: 2026-04-05 23:05:47 UTC
The AhnLab Security Emergency response Center (ASEC) analysis team previously posted about AsyncRAT
being distributed via files with the .chm extension. [1] It was recently discovered that this type of AsyncRAT
malware is now being distributed in WSF script format. The WSF file was found to be distributed in a compressed
file (.zip) format through URLs contained within emails.
[Download URLs]
1. https://*****************.com.br/Pay5baea1WP7.zip
2. https://************.za.com/Order_ed333c91f0fd.zip
3. https://*************.com/PAY37846wp.zip
4. https://*****.****.co/eBills37890913.zip
Decompressing the first downloaded zip file yields a file with a .wsf file extension. This file mostly consists of
comments as shown in the image below and only contains one <script> tag in the middle.
https://asec.ahnlab.com/en/59573/
Page 1 of 8

When this script is executed, a Visual Basic script is downloaded and run as shown below. This script downloads a
.jpg file (a zip file disguised as a jpg file) from the same C2 address.
Afterwards, it changes the file extension of this jpg file to .zip before decompressing it. The command string that
executes the file Error.vbs also contained in the compressed file is created into an xml file
(C:\Users\Public\temp.xml) and run with PowerShell.
The downloaded zip file contains many other scripts aside from the Error.vbs file.
https://asec.ahnlab.com/en/59573/
Page 2 of 8

Afterwards, the remaining files (bat, ps1) are all executed in order. The role and execution flow of each file are
given below.
Error.vbs: Checking for administrator permission and executing Error.bat
Error.bat: Bypassing UAC and executing Error.ps1
Error.ps1: Creating the shortcut file C:\Users\Public\Chrome.lnk, registering it to autorun (registry), then
executing it
pwng.bat: Bypassing UAC and executing pwng.ps1
pwng.ps1: Fileless attack
The file pwng.ps1 which is executed last converts the contained strings into a .NET binary before loading and
executing the binary. It runs by executing a legitimate process (aspnet_compiler.exe) and injecting a malicious
binary into this process. During these steps, three obfuscated variables are used.
https://asec.ahnlab.com/en/59573/
Page 3 of 8

[Meaning of Key Variables]
$jsewy: Malware that performs the features of AsyncRAT (the file to be injected into aspnet_compiler.exe)
$jsewty: Malware that performs the injection feature
$KRDESEY: The process the malware is injected into
(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe)
The malware executed in the end is identified as AsyncRAT which has information exfiltration and backdoor
features. The key behaviors are as follows.
1. Maintaining Persistence
– Using schtasks to add a scheduled task
– Adding a registry
– Creating a bat file that executes and terminates itself
https://asec.ahnlab.com/en/59573/
Page 4 of 8

2. Exfiltrating Information
– Computer information: OS version, users, anti-malware product list, etc.
– UserData information in browsers: Chrome, Brave-Browser, Edge
– Cryptocurrency wallet information: RabbyWallet, Atomic, Exodus, Ledger_Live, Electrum, Coinomi, Binance,
Bitcoin
https://asec.ahnlab.com/en/59573/
Page 5 of 8

Additionally, the C2 server where this information is sent is contained within the file as an encrypted string and is
displayed as follows upon execution. The threat actor combines this C2 domain and multiple port numbers to
make multiple connection attempts.
https://asec.ahnlab.com/en/59573/
Page 6 of 8

As such, the threat actor distributes the same malware in various ways, using elaborate fileless methods without
EXE files. Users must always be cautious when opening files or external links contained within emails and use
monitoring features in security products to identify and restrict access from threat actors.
[File Detection]
Downloader/Script.Agent (2023.11.29.02)
Trojan/VBS.RUNNER.SC194987 (2023.11.30.04)
Trojan/BAT.RUNNER.SC194988 (2023.11.30.04)
Trojan/BAT.RUNNER.SC194985 (2023.11.30.04)
Trojan/PowerShell.Runner.SC194986 (2023.11.30.04)
Trojan/PowerShell.Generic.SC194981 (2023.11.30.04)
Trojan/PowerShell.Generic.SC194982 (2023.11.30.04)
Trojan/Win.Injector (2023.11.30.04)
Backdoor/Win.AsyncRAT (2022.07.12.00)
Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click
the banner below.
https://asec.ahnlab.com/en/59573/
Page 7 of 8

Source: https://asec.ahnlab.com/en/59573/
https://asec.ahnlab.com/en/59573/
Page 8 of 8