
"The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk," Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. AsyncRAT is an open-source malware that provides attackers with extensive control over compromised endpoints, enabling surveillance and data collection through keylogging, screen and webcam capture, clipboard monitoring, file system access, remote command execution, and persistence across reboots."
"The starting point of the infection sequence is a phishing email delivering a Virtual Hard Disk (VHD) hosted on the decentralized InterPlanetary Filesystem (IPFS) network. The VHD files are disguised as PDF files for purchase orders to deceive targets. The multi-stage campaign has been found to leverage Windows Script Files (WSF), heavily obfuscated batch scripts, and self-parsing PowerShell loaders to deliver an encrypted x64 shellcode. The shellcode in question is AsyncRAT, which is injected directly into trusted Windows processes and executed entirely in memory, effectively minimizing any forensic artifacts on disk."
DEAD#VAX begins with a phishing email that delivers a VHD hosted on the IPFS network and disguised as a PDF purchase order. When opened, the VHD mounts as a virtual drive (E: in the reported case) containing a WSF script. From there the chain runs through heavily obfuscated batch scripts and self-parsing PowerShell loaders to deliver an encrypted x64 shellcode. The payload is AsyncRAT, which is decrypted only at runtime and injected into trusted Windows processes, executing entirely in memory. Because no decrypted binary is ever written to disk, file-based scanning and disk forensics have little to work with; the observable evidence is the process chain itself (script host, cmd.exe, PowerShell, then a trusted process receiving injected code) and the decrypted payload in memory. AsyncRAT supports keylogging, screen and webcam capture, clipboard monitoring, filesystem access, remote command execution, and persistence across reboots.
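Because the described chain leaves so little on disk, the practical hunting signal is the process lineage: a Windows script host launched from a non-system drive letter (a freshly mounted VHD), spawning cmd.exe, spawning PowerShell with hidden-window or encoded-command switches. The following is an added example, not code from Securonix or The Hacker News. It runs over constructed process-creation events in a Sysmon Event ID 1-like shape (ProcessGuid, ParentProcessGuid, Image, CommandLine); the field names, the "E:" drive, the file names and the PowerShell switches are assumptions used only to illustrate the logic.

```python
"""Hunt for a VHD -> WSF -> batch -> PowerShell execution chain in process telemetry.

Added example for the DEAD#VAX write-up above; the events below are constructed
to resemble Sysmon Event ID 1 fields and are not real campaign telemetry.
"""
import re

# Constructed sample events (not real campaign data).
SAMPLE_EVENTS = [
    {"ProcessGuid": "g0", "ParentProcessGuid": "", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    # VHD has been mounted as E:; the user double-clicks the "purchase order" script.
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "E:\purchase_order.wsf"'},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "E:\stage2.bat"'},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc QQBBAEEA"},  # placeholder base64
    # Benign control: a logon script on the system drive launching a visible PowerShell run.
    {"ProcessGuid": "g4", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\inventory.wsf"'},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g4",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\report.ps1"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Switches typical of hidden, encoded loader invocations (heuristic, not exhaustive).
SUSPICIOUS_PS = re.compile(
    r"(?i)(^|\s)-(e|ec|enc|encodedcommand|w\s+hidden|nop|noprofile|ep\s+bypass)\b")


def image_name(path):
    """Base name of an image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def script_drive(cmdline):
    """Drive letter ('E:') of the first .wsf/.vbs/.js argument, or None."""
    m = re.search(r'([A-Za-z]:)\\[^"\s]*\.(wsf|vbs|js)\b', cmdline, re.I)
    return m.group(1).upper() if m else None


def ancestry(events, guid, max_depth=6):
    """Walk ParentProcessGuid links; returns events child-first."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain = []
    while guid in by_guid and len(chain) < max_depth:
        chain.append(by_guid[guid])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def hunt(events, system_drive="C:"):
    """Return one alert per PowerShell process whose lineage matches the chain."""
    alerts = []
    for ev in events:
        if image_name(ev["Image"]) != "powershell.exe":
            continue
        if not SUSPICIOUS_PS.search(ev["CommandLine"]):
            continue
        chain = ancestry(events, ev["ProcessGuid"])
        names = [image_name(e["Image"]) for e in chain]
        hosts = [e for e in chain if image_name(e["Image"]) in SCRIPT_HOSTS]
        if "cmd.exe" not in names or not hosts:
            continue
        drive = script_drive(hosts[0]["CommandLine"])
        # A script host started from a drive other than the system drive is the
        # "mounted VHD" signal; adjust if removable media is common in your fleet.
        if drive is None or drive == system_drive:
            continue
        alerts.append({
            "powershell_guid": ev["ProcessGuid"],
            "script_drive": drive,
            "script": hosts[0]["CommandLine"],
            "chain": names[::-1],  # root first
        })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(" -> ".join(alert["chain"]), "| script on", alert["script_drive"])
```

The drive-letter heuristic is deliberately crude: it will not distinguish a mounted VHD from a USB stick, so in production pair it with the disk-surfaced events your platform records when a VHD is attached, and add the next link in the chain (PowerShell opening a handle to, or creating a thread in, an unrelated trusted process) where your telemetry exposes it.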
Read at The Hacker News