Hackers have been targeting major US infrastructure management companies with remote access trojans for almost a year now, new research has claimed.
Cybersecurity researchers from AT&T’s Alien Labs discovered a "spike in phishing emails, targeting specific individuals in certain companies".
After a closer inspection, the researchers determined that the attackers were looking to deploy AsyncRat, an open-source remote access tool for Windows that has been in circulation since 2019.
“The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the U.S,” the researchers said.
When installed on the target endpoint, AsyncRAT allows the attackers a wide variety of features, including remote command execution, keylogging, data exfiltration, and malware deployment.
Furthermore, the attackers used a domain generation algorithm (DGA) to generate a new C2 domain every Sunday. The domains follow a specific structure, the researchers explained. They are in the “top” TLD, use eight random characters, and are registered in Nicenic.net. They use South Africa for the country code, and are all hosted on DigitalOcean.
The researchers could not determine the identity of the attackers though, as they “value discretion,” it was said. Apparently, the hackers made quite the effort to obfuscate the malware samples.
While infrastructure firms are always a valuable target regardless of the attackers’ motives, the researchers believe these threat actors wanted to use them to broaden the impact of their campaign.
More from TechRadar Pro
- Another top US mortgage firm reveals a major data breach, over a million customers affected
- Here's a list of the best firewalls today
- These are the best endpoint protection services right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.