For the past 11 months a threat group has been targeting employees in various companies with phishing emails that distribute an open-source trojan program called AsyncRAT. The targets included companies managing key infrastructure in the US.
According to AT&T’s Alien Labs cybersecurity division, the attackers’ command-and-control (C&C) infrastructure uses a domain generation algorithm (DGA) to rotate through a large number of domains, which makes blocking the traffic by domain much harder. They also continually generate new samples of the malicious tool to evade signature-based detection. The researchers have identified more than 300 samples and 100 domains associated with this campaign.
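Because the C&C domains rotate, blocking individual names is a losing race; defenders instead look for the behavioural signature of a DGA client: many lookups of long, high-entropy, consonant- or digit-heavy names, often answered NXDOMAIN as the malware walks through unregistered candidates. The following Python is an added illustration of that detection logic, not code from the article or from AT&T Alien Labs, and it does not reproduce the campaign's actual algorithm. The DNS log lines, the host names and the score thresholds are constructed assumptions for the example.

```python
"""DGA-likeness scoring over DNS query logs (added illustration, not the campaign's DGA)."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log: timestamp, client host, query name, response code.
# These names are made up for the example and are not indicators from the AT&T report.
SAMPLE_DNS_LOG = """\
2024-01-10T09:00:01Z host-a example.com NOERROR
2024-01-10T09:00:02Z host-a mail.google.com NOERROR
2024-01-10T09:00:03Z host-a cdn.cloudfront.net NOERROR
2024-01-10T09:00:04Z host-b x7q2pk9vbn3mzr.top NXDOMAIN
2024-01-10T09:00:05Z host-b kq8zwtrb4lp.xyz NXDOMAIN
2024-01-10T09:00:06Z host-b vmzpqtkrwxdn.top NOERROR
2024-01-10T09:00:07Z host-b stackoverflow.com NOERROR
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def parse_dns_log(text):
    """Return a list of (timestamp, host, qname, rcode) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts, host, qname, rcode = m.groups()
            records.append((ts, host, qname.lower().rstrip("."), rcode))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of the name ("google" for mail.google.com).
    Simplifying assumption: a one-label public suffix. A real deployment
    would consult the Public Suffix List to handle suffixes such as .co.uk."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label):
    """Heuristic: long, high-entropy, consonant/digit-heavy labels look machine generated.
    Thresholds are illustrative assumptions, not values tuned against the campaign."""
    n = len(label)
    if n < 10:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return shannon_entropy(label) >= 3.3 and (vowel_ratio < 0.25 or digit_ratio >= 0.2)


def suspicious_hosts(records, min_domains=3):
    """Map host -> {"domains": [...], "nxdomain": n} for hosts that contacted at least
    `min_domains` distinct DGA-looking registrable domains. NXDOMAIN answers are counted
    too, since a client cycling through unregistered candidates is a classic DGA tell."""
    per_host = defaultdict(set)
    nx = defaultdict(int)
    for _ts, host, qname, rcode in records:
        if rcode == "NXDOMAIN":
            nx[host] += 1
        if looks_generated(registrable_label(qname)):
            per_host[host].add(".".join(qname.split(".")[-2:]))
    return {h: {"domains": sorted(d), "nxdomain": nx[h]}
            for h, d in per_host.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for host, info in suspicious_hosts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(host, info)
```

On the constructed log, only host-b is flagged: three distinct random-looking domains plus two NXDOMAIN answers, while host-a's long but pronounceable names (cloudfront, stackoverflow) stay below the thresholds. In production the per-host counting matters more than any single-domain score, because CDN and cloud hostnames routinely look random and would otherwise generate false positives; pairing the score with NXDOMAIN rate and with the ratio of newly seen domains per client is the usual way to keep the alert useful as the adversary rotates infrastructure.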