Executive Summary
The Fortra Intelligence & Research Experts (FIRE) team is currently monitoring a new trend involving the use of fake Social Security Administration (SSA) emails to deliver AsyncRAT malware — marking a shift from previously observed campaigns that relied on remote support tools like ScreenConnect. While not yet widespread, this tactic shows threat actors experimenting with more capable payloads and complex, multi-stage infection chains. The attack uses obfuscation, scripting, and staged delivery to evade detection and maintain persistence. As these methods evolve, defenders must stay alert to how even basic phishing lures can enable credential theft, surveillance, and long-term compromise via tools like AsyncRAT.
Introduction
Fake Social Security Administration (SSA) emails and websites have typically been used to deliver riskware such as ConnectWise ScreenConnect, a legitimate remote support tool that has seen widespread abuse in recent months. We have observed the same social engineering tactics being used to deliver AsyncRAT malware. As attackers continue to employ more sophisticated methods to evade detection, it is essential to analyze how AsyncRAT is being delivered and staged in these incidents.
The attack described in this report begins with a phishing email directing the victim to a website that prompts the download of a malicious ZIP file containing a script. Once executed, the script initiates a complex chain of events that ultimately results in AsyncRAT being deployed on the target machine.
AsyncRAT
AsyncRAT is an open source, modular, remote access tool commonly abused by cybercriminals to infect devices. Known for its adaptability and numerous variants, AsyncRAT has increasingly been identified in phishing campaigns. Analysis of the following campaign revealed common features associated with the malware, including keylogging, credential-stealing, and its ability to search for browser data. It is also capable of searching for and exfiltrating common cryptocurrency wallets, along with user data.
Phishing Email and Fake SSA Website
The attack begins with an email impersonating the Social Security Administration, urging the user to click a link to view their statement.
Immediately after starting the download and instructing the user to open the ZIP file, the malicious website redirects the user to the legitimate www.ssa.gov site, giving the download an appearance of legitimacy.
First Stage
Inside the malicious ZIP file, we find a Windows Script File (.wsf). This file type can carry several scripting languages, such as VBScript and JScript. Although the file consisted of heavily obfuscated text, we successfully unraveled its content to reveal the location of the next stage in the infection chain.
Second Stage Payload
The second stage consisted of a separate script hosted on the following URL:
The URL alone gives the impression that it serves a simple image, since it ends in a .jpg extension; however, if we use a utility like cURL (Client URL) to request the raw data from this address, we can see that the response is plain text in a very clear form of a scripting language:
Decoding the second stage of this attack reveals yet another stage in waiting. The script we’ve downloaded has two very interesting key aspects:
It will download a third stage, a ZIP archive, and then decompress it.
It will run another script contained in the third stage archive.
To make our analysis easier, we modified the malicious script so that it ran only the part that downloads the ZIP file we are interested in, without performing any decompression or execution steps:
Finally, going through the mostly decoded second stage in the following image, we can see the extracted file to be executed is a VBScript named MessagingDataModel2.vbs.
Third Stage
The contents of the third-stage archive are shown here. Although the files display various extensions, they all contain plain text used to construct additional scripts and ultimately load a binary from encoded strings. Executing the MessagingDataModel2.vbs file triggers a chain of events involving all the files in this directory.
We found the number of layers and the amount of obfuscation used in this attack interesting. While these do serve to thwart analysis and evade detection, the layers mostly call upon one another to ultimately load the final stage. We outline the execution chain:
Execution Chain
MessagingDataModel2.vbs
└── KBDADLM.bat
    └── IndexedDbLegacy.ps1 (creates a scheduled task to execute NcdAutoSetup.vbs)
        └── NcdAutoSetup.vbs
            └── cmnicfg.vbs
                └── speech-synthesis.vbs
                    └── wiatwain.vbs
                        └── NvContainerRecovery.bat
                            └── KvsiManagementApi.ps1
                                └── aspnet_regsql.exe (final payload)
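To show how a chain like this surfaces in endpoint telemetry, here is an added Python example (not part of the original report) that reconstructs process lineage from constructed Sysmon-style process-creation records and flags an unusually deep run of script hosts, as well as aspnet_regsql.exe being spawned from such a run. The PIDs, image paths and command lines are constructed assumptions modelled on the last hops of the chain above, not values from the sample.

```python
from collections import namedtuple

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (ProcessId, ParentProcessId, Image, CommandLine); not a real capture.
Proc = namedtuple("Proc", "pid ppid image cmdline")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Legitimate .NET utility that this report documents as the host of the final payload.
UNUSUAL_HOSTS = {"aspnet_regsql.exe"}

def lineage(procs, pid):
    """Walk parent links from pid up to the root; returns image basenames, child first."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        proc = by_pid[pid]
        chain.append(proc.image.rsplit("\\", 1)[-1].lower())
        pid = proc.ppid
    return chain

def flag_script_chains(procs, min_depth=3):
    """Map pid -> finding for a deep run of script hosts, or an unusual host spawned by one."""
    findings = {}
    for proc in procs:
        chain = lineage(procs, proc.pid)
        leaf, ancestors = chain[0], chain[1:]
        run = 0  # consecutive script hosts, counting the leaf itself if it is one
        for name in ([leaf] if leaf in SCRIPT_HOSTS else []) + ancestors:
            if name not in SCRIPT_HOSTS:
                break
            run += 1
        desc = " <- ".join(chain)
        if leaf in UNUSUAL_HOSTS and run >= 2:
            findings[proc.pid] = f"{leaf} spawned by {run} nested script hosts: {desc}"
        elif leaf in SCRIPT_HOSTS and run >= min_depth:
            findings[proc.pid] = f"{run} nested script hosts: {desc}"
    return findings

# Constructed sample: the wiatwain.vbs -> NvContainerRecovery.bat -> KvsiManagementApi.ps1
# -> aspnet_regsql.exe hops of the chain, plus a benign admin shell for contrast.
SAMPLE_PROCS = [
    Proc(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(1100, 1000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\victim\AppData\Roaming\wiatwain.vbs"'),
    Proc(1200, 1100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\victim\AppData\Roaming\NvContainerRecovery.bat"'),
    Proc(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File KvsiManagementApi.ps1"),
    Proc(1400, 1300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe", "aspnet_regsql.exe"),
    Proc(2000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # benign interactive shell
    Proc(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File backup.ps1"),
]
```

Against real telemetry, replace SAMPLE_PROCS with records built from Sysmon Event ID 1 or Security 4688 events; the two-level rule for aspnet_regsql.exe keeps a single admin invocation from the command line out of the findings.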
Persistence Mechanism
Threat actors go out of their way to ensure their scripts will run on the infected system. A common method to achieve this is by creating a scheduled task. We showcase how this is partially achieved by analyzing IndexedDbLegacy.ps1.
The result can be observed by simply accessing the Windows utility Task Scheduler.
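As an added example (not part of the report), the following Python triages exported task definitions for the pattern documented here: a script host launching a .vbs from a user-writable location. The task XML, the path under AppData and the logon trigger are constructed assumptions, not values recovered from IndexedDbLegacy.ps1.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Windows Task Scheduler task definitions: the XML returned by
# "schtasks /query /xml" or Export-ScheduledTask, and stored under %SystemRoot%\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b", re.IGNORECASE)
# Directories a standard user can write to; a task pointing here is a persistence red flag.
USER_WRITABLE = re.compile(r"\\(appdata|users\\public|programdata|temp)\\", re.IGNORECASE)

def exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml)
    return [(e.findtext("t:Command", "", NS).strip(), e.findtext("t:Arguments", "", NS).strip())
            for e in root.findall(".//t:Actions/t:Exec", NS)]

def suspicious_task_actions(task_xml):
    """Reasons a task looks like script-based persistence; empty list when nothing matched."""
    reasons = []
    for cmd, args in exec_actions(task_xml):
        host = cmd.strip('"').rsplit("\\", 1)[-1].lower()
        line = f"{cmd} {args}"
        if host in SCRIPT_HOSTS and SCRIPT_FILE.search(line):
            reasons.append(f"{host} launches a script: {args}")
        if USER_WRITABLE.search(line):
            reasons.append(f"action runs from a user-writable path: {line}")
    return reasons

# Constructed task definition modelled on the persistence described above; the
# trigger, user path and quoting are assumptions, not values from the sample.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\victim\AppData\Roaming\NcdAutoSetup.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a vendor updater under Program Files, no script host involved.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command>
  <Arguments>/silent</Arguments></Exec></Actions>
</Task>"""
```

Feed it the output of `schtasks /query /tn <name> /xml` (or each file under System32\Tasks) to sweep a host for tasks that match this report's persistence pattern.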
Final Payload: AsyncRAT
KvsiManagementApi.ps1 loads and executes the final payload, leveraging the legitimate aspnet_regsql.exe process. Any encryption or obfuscation is removed at runtime, allowing for straightforward analysis. Inspection of the process confirmed the presence of AsyncRAT signatures.
Monitoring the network activity generated by this sample, we extracted the command-and-control (C2) server address communicating with the infected machine, providing further confirmation that the malware belongs to the AsyncRAT family.
Finally, analysis of the AsyncRAT process extracted and reconstructed from system memory confirms its known capabilities. This malware includes full keylogging and credential-stealing capabilities. It searches for browser data, cryptocurrency wallets, and any other valuable information it can harvest from the infected system.
Final Thoughts
While fake SSA emails typically deliver riskware such as ScreenConnect, recent activity suggests some threat actors have experimented with malware payloads like AsyncRAT. Although we have not observed a full shift toward using these remote access trojans, organizations should remain aware of these evolving tactics and their potential implications.
The observed attack chain shows the use of obfuscation, scripting, and staged payloads to evade detection and maintain persistence. While these tactics are meant to hide activity, they also create more opportunities for detection if security teams understand how the attackers operate.
Even basic phishing emails can lead to complex infections. AsyncRAT is more than just a surveillance tool: it enables credential theft, system control, and potential lateral movement. Its use in phishing campaigns underscores its utility in both initial access and long-term compromise, posing a significant risk for organizations.
Defender Takeaways
Organizations should:
Educate their employees on phishing attacks that mimic trusted institutions.
Monitor for suspicious scheduled task creation and script execution.
Regularly inspect outbound connections to uncommon domains, particularly those using misleading names.
Leverage memory analysis and endpoint telemetry to detect post-execution behavior.