Security researchers have uncovered a sophisticated malware campaign, identified as DEAD#VAX, which uses a novel combination of legitimate system features and hosted files to deploy a powerful remote access trojan. The campaign employs Virtual Hard Disk files distributed via the InterPlanetary File System, a decentralized network, to bypass conventional security measures and install AsyncRAT on compromised systems.
Campaign Mechanics and Evasion Techniques
The attack chain begins with phishing emails containing links to malicious VHD files. These files are not hosted on traditional web servers but are instead fetched from the IPFS network, a peer-to-peer protocol for storing and sharing data. This method complicates tracking and blocking attempts by security tools.
Once a user mounts the VHD file, a heavily obfuscated Windows Script File executes. This script employs multiple layers of obfuscation and runtime decryption to hide its final payload. The final stage involves loading the AsyncRAT malware directly into the computer’s memory, a technique known as fileless execution, which leaves minimal forensic evidence on the disk.
Capabilities of the Deployed Malware
AsyncRAT is a well-known, open-source remote access tool that can be repurposed for malicious activities. Once installed, it grants attackers extensive control over an infected machine. This control includes the ability to log keystrokes, steal credentials and files, capture screenshots, and use the webcam and microphone for surveillance. The malware establishes a persistent backdoor, allowing for long-term access to the victim’s system and network.
Significance for Cybersecurity Defenses
The DEAD#VAX campaign represents a significant evolution in threat actor tactics. By leveraging IPFS, attackers exploit a legitimate and increasingly popular technology often associated with Web3 and blockchain projects, making malicious infrastructure harder to dismantle. The use of VHD files is also notable, as they are trusted container formats commonly used in IT administration for deploying virtual machines.
This approach allows the malware to evade signature-based detection systems that scan for known malicious file types. The extreme script obfuscation and in-memory execution further challenge endpoint detection and response platforms that rely on analyzing disk-based artifacts.
Industry Response and Recommendations
Threat intelligence firms that disclosed the campaign have shared technical indicators of compromise, such as file hashes and network signatures, to help organizations defend against it. Security experts recommend a multi-layered defense strategy. This strategy includes user education to identify phishing attempts, application whitelisting to prevent unauthorized scripts from running, and the use of advanced security solutions capable of detecting anomalous behavior and fileless attacks.
Organizations are advised to monitor for suspicious network connections to IPFS gateways and to scrutinize the use of VHD files arriving via email or downloaded from untrusted sources. Regular patching of operating systems and software is also critical to close vulnerabilities that could be exploited in later stages of an attack.
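The monitoring advice above (flag connections to IPFS gateways, scrutinize VHD files from untrusted sources) and the attack chain described earlier (a Windows Script File executing from a mounted VHD) can be turned into simple log-triage logic. The following Python script is an added example written for this page; it is not code from GeekWire, the researchers who disclosed DEAD#VAX, or any vendor product. The key=value log format, the sample records, the hostnames in them and the severity labels are all constructed; ipfs.io and dweb.link are real public IPFS gateways but the list is deliberately short and meant to be extended from your own proxy or DNS telemetry; the "script launched from a non-C: drive" rule is a heuristic that assumes C: is the system drive and that a mounted VHD receives another letter.

```python
"""Triage constructed proxy and process-creation log lines for the pattern
described in the article: VHD files fetched via IPFS gateways and Windows
Script Files (.wsf) launched from a freshly mounted volume.

All log lines, field names and hostnames in SAMPLE_LOGS are constructed for
this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Public IPFS HTTP gateways (ipfs.io and dweb.link are real public gateways).
# Deliberately short: extend from your own proxy/DNS data.
IPFS_GATEWAY_HOSTS = ("ipfs.io", "dweb.link")

# Path-style gateway URLs carry /ipfs/<CID> or /ipns/<name>; subdomain-style
# gateways put the CID in a label before ".ipfs.". Matching the CID shape
# (CIDv0 "Qm" + 44 base58 chars, CIDv1 base32 "baf..."/"bak...") also catches
# gateways that are not on the hostname list above.
CID_PATH_RE = re.compile(r"/ip[fn]s/(Qm[1-9A-HJ-NP-Za-km-z]{44}|ba[fk][a-z2-7]{50,})")
SUBDOMAIN_RE = re.compile(r"^[a-z2-7]{50,}\.ip[fn]s\.")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


@dataclass
class Finding:
    rule: str
    severity: str
    line: str


def parse_kv(line: str) -> dict:
    """Parse the constructed key=value log format (quoted values may contain spaces)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_ipfs_url(url: str) -> bool:
    """True if the URL points at a known gateway host or carries an IPFS CID."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host in IPFS_GATEWAY_HOSTS:
        return True
    if host.endswith(tuple("." + h for h in IPFS_GATEWAY_HOSTS)):
        return True
    if SUBDOMAIN_RE.match(host):
        return True
    return bool(CID_PATH_RE.search(parts.path))


def is_vhd(path: str) -> bool:
    """True for Virtual Hard Disk container extensions."""
    return path.lower().endswith((".vhd", ".vhdx"))


def script_from_mounted_volume(image: str, cmdline: str) -> bool:
    """Heuristic: wscript/cscript running a .wsf from a drive other than C:.

    Assumes C: is the system drive and a mounted VHD gets another letter.
    """
    exe = image.lower().rsplit("\\", 1)[-1]
    if exe not in SCRIPT_HOSTS:
        return False
    m = re.search(r'\b([A-Za-z]):\\[^"\s]*\.wsf\b', cmdline, re.I)
    return bool(m) and m.group(1).upper() != "C"


def triage(lines) -> list:
    """Apply the rules to each line and return the findings in input order."""
    findings = []
    for line in lines:
        f = parse_kv(line)
        url = f.get("url")
        if url:
            ipfs, vhd = is_ipfs_url(url), is_vhd(urlparse(url).path)
            if ipfs and vhd:
                findings.append(Finding("vhd_from_ipfs_gateway", "high", line))
            elif ipfs:
                findings.append(Finding("ipfs_gateway_fetch", "medium", line))
            elif vhd:
                findings.append(Finding("vhd_download", "low", line))
        if "image" in f and script_from_mounted_volume(f["image"], f.get("cmdline", "")):
            findings.append(Finding("wsf_from_mounted_volume", "high", line))
    return findings


# Constructed sample records: the CIDs are placeholder strings of the right
# shape, not real content identifiers.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:03Z user=alice url=https://ipfs.io/ipfs/Qm" + "a" * 44 + "/Invoice_4471.vhd status=200",
    "ts=2024-05-01T10:00:09Z user=bob url=https://example.com/docs/guide.pdf status=200",
    "ts=2024-05-01T10:00:15Z user=carol url=https://bafy" + "b" * 52 + ".ipfs.dweb.link/setup.exe status=200",
    "ts=2024-05-01T10:00:21Z user=dave url=https://files.example.com/images/base.vhdx status=200",
    'ts=2024-05-01T10:02:11Z host=WS01 image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe E:\\Invoice_4471.wsf"',
    'ts=2024-05-01T10:03:40Z host=WS02 image=C:\\Windows\\System32\\cscript.exe cmdline="cscript.exe C:\\Scripts\\inventory.wsf"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(f"[{finding.severity:6}] {finding.rule}: {finding.line}")
```

Run against the constructed records it reports the VHD fetched from ipfs.io as high severity, the subdomain-style gateway fetch as medium, the plain VHDX download as low, and the .wsf launched from E: as high, while the PDF download and the administrator's script on C: produce nothing. The combination rule matters more than either half alone: VHD downloads and IPFS traffic each have legitimate uses, so a correlated hit is what deserves an analyst's time.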
Future Outlook and Mitigation
The discovery of the DEAD#VAX campaign is expected to lead to increased scrutiny of IPFS and similar decentralized networks as potential vectors for cybercrime. Security vendors are likely to enhance their products to better analyze traffic to and from these protocols. Furthermore, information security teams will need to adapt their threat models to account for the abuse of trusted file formats like VHD. Ongoing analysis by cybersecurity researchers will focus on tracking the campaign’s operators and identifying any connections to known threat groups, while law enforcement may attempt to investigate the infrastructure used, despite the challenges posed by decentralized hosting.
Source: GeekWire