Instead, the developers of this technique have the ISO built inside the web browser by JavaScript carried in the original attachment. Nothing is fetched from a remote server, so there is no download for a network scanner or proxy to interrogate, and most antimalware agents ignore the HTML file as well. The delivery is more involved than a simple download: the payload is carried as a Base64 encoded string, and a base64toblob function takes that string as input, decodes it, converts the result to a byte array, and wraps the byte array in a Blob with a MIME type of application/octet-stream.
In simpler terms, the JavaScript in the HTML attachment uses the Base64 encoded string to make the user think the ISO is being downloaded from a website, when it is actually reconstructed locally, in the browser, from that string on the target system. The ISO therefore never crosses the network as a distinct file, which is what defeats inspection at the perimeter.
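The following is an added example, not code from the original post or from the campaign it describes. It models the reconstruction step just explained (Base64 string to byte array to Blob) and pairs it with a heuristic scanner for HTML attachments that use the same pattern. The function names, the indicator list, the scoring threshold and both sample pages are assumptions constructed for illustration; the "payload" is the text "Hello, world!" standing in for a multi-megabyte ISO.

```javascript
// Added example (not the post's or the attackers' code). Models HTML smuggling's
// in-browser reconstruction and a simple text-based detector for it.

// Decode a Base64 string into raw bytes, the way the base64toblob step does.
function base64ToBytes(b64) {
  const bin = atob(b64);                        // Base64 text -> binary string
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// Wrap the bytes in a Blob. In a browser the page would then hand
// URL.createObjectURL(blob) to an <a download> element, so the "download" is
// served from a blob: URL that never touched the network.
function base64ToBlob(b64, mime = "application/octet-stream") {
  const BlobImpl = globalThis.Blob || require("buffer").Blob; // Node < 18 fallback
  return new BlobImpl([base64ToBytes(b64)], { type: mime });
}

// Indicators a scanner can look for in the text of an HTML attachment.
// None is malicious on its own; several together are worth a closer look.
// (Indicator set and threshold are assumptions for this example.)
const SMUGGLING_INDICATORS = {
  base64Decode: /\batob\s*\(|\bbase64toblob\b/i,
  blobBuild:    /new\s+Blob\s*\(/,
  octetStream:  /application\/octet-stream/i,
  objectUrl:    /URL\.createObjectURL\s*\(|msSaveOrOpenBlob/,
  forcedClick:  /\.download\s*=|\.click\s*\(\s*\)/,
};

// Returns which indicators fired and whether the page crosses the threshold.
// minLiteral: length of a single Base64 literal that counts as "payload-sized".
function scanHtmlForSmuggling(html, minLiteral = 1024, threshold = 3) {
  const hits = [];
  for (const [name, re] of Object.entries(SMUGGLING_INDICATORS)) {
    if (re.test(html)) hits.push(name);
  }
  const longLiteral = new RegExp(`["'][A-Za-z0-9+/]{${minLiteral},}={0,2}["']`);
  if (longLiteral.test(html)) hits.push("longLiteral");
  return { suspicious: hits.length >= threshold, hits };
}

// Constructed sample payload: "Hello, world!" (13 bytes) in Base64.
const SAMPLE_PAYLOAD_B64 = "SGVsbG8sIHdvcmxkIQ==";

// Constructed sample attachment using the pattern described in the post.
const SMUGGLING_PAGE = `<html><body><script>
var data = "${SAMPLE_PAYLOAD_B64}";
function base64toblob(s) {
  var bin = atob(s), arr = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
  return new Blob([arr], { type: "application/octet-stream" });
}
var a = document.createElement("a");
a.href = URL.createObjectURL(base64toblob(data));
a.download = "invoice.iso";
a.click();
</script></body></html>`;

// Constructed benign page for comparison.
const BENIGN_PAGE = `<html><body><h1>Invoice</h1>
<p>Your invoice is attached as a PDF.</p></body></html>`;

// Example run: reconstruct the payload and scan both pages.
const payload = base64ToBlob(SAMPLE_PAYLOAD_B64);   // size 13, octet-stream
const verdictBad = scanHtmlForSmuggling(SMUGGLING_PAGE); // suspicious: true
const verdictOk = scanHtmlForSmuggling(BENIGN_PAGE);     // suspicious: false
```

The scanner only sees the attachment's source text, so a page that assembles `atob` or `Blob` from split strings or String.fromCharCode will slip past it; that is why the post's point stands that the real control is how the file is handled (and why running such attachments in a sandbox that observes the rendered DOM catches more than static matching). The long-literal check is the most robust of the indicators, since the payload has to be present somewhere in the file.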
When the targeted user opens the ISO, Windows mounts it as a virtual DVD drive and the next stage of the attack runs. This stage is typically a .bat or .vbs file inside the mounted image. It contains more obfuscated code (PowerShell) that creates a scheduled task as a persistence mechanism, executes another dropped .vbs file, unpacks a Base64 encoded and compressed .NET module, and finally injects that .NET module into memory.
The .NET dropper, now running in memory, pulls down three more files, each of which adds another evasive layer to hide what is really going on. One function checks for antimalware solutions on the device and adds exclusions to Windows Defender. The injection routine also cleans up after itself to avoid leaving artifacts for detection. Once all the downloading is done, the result is a fresh copy of AsyncRAT on the device. The same loader chain could just as easily deliver something else, and probably will, given its currently low detection rates. Two of these steps do leave records worth hunting for: Defender logs event ID 5007 in its operational log whenever its configuration, exclusions included, is changed, and a newly created scheduled task produces event ID 4698 in the Security log when auditing of other object access events is enabled.
This technique is clearly designed to get around legacy antimalware, and it has a chance of getting past newer antimalware as well if that is not configured properly. This type of campaign shows how vital security culture training is: everyone must treat security as part of day-to-day operations. Receiving a file you are not expecting should not trigger a "let's open it" response. It should trigger confirmation of the email and the file through a different channel. If it cannot be confirmed, report it and delete it.
Stay safe out there.