Researchers Reversed Asgard Malware Protector to Uncover Its Antivirus Bypass Techniques

Posted on October 7, 2025 by CWS

In recent months, security researchers have turned their attention to Asgard Protector, a sophisticated crypter used by cybercriminals to obfuscate and deploy malicious payloads.

First advertised on underground forums in late 2023, Asgard Protector has gained traction among threat actors for its seamless integration with popular C2 platforms such as LummaC2.

By wrapping infostealers and remote access trojans inside seemingly benign installers, Asgard Protector undermines traditional antivirus defenses and complicates incident response efforts.

The toolkit typically arrives as a Nullsoft self-extracting archive that, upon execution, unpacks several hidden components into the temporary directory.

SpyCloud analysts noted that this installer disguises its batch script with mismatched file extensions (for example, renaming a .bat file to Belgium.pst) and employs obfuscation techniques to hide its true purpose.
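For triage of files unpacked by such an installer, the extension-versus-content mismatch described above can be checked directly. The following is an added example, not code from SpyCloud or from this article; the function names and sample inputs are constructed, and the magic values are the standard signatures of the .pst and .cab formats.

```python
import os
import re

# Leading bytes a genuine file of each type starts with (file-format facts,
# not values from the article): Outlook .pst = "!BDN", cabinet .cab = "MSCF".
EXPECTED_MAGIC = {".pst": b"!BDN", ".cab": b"MSCF"}

# Commands that appear in the installer snippet quoted in the article.
BATCH_TOKENS = re.compile(rb"(?i)\b(findstr|certutil|fsutil|set\s+/a|for\s+/f)\b")


def looks_like_batch(data: bytes, min_hits: int = 2) -> bool:
    """True if the content is plain text using several distinct batch commands."""
    head = data[:65536]
    if not head or b"\x00" in head:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
    if printable / len(head) < 0.95:
        return False
    hits = {m.group(1).lower().split()[0] for m in BATCH_TOKENS.finditer(head)}
    return len(hits) >= min_hits


def triage(name: str, data: bytes) -> str:
    """Classify one dropped file as 'ok', 'magic-mismatch' or 'disguised-script'."""
    magic = EXPECTED_MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is None or data.startswith(magic):
        return "ok"
    # Heavy obfuscation can hide the keywords; the mismatch alone still flags it.
    return "disguised-script" if looks_like_batch(data) else "magic-mismatch"


# Constructed sample inputs (not real samples).
SAMPLES = {
    "Belgium.pst": b'findstr /b /r /c:"MZ" *.dat > offset.txt\r\n'
                   b'for /f "tokens=1" %%A in (offset.txt) do set /A begin=%%A\r\n',
    "archive.pst": b"!BDN" + bytes(60),
    "notes.pst": b"\x8f\x02\x00\x11" * 16,
    "readme.txt": b"plain text, extension not covered by the table",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:12} {triage(fname, blob)}")
```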

Once extracted, the installer assembles an AutoIt interpreter binary in memory, using pieces from embedded CAB archives to reconstruct the executable before launching the next stage.

SpyCloud analysts identified additional layers of evasion within the embedded AutoIt scripts. Encrypted payloads are stored inside the script and only decrypted in memory using an RC4 routine.

The script then decompresses the binary using the LZNT1 algorithm before performing a process injection into explorer.exe, effectively hiding the malicious process under a trusted system host.

Asgard Protector advertisement, which appeared on XSS (Source – SpyCloud)

A unique sandbox-detection mechanism further complicates analysis: the script issues a ping to a randomly generated domain and exits if any response is received, indicating a monitored or emulated network environment.

After this unpacking and validation, the malicious payload gains persistence by modifying autorun registry keys or deploying scheduled tasks, depending on the operator's configuration.

The combination of in-memory decryption, compression, and sandbox checks allows Asgard Protector to slip past endpoint defenses and execute without dropping a traditional executable on disk.

Infection Mechanism

Delving deeper into the infection mechanism reveals how Asgard Protector engineers its defense evasion.

The Nullsoft installer script leverages a simple yet effective obfuscation:

findstr /b /r /c:"MZ" *.dat > offset.txt
for /f "tokens=1" %%A in (offset.txt) do set /A begin=%%A
certutil -decode enter.cab temp.exe
fsutil file createnew stub.bin %begin%
more +%begin% enter.cab >> stub.bin

The obfuscated .bat file used by Asgard Protector for installation (Source – SpyCloud)

In this snippet, the script locates the "MZ" header inside a CAB archive to determine where the PE header begins.

It then concatenates the extracted data past that offset to reconstruct the AutoIt binary. Once assembled, the script executes a companion AutoIt script that handles RC4 decryption and LZNT1 decompression before injecting the resulting payload into memory.

This piecemeal assembly and execution model allows the malware to evade signature-based antivirus engines and thwart disk-based inspection tools.
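Because no single command in the snippet is suspicious on its own, a detection is better built on several of them occurring together under one parent shell. The following is an added example, not code from SpyCloud or from this article; the event field names (ts, ppid, cmdline), the 60-second window and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One pattern per command in the quoted snippet. cmd.exe handles ">" / ">>"
# redirection and "set /A" itself, so they never appear in a child's command line.
STAGES = {
    "findstr_mz": re.compile(r'(?i)\bfindstr(\.exe)?\b.*/c:"?MZ"?(\s|$)'),
    "certutil_decode": re.compile(r"(?i)\bcertutil(\.exe)?\b.*[-/]decode\b"),
    "fsutil_createnew": re.compile(r"(?i)\bfsutil(\.exe)?\s+file\s+createnew\b"),
    "more_skip": re.compile(r"(?i)\bmore(\.com)?\s+\+\d+\b"),
}


def correlate(events, window=60, min_stages=3):
    """Return {parent_pid: [stages]} where one parent spawned at least
    min_stages distinct stages within `window` seconds."""
    by_parent = defaultdict(list)
    for ev in events:
        for stage, rx in STAGES.items():
            if rx.search(ev["cmdline"]):
                by_parent[ev["ppid"]].append((ev["ts"], stage))
    alerts = {}
    for ppid, hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[ppid] = sorted(stages)
                break
    return alerts


# Constructed process-creation events (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"ts": 100, "ppid": 4120, "cmdline": 'findstr /b /r /c:"MZ" *.dat'},
    {"ts": 101, "ppid": 4120, "cmdline": "certutil -decode enter.cab temp.exe"},
    {"ts": 102, "ppid": 4120, "cmdline": "fsutil file createnew stub.bin 1337"},
    {"ts": 103, "ppid": 4120, "cmdline": "more +1337 enter.cab"},
    # Routine admin activity that must not alert on its own:
    {"ts": 200, "ppid": 900, "cmdline": "certutil -decode cert.b64 cert.cer"},
    {"ts": 205, "ppid": 900, "cmdline": 'findstr /c:"error" app.log'},
]

if __name__ == "__main__":
    for ppid, stages in correlate(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid}: {', '.join(stages)}")
```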
