What We Do
How We Do
Get Started

Investigating AsyncRAT Deployment via ProjFUD Injector and HTML Smuggling

BY eSentire Threat Response Unit (TRU)

October 5, 2023 | 8 MINS READ


Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

At the beginning of September 2023, our 24/7 SOC received an alert on the suspicious execution of the VBS file.

Upon completing a thorough investigation, the eSentire Threat Response Unit (TRU) identified the VBS file in question as malicious. This file contains code to retrieve AsyncRAT.

AsyncRAT is a Remote Access Tool (RAT) written to enable encrypted remote monitoring and control of remote systems and is commonly used for malicious purposes by threat actor(s) to gain access to systems.

The user received a phishing email containing an .htm file. This is a well-known technique previously employed by malware strains like Qakbot and AsyncRAT, known as HTML smuggling (T1027.006).

HTML smuggling is a technique used by attackers to hide and deliver malicious code to a victim's browser through seemingly benign HTML and JavaScript. The attack involves tricking a web application into loading and executing malicious JavaScript code.

The .htm file contains the JavaScript code shown below.

Figure 1: The content of .htm file

The variable “LBZQ” in the cleaned code contains a base64-encoded ZIP archive with a VBS file inside.

Figure 2: Cleaned up JavaScript code (.htm)

In summary, the script above performs the following actions:


We will investigate the content of the VBS file, as shown below.

Figure 3: Contents of the VBS file

The VBS file contains simple string replacements and splits used as obfuscation. Below is the deobfuscated script:

Figure 4: Deobfuscated VBS script

The script does the following:


The downloaded text file is a PowerShell script (a cleaned-up version can be seen in Figure 5) The PowerShell script performs the following actions:

Figure 5: Cleaned- up PowerShell script.


If the previous PowerShell script finds the presence of C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe binary on the infected host, it assumes that the host has McAfee AV installed and proceeds with executing the .M1.jpg or REExPLORE100.ps1 script.

The script contains two embedded binaries. The first binary contains an AsyncRAT payload:

Figure 6: AsyncRAT binary

Moreover, the configuration extractor confirms it’s indeed AsyncRAT:

Figure 7: Output from AsyncRAT configuration extractor (.M1.jpg)

The binary does not have anti-VM / persistence features enabled.

In the cleaned-up PowerShell code block shown in Figure 8 (.M1.jpg), we can see the following:

Figure 8: Cleaned up snippet of .M1.jpg

Let’s break down the “Execute’ method:

Figure 9: Reading information from the payload's PE header

Figure 10: Setting entry point and resuming the thread

It’s worth mentioning that DLL injector uses dynamic API loading via LoadApi method and string obfuscation for API functions responsible for process hollowing. The strings representing the library names and APIs are reversed in the ReturnParams method then are separated by the “[||]” string.

Figure 11: Dynamic API loading and string obfuscation


If the previous PowerShell script finds the presence of “C:\Program Files\Norton Security\isolate.ini” file on the infected host, it assumes that the host has Norton installed and proceeds with executing the .N1.jpg (REExPLORE100.ps1).

The .N1.jpg file contains two binaries in the form of a byte array instead of base64-encoded blobs as the previous one.

From the PowerShell script, we can learn the following:

ProjFUD (alosh_rat) injector was mentioned in various articles delivering RATs such as AgentTesla and AveMaria. The injector is similar to the previously mentioned DLL injector that uses process hollowing to inject the payload into aspnet_compiler.exe. The injector is obfuscated with Confuser.Core 1.5.0.

Figure 12: alosh_rat obfuscated code

Figure 13: alosh_rat deobfuscated code

We will proceed and extract the configuration from the second AsyncRAT payload:

Figure 14: AsyncRAT configuration from .N1.jpg payload

If none of the conditions matches – McAfee and Norton are not present on the infected host, the initial VBS script proceeds to retrieve and run .O1.jpg file, which is the same as the .M1.jpg file.

What did we do?

What can you learn from this TRU positive?

Recommendations from our Threat Response Unit (TRU) Team:

Indicators of Compromise









M1.jpg and O1.jpg


Payload hosting server








NewPE Injector


ProjFUD (alosh_rat)


AsyncRAT C2


AsyncRAT C2



eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire