Malware, Threat Intelligence

Widespread Desert Dexter attack campaign spreads custom AsyncRAT variant


Newly emergent threat actor Desert Dexter has been targeting the Middle East and North Africa since September with attacks that exploit Facebook and Telegram to spread a custom variant of the AsyncRAT trojan, according to The Hacker News.

Nearly 900 victims — most of whom are oil production, information technology, construction and agriculture employees in Libya, Saudi Arabia, Turkey, Egypt, Qatar, Tunisia, and the United Arab Emirates — have already been compromised by the campaign, which commenced with the creation of temporary Facebook accounts used to post ads with malicious links, a report from Positive Technologies showed.

Clicking on the ads triggers the download of a RAR archive containing scripts that handle the removal of different .NET processes, persistence, and system data exfiltration before delivering the AsyncRAT malware variant, which features an offline keylogger, extensive searching for cryptocurrency wallets and extensions, and Telegram bot communication capabilities.

"The tools used by Desert Dexter are not particularly sophisticated. However, the combination of Facebook ads with legitimate services and references to the geopolitical situation has led to the infection of numerous devices," said Positive Technologies researchers.
