AsyncRAT Malware Campaign Leveraging Fraudulent Gambling Infrastructure Targeting Bangladesh

Published on 17-May-2026 16:00:00

Executive Summary

BGD e-GOV CIRT has identified a malicious cyber campaign involving AsyncRAT (Asynchronous Remote Access Trojan) infrastructure actively targeting Bangladesh. Threat intelligence and forensic analysis indicate that the domain ck44jili[.]com is functioning as a primary Command-and-Control (C2) node associated with an AsyncRAT malware operation.

The campaign combines malware delivery, remote access capabilities, and deceptive financial fraud tactics, where threat actors disguise malicious payloads as legitimate software while simultaneously operating fraudulent online gambling infrastructure targeting Bangladeshi users.

Of particular concern, the malicious infrastructure appears designed to socially engineer Bangladesh-based victims through localized payment mechanisms including bKash, Nagad, and Rocket, increasing the likelihood of successful financial fraud and malware infection.

Analysis confirms that the malware payload masquerades as a WinRAR utility executable (winrar-x64.exe), while internally functioning as AsyncRAT v0.5.8, enabling full remote control over infected systems.

Bangladesh Threat Context

The campaign presents elevated risk to Bangladesh due to localized targeting characteristics.

Observed indicators suggest:

·      Bangladesh-focused fraudulent web infrastructure

·      abuse of local financial transaction ecosystems

·      social engineering targeting local users

·      potential harvesting of credentials and financial information

Threat actors appear to leverage Bangladesh-specific payment channels, increasing victim trust and improving fraud success rates. Potentially affected sectors:

·      citizens / consumers

·      banking & fintech

·      telecom

·      e-commerce

·      government users

·      enterprise employees

·      education sector


Persistence Mechanism: The malware establishes persistence using Windows Scheduled Tasks.

Observed command pattern (cmd):

schtasks /create /f /sc onlogon /rl highest /tn "winrar-x64"

This allows malware execution at every user logon.

Persistence indicator: Task Name: winrar-x64

Defense Evasion Techniques:

The malware employs anti-analysis techniques including:

WMI-Based Fingerprinting: Observed behaviors indicate:

·      environment discovery

·      virtualization detection

·      sandbox evasion

·      host profiling

IP Addresses (CDN/cloud-backed infrastructure; addresses may change dynamically):

·      172.67.211.32

·      23.195.81.33

·      23.195.81.41

·      23.195.81.9

·      52.111.243.31

·      2600:4700:3031::ac43:d320

Detection Recommendations

Hunt for Domains: Monitor DNS and proxy logs for: ck44jili[.]com, mail.emb666[.]com

Hunt for Network Activity: Monitor outbound connections to: TCP 6606, TCP 7707, TCP 8808

Hunt for Scheduled Tasks: Check: schtasks /query; Look for: winrar-x64

Hunt for File Execution: Search endpoints for: winrar-x64.exe
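The scheduled-task persistence described earlier and the four hunts in this section (domains, network activity, scheduled tasks, file execution) can be run together over exported logs. The following Python script is an added example and is not part of the BGD e-GOV CIRT advisory: the DNS log lines, outbound connection records and `schtasks /query /fo CSV /v` rows are constructed samples, and the executable path in the sample task row is an assumption (the advisory gives only the task name and file name).

```python
"""Hunt for the AsyncRAT indicators in this advisory over constructed sample data.

Added example, not part of the BGD e-GOV CIRT advisory. Sample inputs are
constructed; adapt the three parsers to your own DNS, flow and endpoint exports.
"""
import csv
import io
import ipaddress

# Indicators from the advisory (defanged "[.]" re-armed for matching).
IOC_DOMAINS = {"ck44jili.com", "mail.emb666.com"}
IOC_PORTS = {6606, 7707, 8808}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "172.67.211.32", "23.195.81.33", "23.195.81.41",
    "23.195.81.9", "52.111.243.31", "2600:4700:3031::ac43:d320",
)}
IOC_TASK_NAMES = {"winrar-x64"}
IOC_FILE_NAMES = {"winrar-x64.exe"}


def domain_matches(name: str) -> bool:
    """True if name equals an IoC domain or is a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def hunt_dns_log(lines):
    """Scan resolver log lines of the constructed form '<ts> <client> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query" and domain_matches(parts[3]):
            hits.append((parts[1], parts[3]))
    return hits


def hunt_connections(records):
    """Flag outbound flows (src_host, dst_ip, dst_port) to IoC IPs or IoC ports."""
    hits = []
    for src, dst_ip, dst_port in records:
        reasons = []
        if ipaddress.ip_address(dst_ip) in IOC_IPS:
            reasons.append("ioc-ip")
        if int(dst_port) in IOC_PORTS:
            reasons.append("ioc-port")
        if reasons:
            hits.append((src, dst_ip, int(dst_port), reasons))
    return hits


def hunt_scheduled_tasks(schtasks_csv: str):
    """Parse `schtasks /query /fo CSV /v` output; flag tasks by IoC name or IoC binary."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        task_name = row.get("TaskName", "").rsplit("\\", 1)[-1].lower()
        command = row.get("Task To Run", "").lower()
        if task_name in IOC_TASK_NAMES or any(f in command for f in IOC_FILE_NAMES):
            hits.append((row["TaskName"], row["Task To Run"]))
    return hits


# --- constructed sample data (not real telemetry) ---
SAMPLE_DNS_LOG = """\
2026-05-17T10:01:02Z 10.10.5.21 query www.example.com
2026-05-17T10:01:05Z 10.10.5.21 query ck44jili.com
2026-05-17T10:01:09Z 10.10.5.44 query mail.emb666.com
2026-05-17T10:01:11Z 10.10.5.44 query www.example.org
""".splitlines()

SAMPLE_CONNECTIONS = [
    ("WS-021", "172.67.211.32", 443),                 # IoC IP, ordinary port
    ("WS-021", "203.0.113.8", 6606),                  # TEST-NET address, IoC port
    ("WS-044", "2600:4700:3031::ac43:d320", 7707),    # IoC IP and IoC port
    ("WS-044", "198.51.100.5", 443),                  # benign
]

# Column subset of real schtasks CSV output; the winrar-x64 path is an assumption.
SAMPLE_SCHTASKS_CSV = "\n".join([
    r'"HostName","TaskName","Status","Logon Mode","Author","Task To Run","Schedule Type"',
    r'"WS-021","\winrar-x64","Ready","Interactive only","WS-021\user","C:\Users\user\AppData\Roaming\winrar-x64.exe","At logon time"',
    r'"WS-021","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Interactive/Background","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Multiple schedules"',
])


def run_hunt():
    """Run all three hunts over the constructed samples and return the findings."""
    return {
        "dns": hunt_dns_log(SAMPLE_DNS_LOG),
        "connections": hunt_connections(SAMPLE_CONNECTIONS),
        "tasks": hunt_scheduled_tasks(SAMPLE_SCHTASKS_CSV),
    }


if __name__ == "__main__":
    for kind, findings in run_hunt().items():
        print(f"[{kind}] {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

Matching on the port alone will produce false positives on networks that legitimately use 6606, 7707 or 8808, so treat an "ioc-port" hit without an "ioc-ip" hit as a lead to triage rather than a confirmed infection; the `schtasks` parser strips the leading folder path so the comparison works whether the task was created at the root or inside a folder.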

Recommended Mitigation Action

Immediate Response

·      block malicious domains

·      block suspicious ports

·      isolate infected systems

·      preserve forensic evidence

Endpoint Security

·      scan endpoints for AsyncRAT indicators

·      remove malicious scheduled tasks

·      reset compromised credentials

·      inspect startup persistence

Network Controls

·      restrict outbound unknown ports

·      enable DNS filtering

·      inspect proxy logs

·      block malicious infrastructure

User Awareness

Warn users against:

·      suspicious executable downloads

·      gambling-themed fraud sites

·      fake software installers
