AsyncRAT

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Type
Remote Access Trojan
Origin
Likely Kuwait
First seen
8 January, 2019
Last seen
6 December, 2022
Global rank
9
Week rank
10
Month rank
12
IOCs
15066

What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware was arriving in spam email campaigns with mentions of the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware was gaining popularity and, in late 2020, surfaced in numerous threads in Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first strain of AsyncRAT being loaded using VBScripts. And in 2022, a heavily modified version of the malware appeared, spread in a spear phishing campaign using an attachment that downloaded ISO files. This strain could bypass most security measures.

Because of the open-source nature of this malware, attackers have developed numerous alterations of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.

How to analyze AsyncRAT malware

Researchers can analyze an AsyncRAT sample, track the whole execution process, and collect IOCs in real time using the ANY.RUN sandbox.

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Just like any other malware, the execution process of AsyncRAT may vary and change over time and between versions. As mentioned before, its open-source origin made it easy to change its functionality. The execution process is plain and straightforward, like that of a lot of other malware. This RAT may create just a single process on the infected system or infect system processes.

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. After that, the malware added itself to autorun and paused briefly using the timeout command. In the end, AsyncRAT ran itself as a child process and tried to connect to its C2 server. The malware configuration was successfully extracted from the sample, so analysts can save a lot of time on manual steps.

Figure 1: AsyncRAT malware configuration extracted by ANY.RUN

Distribution of AsyncRAT

AsyncRAT uses a couple of distribution methods. It is usually spread with spam email campaigns as malicious attachments or via infected ads on compromised websites. Sometimes the RAT is dropped by other malware, which first infects the system through a VBS script. The Threat Analysis Unit also warned that it can arrive via exploit kits.

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by the key and value name D04F4D4D0DF87BA77AAE that they write in the registry. The newest version of the malicious program sends the stolen info to its panel right after the start of execution, so detection happens in less than a minute. Apart from that, AsyncRAT is caught by YARA rules.
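The two behaviours described on this page (the registry marker written by early builds, and the "timeout, then relaunch itself as a child" chain from the process tree above) can be turned into simple host-telemetry checks. The following is an added example, not ANY.RUN's or the AsyncRAT project's code; it runs over constructed Sysmon-style JSON events with hypothetical paths and PIDs, and only the registry value name comes from the page.

```python
import json

# Registry value name the page says the oldest AsyncRAT builds write.
ASYNCRAT_REG_MARKER = "D04F4D4D0DF87BA77AAE"

# Constructed Sysmon-style records (not real telemetry; paths and PIDs are made up).
# EventID 13 = registry value set, EventID 1 = process create.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-111\Software\D04F4D4D0DF87BA77AAE"},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100,
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c timeout 3 > nul"},
    {"EventID": 1, "ProcessId": 4130, "ParentProcessId": 4100,
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\svc.exe", "CommandLine": "svc.exe"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 900,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
])


def detect_asyncrat(log_text):
    """Return a list of (rule_name, pid) hits from newline-delimited JSON events."""
    hits = []
    timeout_parents = set()  # PIDs that spawned a 'cmd /c timeout' helper
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 13:
            # Rule 1: registry value name used by early AsyncRAT builds.
            if ev.get("TargetObject", "").upper().endswith(ASYNCRAT_REG_MARKER):
                hits.append(("asyncrat_registry_marker", ev["ProcessId"]))
        elif ev.get("EventID") == 1:
            image = ev.get("Image", "").lower()
            parent = ev.get("ParentProcessId")
            if image.endswith("\\cmd.exe") and "timeout" in ev.get("CommandLine", "").lower():
                timeout_parents.add(parent)
            # Rule 2: the same parent that slept via 'timeout' now launches its
            # own binary as a child, the chain shown in the process tree.
            elif parent in timeout_parents and image == ev.get("ParentImage", "").lower():
                hits.append(("asyncrat_timeout_then_self_spawn", parent))
    return hits
```

Both rules are coarse by design and will need tuning against benign scripts that also use timeout before relaunching themselves.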

Conclusion

It’s difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The notes claimed that it was designed for educational purposes. But it could be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

But researchers can easily identify any of its strains by running an analysis in the ANY.RUN sandbox. It takes only 2 minutes on average to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.

IOCs

