AsyncRAT

AsyncRAT is a RAT that can monitor and remotely control infected systems. It was introduced on GitHub as a legitimate open-source remote administration tool, but attackers adopted it for its many powerful malicious functions.

Type: Remote Access Trojan
Origin: Likely Kuwait
First seen: 8 January, 2019
Last seen: 1 April, 2023
Global rank: 10
Week rank: 7
Month rank: 7
IOCs: 16698

What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware arrived in spam email campaigns using Covid-19 lures. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware gained popularity and, in late 2020, surfaced in numerous threads on Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by the HCrypt loader. Soon after, researchers saw the first AsyncRAT strain loaded via VBScript. In 2022, a heavily modified version appeared, spread in a spear-phishing campaign whose attachment downloaded ISO files; this strain evaded most security controls of the time.

Because of the open-source nature of this malware, attackers have developed numerous AsyncRAT variants over its lifetime. In 2022, researchers found a new variant that can be delivered in fileless form; it is thought to spread by email in compressed attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. Operators aim to steal personal credentials or banking details and use them as leverage to demand a ransom.

How to analyze AsyncRAT malware

Researchers can analyze an AsyncRAT sample, track the whole execution process, and collect IOCs in real time using the ANY.RUN sandbox.

AsyncRAT process tree

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Like any other malware, AsyncRAT's execution process varies over time and between versions; its open-source origin makes it easy to change its functionality. Even so, the chain itself is plain and straightforward: the RAT may run as a single process on the infected system or inject into system processes.

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. The payload then added itself to autorun and delayed execution briefly with a timeout command. Finally, AsyncRAT relaunched itself as a child process and tried to connect to its C2 server. The malware configuration was extracted from the sample automatically, saving analysts the manual unpacking steps.

AsyncRAT malware configuration

Figure 2: AsyncRAT malware configuration extracted by ANY.RUN

Distribution of AsyncRAT

AsyncRAT uses several distribution methods. It is usually spread as a malicious attachment in spam email campaigns or through malicious ads on compromised websites. Sometimes the RAT is dropped by other malware that first infects the system via a VBS script. The Threat Analysis Unit has also warned that it can arrive via exploit kits.

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by the registry key and value name D04F4D4D0DF87BA77AAE that they write. The newest versions send stolen information to their panel almost immediately after execution starts, so detection takes less than a minute. Apart from that, AsyncRAT is caught by YARA rules.
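The execution chain described earlier (a maldoc drops the payload, the payload registers itself in autorun, delays with a timeout command, relaunches itself and beacons to C2) and the registry marker named in this section can be expressed as behavioural rules over endpoint telemetry. The script below is an added example and not ANY.RUN's detection logic: the Sysmon-like event lines, the image paths, PIDs, the 6606 port and the 45.144.154.62 destination (borrowed from the IOC list further down) are constructed, and the 60-second beacon window and the "three rules = verdict" threshold are assumptions.

```python
"""Behavioural detection of an AsyncRAT-style execution chain.

Added example (not ANY.RUN's detection logic). Input is constructed
Sysmon-like telemetry, one event per line:  timestamp|event|pid|ppid|image|detail
"""
import re
from datetime import datetime

# Constructed telemetry: a maldoc chain with benign noise (explorer, notepad, firefox).
EVENTS = r"""
2023-04-01T09:50:00Z|ProcessCreate|3900|1200|C:\Windows\explorer.exe|explorer.exe
2023-04-01T09:55:00Z|ProcessCreate|4150|3900|C:\Program Files\Mozilla Firefox\firefox.exe|firefox.exe
2023-04-01T10:00:01Z|ProcessCreate|4100|3900|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE invoice.docm
2023-04-01T10:00:03Z|ProcessCreate|4110|3900|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
2023-04-01T10:00:05Z|ProcessCreate|4120|4100|C:\Users\victim\AppData\Local\Temp\invoice.exe|invoice.exe
2023-04-01T10:00:06Z|RegistrySet|4120|4100|C:\Users\victim\AppData\Local\Temp\invoice.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\invoice=C:\Users\victim\AppData\Local\Temp\invoice.exe
2023-04-01T10:00:06Z|ProcessCreate|4130|4120|C:\Windows\System32\cmd.exe|cmd /c timeout 3 & "C:\Users\victim\AppData\Local\Temp\invoice.exe"
2023-04-01T10:00:09Z|ProcessCreate|4140|4130|C:\Users\victim\AppData\Local\Temp\invoice.exe|invoice.exe
2023-04-01T10:00:10Z|RegistrySet|4140|4130|C:\Users\victim\AppData\Local\Temp\invoice.exe|HKCU\Software\D04F4D4D0DF87BA77AAE=1
2023-04-01T10:00:12Z|NetworkConnect|4140|4130|C:\Users\victim\AppData\Local\Temp\invoice.exe|45.144.154.62:6606
2023-04-01T10:02:00Z|NetworkConnect|4150|3900|C:\Program Files\Mozilla Firefox\firefox.exe|93.184.216.34:443
""".strip().splitlines()

WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
REG_MARKER = "D04F4D4D0DF87BA77AAE"   # registry name written by old AsyncRAT builds (from the page)


def parse(lines):
    events = []
    for line in lines:
        ts, kind, pid, ppid, image, detail = line.split("|", 5)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "detail": detail})
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines, beacon_window=60, min_rules=3):
    """Return {root_pid: {"image", "rules", "verdict"}} for every flagged process chain."""
    events = parse(lines)
    procs = {e["pid"]: e for e in events if e["kind"] == "ProcessCreate"}
    hits = {}

    def flag(pid, rule):
        hits.setdefault(pid, set()).add(rule)

    for e in events:
        pid, parent = e["pid"], procs.get(e["ppid"])
        if e["kind"] == "ProcessCreate":
            # Rule 1: an Office process spawns an executable from a user-writable path (maldoc dropper).
            if parent and basename(parent["image"]) in OFFICE and WRITABLE.search(e["image"]):
                flag(pid, "office_drop")
            # Rule 2: cmd.exe runs "timeout" and then relaunches its own parent's image.
            # (timeout alone is benign; the relaunch of the parent is what makes it suspicious.)
            cmd = e["detail"].lower()
            if basename(e["image"]) == "cmd.exe" and "timeout" in cmd and parent \
                    and basename(parent["image"]) in cmd:
                flag(e["ppid"], "timeout_relaunch")
        elif e["kind"] == "RegistrySet":
            key, _, value = e["detail"].partition("=")
            # Rule 3: a process writes a Run key that points back at its own image (autorun).
            if "\\currentversion\\run\\" in key.lower() and value.lower() == e["image"].lower():
                flag(pid, "run_key_self")
            # Rule 4: the AsyncRAT registry marker named on this page.
            if REG_MARKER in key.upper():
                flag(pid, "asyncrat_reg_marker")
        elif e["kind"] == "NetworkConnect":
            # Rule 5: a binary in a user-writable path connects out within seconds of starting.
            start = procs.get(pid)
            if start and WRITABLE.search(e["image"]) \
                    and (e["ts"] - start["ts"]).total_seconds() <= beacon_window:
                flag(pid, "early_beacon")

    # Roll per-process hits up to the top-most flagged ancestor, so one chain gets one verdict.
    chains = {}
    for pid, rules in hits.items():
        root, cur = pid, pid
        while cur in procs and procs[cur]["ppid"] in procs:
            cur = procs[cur]["ppid"]
            if cur in hits:
                root = cur
        chains.setdefault(root, set()).update(rules)
    return {root: {"image": procs[root]["image"], "rules": sorted(rules),
                   "verdict": len(rules) >= min_rules}
            for root, rules in chains.items()}


if __name__ == "__main__":
    for root, report in detect(EVENTS).items():
        print(root, report)
```

The rollup step matters in practice: the persistence and dropper rules fire on the first copy of the payload, while the registry marker and the beacon fire on the relaunched child, and only the merged chain crosses the threshold. Each rule on its own (a timeout command, an early outbound connection) is too noisy to alert on.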

Conclusion

It is difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. Its release notes claimed it was designed for educational purposes, but the creator may simply have found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

Researchers can identify its strains by running an analysis in the ANY.RUN sandbox: on average it takes only about 2 minutes to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.

IOCs

IP addresses
109.206.241.81
84.52.0.248
207.32.218.123
110.148.201.235
172.94.11.178
45.144.154.62
212.192.246.234
70.70.19.220
181.71.216.22
14.165.49.117
193.124.22.17
185.19.85.149
141.98.252.161
45.131.3.199
52.188.205.213
213.142.151.35
149.167.94.36
82.120.52.78
38.17.51.104
5.149.252.51
Hashes

Domains
christmas-ambient.at.playit.gg
int-caution.at.playit.gg
subscribe-nowhere.at.ply.gg
type-investments.at.ply.gg
holiday-village.at.ply.gg
graphics-absorption.at.ply.gg
off-stack.at.ply.gg
sure-ing.at.ply.gg
wrong-permanent.at.playit.gg
primary-comment.at.playit.gg
policy-generating.at.ply.gg
everything-forgot.at.ply.gg
horse-statutory.at.ply.gg
teen-mid.at.ply.gg
move-concepts.at.ply.gg
topics-yrs.at.ply.gg
makes-conferences.at.ply.gg
212.ip.ply.gg
error-november.at.ply.gg
sep-slideshow.at.ply.gg
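The indicators above are only useful once they are matched against your own telemetry, and the hostnames have a shape worth exploiting: every one of them is a per-tenant name under playit.gg / ply.gg, a public tunnelling service, so a new name under the same parent zone is a lower-confidence but useful pivot even when it is not on the list. The script below is an added example, not ANY.RUN's tooling; the DNS and connection log lines, the endpoint names, and the unlisted names policy-boring.at.ply.gg and new-tenant.at.playit.gg are constructed, while the IPs and hosts in the indicator sets are a subset of the list above.

```python
"""Match the page's network IOCs against constructed DNS and connection logs.

Added example, not ANY.RUN's tooling. Log lines and endpoint names are constructed;
IOC_IPS and IOC_HOSTS are a subset of the indicators listed on the page.
"""
import ipaddress

IOC_IPS = {"45.144.154.62", "185.19.85.149", "5.149.252.51"}
IOC_HOSTS = {"christmas-ambient.at.playit.gg", "subscribe-nowhere.at.ply.gg", "212.ip.ply.gg"}


def infra_parents(hosts):
    """Parent zones shared by the listed hosts (e.g. 'at.playit.gg').

    The operators allocate per-tenant names under a public tunnelling service, so a
    sibling name under the same parent is worth flagging at lower confidence.
    """
    return {h.split(".", 1)[1] for h in hosts if h.count(".") >= 2}


def classify_host(name, hosts=IOC_HOSTS, parents=None):
    name = name.rstrip(".").lower()          # normalise trailing dot / case from DNS logs
    parents = infra_parents(hosts) if parents is None else parents
    if name in hosts:
        return "ioc_exact"
    if any(name.endswith("." + p) for p in parents):
        return "ioc_sibling"
    return None


def classify_ip(text, ips=IOC_IPS):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.is_private or addr.is_loopback:  # the list only holds public C2 addresses
        return None
    return "ioc_exact" if str(addr) in ips else None


# Constructed log lines: "<ts> <kind> key=value ..."
LOGS = """
2023-04-01T10:00:12Z dns host=WS-17 query=christmas-ambient.at.playit.gg answer=45.144.154.62
2023-04-01T10:00:13Z conn host=WS-17 dst=45.144.154.62 dport=6606
2023-04-01T10:01:40Z dns host=WS-22 query=policy-boring.at.ply.gg answer=185.19.85.149
2023-04-01T10:03:10Z dns host=WS-31 query=new-tenant.at.playit.gg answer=203.0.113.7
2023-04-01T10:05:00Z dns host=WS-03 query=www.example.com answer=93.184.216.34
2023-04-01T10:06:00Z conn host=WS-03 dst=10.0.0.5 dport=445
""".strip().splitlines()


def parse(line):
    ts, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields.update(ts=ts, kind=kind)
    return fields


def scan(lines):
    """One finding per (line, field) that matches an indicator exactly or by parent zone."""
    findings = []
    for line in lines:
        f = parse(line)
        if f["kind"] == "dns":
            checks = [("query", classify_host(f["query"])), ("answer", classify_ip(f["answer"]))]
        elif f["kind"] == "conn":
            checks = [("dst", classify_ip(f["dst"]))]
        else:
            checks = []
        for field, match in checks:
            if match:
                findings.append({"ts": f["ts"], "host": f["host"], "field": field,
                                 "indicator": f[field], "match": match})
    return findings


def affected_hosts(findings):
    """Highest-confidence match per endpoint, for triage ordering."""
    rank = {"ioc_exact": 2, "ioc_sibling": 1}
    best = {}
    for fnd in findings:
        if rank[fnd["match"]] > rank.get(best.get(fnd["host"]), 0):
            best[fnd["host"]] = fnd["match"]
    return best


if __name__ == "__main__":
    for fnd in scan(LOGS):
        print(fnd)
    print(affected_hosts(scan(LOGS)))
```

WS-22 shows the pivot working in both directions: its query is not on the list, but the parent zone matches and the resolved address is a listed C2 IP, which upgrades it to an exact hit. WS-31 is a sibling-only match and should be triaged, not blocked outright, because the tunnelling service also has legitimate users.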
