AsyncRAT: The Anatomy of a Highly-Evasive Malware

Origin: 2019

Aliases: Async RAT

Targeted Sectors: IT, Hotel and Resorts, Enterprise services, Transportation 

Targeted Regions: North America, South America, Central America 

Motive: Data Theft

Common Infection Vectors: Phishing email, Spear-phishing, Exploit kits, Lure

Introduction

AsyncRAT, a tool written in C#, was originally designed to administer computers remotely over encrypted connections. Although it was published for educational purposes (the source is still available on GitHub), threat actors worldwide have adopted it as a RAT because of its broad capabilities, such as keylogging, audio/video recording, information stealing, remote desktop control, and more. The Threat Analysis Unit also issued a threat intelligence notification warning about the spear-phishing, malvertising, exploit kits, and other techniques used by threat actors to deliver AsyncRAT.

The malware was recently used against travellers applying for Thailand travel passes via Thailand Pass. Once a system was infected, the attackers could harvest sensitive customer information from it.

Different Capabilities of Malware

From stealing sensitive data and disabling security software to installing additional malicious payloads, AsyncRAT offers cybercriminals multiple use cases and features.

Client-side features include a screen viewer/recorder, antivirus/integrity manager, SFTP access with upload and download, a client/server chat window, Dynamic DNS and multi-server support, password recovery, a JIT compiler, a keylogger, anti-analysis checks, controlled updates, and antimalware startup. On the server side it offers a config editor, a multi-port receiver, thumbnails, a binary builder, and an obfuscator, along with many additional features.

Attack Timeline and TTPs

AsyncRAT has been distributed in multiple campaigns through a variety of techniques, including crypter and loader services sold to other criminals. Moreover, cybercriminals have steadily extended the RAT's capabilities over time.

2019-2020

In early 2019, researchers uncovered Operation Comando, which used phishing email as its primary delivery mechanism to drop AsyncRAT, among other RATs. In February 2020, security analysts revealed a SideWinder campaign that used COVID-19 as bait in spear-phishing emails to deliver modified versions of AsyncRAT. In March, a threat actor dubbed TA2719 was found using AsyncRAT; the attackers used localized lures impersonating local banks, law enforcement, and shipping services. In December 2020, numerous AsyncRAT variants were found advertised on Chinese cybercriminal underground forums.

2021

In January 2021, the actors behind Operation Spalax were discovered delivering AsyncRAT through phishing emails. In March, the HCrypt crypter service was marketed as a fully undetectable loader that could deliver any RAT of the client's choice, including AsyncRAT, as the final payload. In May, a new spear-phishing campaign was found spoofing legitimate organizations while spreading AsyncRAT. The same month, another campaign used an AutoHotkey (AHK) executable that led to a series of VBScripts loading RATs, including AsyncRAT. In August, a crypter known as 3LOSH was used to generate the stages of a highly modularized infection chain that delivered AsyncRAT along with other commodity RATs. In November, a campaign built around fake cryptocurrency websites delivered SpyAgent, which abuses a legitimate Russian remote-access tool (Safib Assistant) and is known to download AsyncRAT; the attackers used DLL sideloading to hide the remote-access tool's window from the victim.

2022

In January 2022, a malicious campaign used fake Liverpool Football Club sites to lure users into downloading DTPacker, which in turn delivered AsyncRAT along with a few other malware families. In the same month, another campaign used phishing emails with an HTML attachment that downloaded ISO files to deliver AsyncRAT without triggering security alerts. In April, a series of campaigns used a new version of the 3LOSH crypter to generate obfuscated loader code and spread different commodity RATs, including AsyncRAT.

Targets/Victimology

Threat actors deploying AsyncRAT are known to steal email login credentials and banking data and to hijack other personal accounts, which can then be monetized.

It has been used in multiple campaigns by different threat actors across sectors. From 2019 to 2022, the RAT was used to target hospitality (hotel and resorts), IT, enterprise services, and transportation sectors. The targeted regions include North America, South America, and Central America.

A crypter-as-a-service named Snip3 was used to compromise aerospace and travel organizations with AsyncRAT. The malware was also used in an attack, dubbed Operation Spalax, that exclusively targeted government entities and private companies in Colombia. Operation Comando specifically targeted hotel reservation systems to steal credit card details.

Affiliations

The RAT reportedly shares code and behavioral similarities with RevengeRAT, which is used by multiple operators. A report from JPCERT/CC found that AsyncRAT was partially copied from the Quasar malware family. According to a March 2022 report, AsyncRAT also served as the base for the development of Borat RAT.

Prevention and Mitigation

With several new versions released over the past three years, organizations should run an up-to-date anti-malware solution to detect and block the known variants of this malware. A smarter approach also uses threat intelligence to track the evolving techniques of malware such as AsyncRAT and to support better-informed decisions. Security teams can act on new AsyncRAT indicators of compromise (IOCs) directly in their security stack at machine speed by automating the ingestion and matching of those indicators.
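As an added illustration of that last point (this is example code written for this edit, not part of the original post or of any product), the script below takes the defanged indicators published at the end of this post, refangs them, classifies them by type, and sweeps constructed sample proxy-log lines and file-hash events for matches. The log format and host names in the samples are assumptions; the indicators themselves are copied from the IOC section. A deliberate design choice: a URL indicator matches only as a full URL, and its host is not promoted to a blockable domain, because several listed hosts (archive.org, cdn.discordapp.com, onedrive.live.com) are legitimate shared services.

```python
"""Refang a defanged IOC list and sweep sample telemetry against it."""
import re
from typing import Dict, List, Set, Tuple

# Indicators copied from the blog post's IOC section, defanged as published
# (a subset, to keep the example short).
DEFANGED_IOCS = """
hXXps[:]//archive[.]org/download/auto_20220216/auto.txt
hXXps[:]//cdn[.]discordapp[.]com/attachments/777508363029184525/935168254744358952/log.mp3
hXXps[:]//kediricab[.]dindik[.]jatimprov[.]go[.]id/wp-admin/x.txt
141[.]95[.]89[.]79
invoice-update[.]myiphost[.]com
bingoroll20[.]net
1312912d725d45bcd1b63922ec9a84abca7a8c9c669c13efbd03472c764be056
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(ioc: str) -> str:
    """Undo the usual defanging: hXXp -> http, [.] -> ., [:] -> :."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def classify(ioc: str) -> str:
    """Classify a refanged, lower-cased indicator by its shape."""
    if SHA256_RE.match(ioc):
        return "sha256"
    if ioc.startswith(("http://", "https://")):
        return "url"
    if IPV4_RE.match(ioc):
        return "ipv4"
    return "domain"


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Group refanged indicators by type. Everything is lower-cased so that
    matching against telemetry is case-insensitive on both sides. URL hosts are
    intentionally NOT added to the domain set (see lead-in)."""
    groups: Dict[str, Set[str]] = {"sha256": set(), "url": set(), "ipv4": set(), "domain": set()}
    for line in text.splitlines():
        if line.strip():
            ioc = refang(line).lower()
            groups[classify(ioc)].add(ioc)
    return groups


# Constructed sample telemetry (assumed formats, not from the post):
# proxy log lines as "<timestamp> <src_ip> <dst_host> <url>", and EDR file
# events as (src_ip, path, sha256).
SAMPLE_PROXY_LOG = [
    "2022-02-16T10:01:02Z 10.0.0.5 archive.org https://archive.org/download/auto_20220216/auto.txt",
    "2022-02-16T10:01:09Z 10.0.0.5 archive.org https://archive.org/details/some_benign_item",
    "2022-02-16T10:03:30Z 10.0.0.7 invoice-update.myiphost.com tcp://invoice-update.myiphost.com:6606",
]
SAMPLE_FILE_EVENTS: List[Tuple[str, str, str]] = [
    ("10.0.0.5", r"C:\Users\a\AppData\Local\Temp\x.exe",
     "1312912d725d45bcd1b63922ec9a84abca7a8c9c669c13efbd03472c764be056"),
    ("10.0.0.9", r"C:\Windows\notepad.exe", "0" * 64),
]


def sweep(iocs: Dict[str, Set[str]], proxy_log: List[str],
          file_events: List[Tuple[str, str, str]]) -> List[dict]:
    """Return one hit per telemetry record that matches an indicator.
    Full-URL matches take precedence; host matches only apply to indicators
    that were published as bare domains or IPs."""
    hits: List[dict] = []
    for line in proxy_log:
        _ts, src, host, url = line.split(" ", 3)
        host_l, url_l = host.lower(), url.lower()
        if url_l in iocs["url"]:
            hits.append({"src": src, "type": "url", "ioc": url_l})
        elif host_l in iocs["domain"] or host_l in iocs["ipv4"]:
            hits.append({"src": src, "type": "host", "ioc": host_l})
    for src, path, sha in file_events:
        if sha.lower() in iocs["sha256"]:
            hits.append({"src": src, "type": "sha256", "ioc": sha.lower(), "path": path})
    return hits


if __name__ == "__main__":
    for hit in sweep(load_iocs(DEFANGED_IOCS), SAMPLE_PROXY_LOG, SAMPLE_FILE_EVENTS):
        print(hit)
```

Note that the second sample line, a benign request to archive.org, produces no hit even though the first line does; that is the behaviour you want before feeding host-level blocks to a proxy or DNS sinkhole.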

Conclusion

Even though AsyncRAT was created for educational purposes, today it is capable enough to cause real financial loss to organizations. Moreover, because the RAT's source code is open, attackers can freely reuse it to build custom or modified variants.

Indicators of Compromise

3LOSH Crypter
Stage 1 ISOs
4567abc4645a8f9414c6d642763d47a2678bf00fefe9e02677664b1c1b35c226
64836303a8eb58b7c5660211e085e3e42b2f4a068aeee88ede30eaa1b9cc4898
c174daa66473073d55fca74107642b43938c832b6c57a2e35c5b6998b89becc8
ed22a3a0314aa108d3e2a5f89fc90eb4d32a07a83e4a16a0e778ec3dae8e3406

Stage 1 VBS

Stage 2 Retrieval
hXXp[:]//ia801400[.]us[.]archive[.]org/26/items/auto_20220216/auto.txt
hXXps[:]//afomas[.]com/wp-admin/images/Feb_MA2.mp3
hXXps[:]//archive[.]org/download/auto_20220216/auto.txt
hXXps[:]//archive[.]org/download/my44_20220211/my44.txt
hXXps[:]//blankinstall[.]info/build/x.mp3
hXXps[:]//cdn[.]discordapp[.]com/attachments/777508363029184525/935168254744358952/log.mp3
hXXps[:]//cozumreklamkayseri[.]com/.Fainl.txt
hXXps[:]//isoeducationjo[.]com/.well-known/mo.mp3
hXXps[:]//kediricab[.]dindik[.]jatimprov[.]go[.]id/wp-admin/x.txt
hXXps[:]//onedrive[.]live[.]com/Download?cid=358166AEFCA69E90&resid=358166AEFCA69E90!124&authkey=AGvLNowfByqo5eo
hXXps[:]//usaymaboutique[.]com/assets/assets.txt
hXXps[:]//uxsingh[.]com/uxsingh.jpg
hXXps[:]//v3-fastupload[.]s3-accelerate[.]amazonaws[.]com/1643406871-d.mp3
hXXps[:]//www[.]atgame888[.]com/wp-admin/Feb_MO2.mp3
hXXps[:]//www[.]wordpressthemesall[.]com/wp-admin/Feb_MA2.mp3
hXXps[:]//y-menu[.]com/wp-admin/MA.txt

Stage 2 PowerShell

Stage 3 Binaries

C2 Servers
141[.]95[.]89[.]79
3laallah[.]myvnc[.]com
94[.]130[.]207[.]164
anderione[.]com
invoice-update[.]myiphost[.]com
mekhocairos[.]linkpc[.]net
n[.]myvnc[.]com
python[.]blogsyte[.]com

DTPacker
AsyncRAT
SHA256
1312912d725d45bcd1b63922ec9a84abca7a8c9c669c13efbd03472c764be056 

Fake Cryptocurrency Websites
dropper (Safib Assistant RAT)
646b4d9f624018421a34cd1bfbea6d05f7e8edfa2fe53c685a12db4b523fee7a
c6c83dd920e718e710026a2e495d630b034210ee68279b9a6b29da06c5e8c2dd
443c9626400e3ffe8ac0be31a39618c80aec5a8da38c27ebab36984efe0b76df
4394f65f47ac54fc77bb1694910f7de2d9cb5c4a5078c89de97cffeb3787e699
8e846b9e5a96d548d83a4f91028bb05f85f16de0a93571b7e031cd972c7c5500

quartz.dll (Safib Assistant RAT)
9aff582c27ea70eafebf3012cd181902b380b7de53b69da89149cd21ef2e5697
f69444522eec9fb4d6b4e021036b2d2dd7232453369bff3d60cee5a11efdd451
e93d9c6e6f63ee5c87acde68d94087428a6a73c4cd184ff610989a9f025feb83
0e2c211e4e6c48827eaf2ff614187c737b311e226960692e5ab9d16d939d7bab
de39e86626922c6ede00988f92d3420c3b8e05f660b259df8d1812d8f2fdac34

dropper (Teamviewer RAT)

avicap32.dll (Teamviewer RAT)
e37e13f3b4074bf02e7d19f74bd6d3ff4f3d690e2ee8beec3c75c95634434e3b
8173e1d3c3ac431d07fa7795dabaf3e89ffc69b79992f3399ceda57526183be7
a2768b2c6fda3e27725503b20bce1e26f64108e743ea705eb0cc401eb848f42d
afd1e1655be0131ecc3dc68f8c4fd4e795a7a4d13f506c70105c486073d6745f
80910b9438d178bc1c9f751798a27163b73b907314f88139c432d520feed1c01
108bac9119b630bf7188a6b409ea667a581b357f0b5b0440b3e3173d43efd1fa
51f17dea64515d5a3a1a6b070fa9c5abb08c028ad9d116a49d796e354fcd68d3
2572e3a7673b7c3e8d0f9569fb42a4946ddd0e9ac8bdaaf29aebee9dd47c8194

clipper (clipboard replacer)
4d59e857c6923b6ead19109dbf591bbe93f3407153c992ad35fc6ed8969a34c3

Redline Stealer
375793b022141ba589325c050476f578f0602d9b244a941d98ec5eff7d6ec77e
2f1978e555a8b49775a6b7e0fd959bd2ee10f35f15f1f1f4a051c9d8ebd320fa
38a5b96fd07f03041f6eff913b85fc621fa314e1de87326accb00ee218c37756
ea44a8e50967e1680a28612762edc5ce39f178690d74cf75b7cec38401db48f0
094108df2b18400b628f725e50e0073676776a31ae271737405c39741d831e9f

URL
delivery domains
evvresponsefund[.]com
allincalisthenics[.]com
faraipyro[.]com
erin-nathaniel[.]com
bummerpost[.]com
neponsetflagfootballleague[.]com
estateplanningcentral[.]com
optimalfatmetabolism[.]com
toa-ara[.]com
nathanfraser[.]com
deiflo[.]com
nationalinsuranceappraisersregistry[.]com

C&C servers
bingoroll20[.]net
bingoroll21[.]net
bingoroll22[.]net
bingoroll23[.]net


Posted on: May 09, 2022
