How AsyncRAT is escaping security defenses

January 10, 2023 by Pedro Tavares

AsyncRAT is one of the most popular open-source remote access trojans. Over the last few months, this malware has been used by both professionals and cybercriminals in their activities. The more recent malicious wave of AsyncRAT can escape security defenses by using a specially crafted .bat loader, like other trojans, including URSA.

Netskope initially published the research, and the high-level diagram of this campaign is depicted below. After the victim receives the phishing email and executes a non-detectable .bat file, it downloads the next malware stages from an AWS S3 bucket. As can be seen, a PowerShell script creates a lot of files that complete the chain by executing AsyncRAT itself.

Figure 1: High-level diagram of AsyncRAT malware wave 2022 (source).

As noted in Latin American trojans, criminals take advantage of different load stages, using .bat files with heavily obfuscated code and a large amount of junk to successfully escape AV/EDR detection. AsyncRAT also abuses this technique to start the infection chain seen in Figure 1, and no detections were found on VirusTotal.

Figure 2: OutPut-10.bat file escaping AV detection (source).

As described by security researchers, “the file not being detected is likely due to a long string added in the file multiple times (more than 100) by the attacker.”

Figure 3: .bat file fully obfuscated and with a lot of junk in the Japanese language.

The strings are nonsense; their only purpose is to create noise and generate different file signatures, so that the small pieces of code, which are themselves obfuscated, escape detection. The snippets of code were highlighted in the original analysis and demonstrate how this technique can be a potent approach for defeating the static analysis performed by even the most sophisticated security solutions on the market these days.
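A static triage check for this padding pattern, written as an added example (not code from the original analysis): it counts long strings that repeat many times, measures how much of the file they occupy, and returns the lines that remain once the filler is stripped. The thresholds other than the "more than 100" repeat count, the function name and the sample inputs are assumptions constructed for illustration.

```python
import re
from collections import Counter

MIN_LEN = 40        # assumed: shortest run of characters treated as a "long string"
MIN_REPEATS = 100   # the quoted analysis reports the filler appearing more than 100 times
JUNK_RATIO = 0.5    # assumed: share of the file that must be filler to flag it

def triage_script(text, min_len=MIN_LEN, min_repeats=MIN_REPEATS):
    """Measure repeated filler in a script and return what is left without it."""
    # Every unbroken run of non-whitespace characters of at least min_len.
    runs = Counter(re.findall(r"\S{%d,}" % min_len, text))
    filler = {s: n for s, n in runs.items() if n >= min_repeats}
    residual = text
    for s in filler:
        residual = residual.replace(s, "")
    junk_chars = sum(len(s) * n for s, n in filler.items())
    size = max(len(text), 1)
    ratio = junk_chars / size
    return {
        "filler_strings": len(filler),
        "max_repeats": max(filler.values(), default=0),
        "junk_ratio": round(ratio, 3),
        "non_ascii_ratio": round(sum(ord(c) > 127 for c in text) / size, 3),
        # What an analyst (or a second-pass scanner) should actually read.
        "residual_lines": [ln.strip() for ln in residual.splitlines() if ln.strip()],
        "suspicious": bool(filler) and ratio >= JUNK_RATIO,
    }

# Constructed sample: 120 copies of a nonsense string around two harmless lines.
JUNK = "無意味な文字列" * 8
PADDED = "\n".join([JUNK] * 60 + ["@echo off"] + [JUNK] * 60 + ["set stage=PLACEHOLDER"])
# Constructed control: an ordinary short batch script with no filler.
PLAIN = "@echo off\nset name=world\necho hello %name%\n"

if __name__ == "__main__":
    for label, sample in (("padded", PADDED), ("plain", PLAIN)):
        report = triage_script(sample)
        print(label, {k: v for k, v in report.items() if k != "residual_lines"})
        print("  residual:", report["residual_lines"])
```

Scanning the residual lines instead of the whole file gives signature and heuristic engines the small amount of real code without the noise that changes the file hash.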

In detail, the script invokes IEX (PowerShell's Invoke-Expression) and downloads from an S3 bucket a PowerShell script responsible for executing the next malware stage.

Figure 4: .bat file source code deobfuscated and responsible for downloading the next malware stage.

AsyncRAT intermediate stage

The PowerShell script named “x.png” downloaded from the previous stage is then responsible for creating different files, namely:

    • xx.vbs
    • Bin.vbs
    • xx.bat
    • Bin.bat; and
    • Bin.ps1

Figure 5: Files created in the intermediate stage of the AsyncRAT infection chain.

In detail, both files contain a few lines of code that execute the “Bin.ps1” file, which contains two Portable Executable files: an injector and AsyncRAT itself.

Figure 6: PowerShell file containing additional executables.
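The intermediate stage leaves a recognisable burst of script files written by one PowerShell process. The hunt below is an added example, not part of the original analysis: it flags that burst in file-creation telemetry. The event shape (loosely modelled on Sysmon Event ID 11), the 60-second window, the match threshold, host names and paths are assumptions; only the five file names come from the article.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# File names listed in the article; everything else below is an assumption.
STAGE_FILES = {"xx.vbs", "bin.vbs", "xx.bat", "bin.bat", "bin.ps1"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(seconds=60)  # assumed burst window
MIN_MATCHES = 4                 # assumed: tolerate one missing event

def find_stage_drops(events):
    """One alert per (host, pid) writing >= MIN_MATCHES stage files within WINDOW."""
    recent, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        image = PureWindowsPath(ev["image"]).name.lower()
        target = PureWindowsPath(ev["target"]).name.lower()
        if image not in POWERSHELL or target not in STAGE_FILES:
            continue
        key = (ev["host"], ev["pid"])
        # Drop earlier hits that have aged out of the window, then add this one.
        hits = [(t, n) for t, n in recent.get(key, []) if ev["time"] - t <= WINDOW]
        hits.append((ev["time"], target))
        recent[key] = hits
        names = {n for _, n in hits}
        if len(names) >= MIN_MATCHES:
            alerts[key] = {"host": key[0], "pid": key[1], "files": sorted(names)}
    return list(alerts.values())

def _ev(ts, host, pid, image, target):
    return {"time": datetime.fromisoformat(ts), "host": host, "pid": pid,
            "image": image, "target": target}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed file-creation events; hosts, PIDs and directories are made up.
SAMPLE_EVENTS = [
    _ev("2023-01-10T09:00:01", "ws-01", 4120, PS, r"C:\Temp\example\xx.vbs"),
    _ev("2023-01-10T09:00:02", "ws-01", 4120, PS, r"C:\Temp\example\Bin.vbs"),
    _ev("2023-01-10T09:00:02", "ws-01", 4120, PS, r"C:\Temp\example\xx.bat"),
    _ev("2023-01-10T09:00:03", "ws-01", 4120, PS, r"C:\Temp\example\Bin.bat"),
    _ev("2023-01-10T09:00:04", "ws-01", 4120, PS, r"C:\Temp\example\Bin.ps1"),
    # Same names, but spread over half an hour: below the threshold in any window.
    _ev("2023-01-10T09:00:00", "ws-02", 988, PS, r"C:\Build\Bin.bat"),
    _ev("2023-01-10T09:30:00", "ws-02", 988, PS, r"C:\Build\xx.bat"),
    # A matching name written by a non-PowerShell process is ignored.
    _ev("2023-01-10T09:00:05", "ws-03", 77, r"C:\Windows\notepad.exe", r"C:\Notes\xx.vbs"),
]

if __name__ == "__main__":
    for alert in find_stage_drops(SAMPLE_EVENTS):
        print(alert)
```

File names are trivial for an operator to change, so this is a campaign-specific hunt; the more durable signal is the shape itself, one PowerShell process writing a mix of .vbs, .bat and .ps1 files within seconds.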

The injector is used to load the AsyncRAT file into memory by taking advantage of the Process Hollowing technique. As demonstrated, a new thread is created and put in a suspended state (paused), the target file is mapped into memory, and then it is executed.

Figure 7: Process Hollowing technique used by AsyncRAT.

Once AsyncRAT is running, criminals can control the infected machine using the AsyncRAT GUI. The code is open-source and can be customized by criminals to suit their intent.

Figure 8: AsyncRAT GUI from GitHub.

In general, the main functionalities of AsyncRAT are:

  • The capacity to view and record the victims’ screen 
  • Keylogger capabilities
  • The upload, download and execution of additional payloads/files
  • The usage of a chat communication
  • Persistence mechanisms
  • Disable Windows Defender
  • Shutdown and reboot
  • Denial of service attack

How to stay safe against malware

While there is no immediate solution for blocking malware in general, using security solutions at both the network and host layers is crucial these days. Criminals use different techniques daily to bypass defense mechanisms. Here, a simple .bat file with a lot of junk and obfuscated lines of code was enough to break the initial security barrier and inject code into memory.

For this reason, it is necessary to use software that protects against cyber threats and to apply monitoring measures that give a 360-degree view of the entire ecosystem.

Sources:

AsyncRAT analysis, Netskope

URSA trojan, Segurança-Informática

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.pt. In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.