AsyncRAT is a well known malware and widely active since last few years. However, the old variant of AysncRAT is completely destructive, in the latest variant the malware has advances its capabilities by including additional commands support from C2, clipper module, cryptostealer module, keylogger module and ability to prevent system from going to sleep. SonicWall RTDMI detects a JavaScript file which downloads and executes fileless AsyncRAT on the victim's machine.
The JavaScript contains garbage comments and keeps the name of the variables larger, to make the code illegible. It downloads a VBScript from a compromised website "hps://dnacapitalgroup.com/wp-includes/images/information.txt" to "%Temp%\VB", using the Windows utility tool BITSAdmin. The VBScript is launched using Windows Scripting Host by specifying the engine type as "VBScript" for executing script. Windows Script Host usually associates the script engine type based on the script extensions but the malware downloads and executes the VBScript without any extension that makes the requirement of providing the engine information explicitly:
The tiny and obfuscated VBScript launches a PowerShell script which further downloads and launches next layer PowerShell script:
The PowerShell script drops a batch script, a VBScript and 2 PowerShell scripts into "C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV". This PowerShell script distributes the tasks among these dropped scripts to thwart detection from the security vendors. The PowerShell script starts the next layer PowerShell script TZOQCBINLOLHJQAPYIDAJV.ps1:
The PowerShell script schedules a task to execute the VBScript "C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV.vbs" after every 3 minutes:
The obfuscated VBScript launches TZOQCBINLOLHJQAPYIDAJV.bat script:
The batch script hijacks the Common Object Model (COM) server by making the registry entry "Computer\HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32" to a not existing DLL and bypasses Antimalware Scan Interface (AMSI) scanning for the unpatched amsi.dll. The batch script executes the next layer PowerShell script YPSPPQWKQDKPVWZHQCIIQZ.ps1:
The PowerShell script contains a loader and AsyncRAT binary bytes, encrypted using TripleDES algorithm. The PowerShell script invokes method "C" from the loader binary by passing a file path for process hollowing and AsyncRAT binary's bytes array. The loader binary does the process hollowing in process "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" to execute the AsyncRAT on the victim's machine. AMSI scanning for loader and AsyncRAT bytes buffers does not work, in unfixed variants of amsi.dll as the malware have hijacked the COM server:
The old variant of AsyncRAT sends the victim's information to the C2 server, receives and executes commands. The AysncRAT is capable of receiving and executing plugin on the victim's machine. The latest variant keeps the old functionalities and additionally we have observed below enhancements:
The latest variant uses the same mutex name, used in the old variants "AsyncMutex_6SI8OkPnk". To prevent detection in sandbox, the malware delays the execution by sleeping 1000 milliseconds, 3 times in a loop and then decrypts configuration information using AES decryption and initializes the variables:
The malware contains code to check for anti analysis, anti VM, anti sandbox and make persistence entry but that is disabled using the flag values, similarly to the old variant. In this variant, the malware enables flag for offline Lime keylogger which logs the key strokes into "%temp%\log.tmp". The malware keeps the system in active state and prevents it from going to sleep, using Windows API SetThreadExecutionState by enabling flag values ES_CONTINUOUS, ES_SYSTEM_REQUIRED and ES_DISPLAY_REQUIRED:
The major change in this variant that we have observed, is inclusion of Clipper module which intends to steal crypto currencies. The Clipper module looks currency addressed using regular expression in the clipboard data which includes wallet addresses of Bitcoin, Ethereum and Tether, and replaces them with malware's wallet addresses:
The malware selects a random host and port from the list of host domains/IPs and ports respectively, and tries to connect with it. If the connection to the C2 server fails, the malware tries the next random combination, after a sleep of 5000 milliseconds. Once the connection with C2 sever is established, malware sends below information from the victim's machine:
The malware creates 3 threads, first thread keeps sending ping messages to ensure the C2 server that the client is alive, second thread counts the time interval for the connection and third thread reads data from the C2 server.
This variant has increased the supported commands compare to the old variants. The malware receives data in an encoded and compressed message format which is decoded to get the command. Based on the received command, the message may include additional data (eg. plugin bytes, killing processes names and URL to download payload etc.). The malware supports below commands and after executing the command, the result is sent back to the C2 server.
Unavailability of the archive file in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs at the time of writing this blog indicates its uniqueness and limited distribution:
Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:
Share This Article
An Article By
An Article By
Security News
Security News