Analysis of AsyncRAT Malware Infection Methods
/ 3 min read
Quick take - The article by threat intelligence analyst WatchingRac outlines the methods of infection used by AsyncRAT malware, detailing two distinct distribution techniques involving obfuscated scripts and PowerShell commands, while also providing insights on malware analysis tools and Indicators of Compromise for threat identification.
Fast Facts
- AsyncRAT is a Remote Access Trojan (RAT) that enables attackers to remotely control infected devices for surveillance, data theft, and system manipulation.
- The article details two methods of AsyncRAT distribution via open directories, one using an obfuscated VBS script and the other a simpler VBS script with comments.
- Both methods involve downloading a disguised JPG file through PowerShell scripts, with the first method being multi-stage and the second simpler and two-stage.
- A scheduled task is created to ensure the VBS script runs every two minutes, maintaining the persistence of the infection.
- The article also discusses the use of ANY.RUN for malware analysis and lists Indicators of Compromise (IOCs) such as specific IP addresses and file hashes for threat identification.
AsyncRAT Infection Methods: An Analysis
Guest contributor WatchingRac, a threat intelligence analyst, has authored an article detailing the methods used to infect systems with AsyncRAT, a type of Remote Access Trojan (RAT) malware. AsyncRAT is designed to allow attackers to gain remote control over infected devices, facilitating activities such as surveillance, data theft, and manipulation of compromised systems.
Distribution Techniques
The analysis identifies two distinct open directories used for the distribution of AsyncRAT, each employing different techniques.
First Method
The first method features an open directory structured with a text file alongside a JPG file. The accompanying text file contains an obfuscated Visual Basic Script (VBS) that incorporates random variable names to obscure its function. This script is responsible for downloading the disguised JPG file, facilitated through an XML file that contains a PowerShell script. Following the extraction of the JPG file, the initial VBS script executes a subsequent script, which then deletes the XML and ZIP files to cover its tracks.
Second Method
In a similar vein, the second technique also involves an open directory containing a TXT file and a JPG file. The TXT file in this instance contains a more straightforward VBS script, complete with comments that make it easier to interpret. This script invokes the command line to execute PowerShell, which in turn downloads and runs the JPG file. The PowerShell script created during this process generates three critical files for the infection sequence:
- The first file executes EXE and DLL files related to AsyncRAT directly in memory.
- The second file activates PowerShell to run a previously generated file.
- The third file executes another file in a manner that conceals its operation.
Similar to the first method, a scheduled task is established to ensure the VBS script runs every two minutes, maintaining the persistence of the infection.
Analysis and Tools
The article further explores the analysis of the various scripts and files integral to the infection process. An investigation uncovered two IP addresses actively disseminating AsyncRAT using the aforementioned methods. The first method is characterized as a multi-stage process, while the second method is noted for its simpler two-stage approach.
Additionally, the article highlights the use of ANY.RUN, a tool that supports cybersecurity professionals in analyzing malware. It provides insights on how to leverage ANY.RUN’s interactive sandbox to conduct thorough malware analysis.
The article concludes by listing Indicators of Compromise (IOCs) associated with the AsyncRAT infections, including specific IP addresses and file hashes, which are critical for identifying and mitigating threats.
Original Source: Read the Full Article Here
