What Is AsyncRAT Malware?
AsyncRAT is a remote access trojan (RAT) released in 2019, primarily as a credential stealer and loader for other malware, including ransomware. AsyncRAT has botnet capabilities and a command and control (C2) interface allowing operators to control infected hosts remotely. Despite a legal disclaimer on its official GitHub page and self-promotion as a legitimate open-source remote administration tool, AsyncRAT is used almost exclusively by cybercriminal threat actors.
The use of AsyncRAT has grown steadily, with sharp bursts of popularity, since its release, and it is now considered a top threat. AsyncRAT is related to other malware families: it emerged from the QuasarRAT codebase and served as the starting point for RevengeRAT and BoratRAT.
AsyncRAT has been used by all types of threat actors, from nation-state and apex ransomware gangs to small emerging cybercrime groups in developing nations, in campaigns against an equally diverse set of victims globally. Notable campaigns leveraging AsyncRAT have targeted the aerospace, hospitality, IT, business services, and transportation sectors and government organizations across every region.
AsyncRAT’s core features allow an attacker to:
- Remotely record a target’s screen
- Log and exfiltrate keystrokes
- Import and execute additional malware
- Exfiltrate files on an infected system
- Maintain persistence and remotely reboot infected systems
- Disable the processes of IT security products
- Launch botnet-enabled DoS attacks on internet-accessible targets
How AsyncRAT Works
AsyncRAT is distributed using tactics and techniques spanning the breadth of initial access methods. The most common infection vectors include malspam and phishing campaigns that spoof legitimate notifications (such as DHL shipment updates) with malicious file attachments capable of exploiting recently disclosed vulnerabilities (such as Follina), Microsoft Office documents with malicious VBA macros, as well as malicious Microsoft OneNote documents, OpenDocument (.odt) documents, and executable files using the .xxe file extension.
Threat actors continue to develop and employ advanced and novel techniques for distributing AsyncRAT, including “fileless” injection, in which the main AsyncRAT binary is loaded into memory and executed without a file ever being written to the target system. For example, many AsyncRAT initial access attacks sequentially decode PowerShell scripts to avoid detection by advanced IT security products. AsyncRAT’s final payload is a .NET executable written in C# that follows a predictable execution flow.
Once executed, AsyncRAT’s main binary decrypts its configuration settings, which are stored as base64-encoded strings, using multi-stage AES-256 decryption; each value is accompanied by an HMAC-SHA256 that is checked to verify the decrypted contents. These settings determine AsyncRAT’s behavior, including the C2 configuration, whether to halt if a virtualization environment is detected, whether to establish persistence on the target, and whether to mark its own process as critical. On Windows, if a process marked “critical” terminates unexpectedly, the operating system raises a critical error and typically displays the “Blue Screen of Death” (BSOD).
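The verify-then-decrypt flow described above, as an added Go example that is not AsyncRAT’s code and does not reproduce its real on-disk format: an analyst-side decryptor for one configuration value, the kind of routine a config extractor is built around. The blob layout (HMAC-SHA256 tag, then IV, then AES-256-CTR ciphertext, with the tag covering IV and ciphertext), the key-split derivation, the hypothetical DecryptSetting/EncryptSetting names, and the sample setting string are all assumptions made for this demonstration; EncryptSetting exists only so the example can construct its own sample input offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Assumed blob layout (an illustration for this example, not a claim about
// AsyncRAT's real format): HMAC-SHA256(32) || IV(16) || AES-256-CTR ciphertext.
// The MAC covers IV || ciphertext; the decrypted bytes are a base64 string.
const (
	macLen = sha256.Size
	ivLen  = aes.BlockSize
)

// deriveKeys splits one 32-byte master key into separate encryption and MAC
// keys (constructed scheme for this example; one key must never serve both roles).
func deriveKeys(master []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append([]byte("enc:"), master...))
	m := sha256.Sum256(append([]byte("mac:"), master...))
	return e[:], m[:]
}

// tagOf computes HMAC-SHA256 over body with macKey.
func tagOf(macKey, body []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(body)
	return h.Sum(nil)
}

// DecryptSetting verifies the HMAC in constant time before the ciphertext is
// touched, then decrypts and base64-decodes the setting. Every failure path
// returns an error; nothing partially decrypted is ever returned.
func DecryptSetting(master, blob []byte) (string, error) {
	if len(blob) < macLen+ivLen+1 {
		return "", errors.New("blob too short")
	}
	encKey, macKey := deriveKeys(master)
	tag, body := blob[:macLen], blob[macLen:]
	if !hmac.Equal(tag, tagOf(macKey, body)) {
		return "", errors.New("HMAC verification failed: wrong key or tampered blob")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return "", err
	}
	iv, ct := body[:ivLen], body[ivLen:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	raw, err := base64.StdEncoding.DecodeString(string(pt))
	if err != nil {
		return "", fmt.Errorf("decrypted data is not base64: %w", err)
	}
	return string(raw), nil
}

// EncryptSetting builds a blob in the assumed layout; it exists only so the
// example can construct its own sample input offline.
func EncryptSetting(master []byte, setting string) ([]byte, error) {
	encKey, macKey := deriveKeys(master)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	pt := []byte(base64.StdEncoding.EncodeToString([]byte(setting)))
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	body := append(iv, ct...)
	return append(tagOf(macKey, body), body...), nil
}

// SampleKey is constructed key material for the demonstration only.
var SampleKey = bytes.Repeat([]byte{0x42}, 32)

func main() {
	// Constructed sample setting; the hostname uses the reserved .invalid TLD.
	blob, err := EncryptSetting(SampleKey, "c2=example.invalid:8443;anti_vm=true")
	if err != nil {
		panic(err)
	}
	setting, err := DecryptSetting(SampleKey, blob)
	fmt.Println("decrypted:", setting, "err:", err)
	blob[len(blob)-1] ^= 0x01 // flip one ciphertext byte
	_, err = DecryptSetting(SampleKey, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Checking the tag with hmac.Equal before any decryption is what makes an extractor robust when run over corrupted or deliberately hostile samples: a wrong key and a modified blob fail identically, and the decryptor never hands back partially decrypted data that a downstream parser might trust.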
AsyncRAT then checks for its default mutex, AsyncMutex_6SI8OkPnk, to avoid installing itself twice on a host. Next, AsyncRAT initiates an encrypted connection to a cloud-hosted C2 server or a public website such as Pastebin.com. AsyncRAT’s C2 servers are often hosted on compromised Amazon S3 buckets or Microsoft Azure instances. Once connected to a C2 server, the operator has complete control over the infected device through AsyncRAT’s administration application, which offers push-button access to AsyncRAT’s modules for carrying out secondary objectives.