Summary
AsyncRAT is an open-source remote administration tool released on GitHub in January 2019. It is designed to remotely control computers over an encrypted connection, providing complete control through functionalities such as:
- View and record screen
- Keylogger
- Upload, download and execute files
- Chat communication
- Persistence mechanisms
- Disable Windows Defender
- Shutdown / Restart the machine
- DOS attack
Although the official GitHub repository contains a legal disclaimer, AsyncRAT is popularly used by attackers and even some APT groups. Netskope Threat Labs recently came across a FUD (Fully Undetected) Batch script that downloads AsyncRAT from an Amazon S3 bucket. At the time of our analysis, the Batch script was not detected by any of the antivirus engines on VirusTotal. The attacker used some simple techniques to make the script fly under the radar, as we will describe later in this analysis.
The downloaded file (second stage) is a PowerShell script that creates and uses multiple files to execute AsyncRAT, which is injected into a legitimate process.
In this blog post, we will analyze the complete infection flow of AsyncRAT, from the FUD BAT downloader spotted by the MalwareHunterTeam to the last payload.
Stage 01 – FUD Downloader
The first stage is a batch script that contains zero detections on VirusTotal.
Although no AV vendor is detecting the file, it contains many detections via Sigma and IDS rules, as well as by sandboxes used by VirusTotal.
The lack of detection is likely due to a long string that the attacker added to the file many times (more than 100).
The string is always the same and is in Japanese. A rough translation suggests it is made up of nonsense words added by the attacker.
The malicious command itself is quite simple and sits among the nonsense strings. It is slightly obfuscated, which probably also contributes to the absence of detection.
The command downloads and executes the second stage via PowerShell from an Amazon S3 bucket.
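The padding trick described above (one filler string repeated over a hundred times around a short command) is easy to undo during triage. The following Python helper is an added example, not code from the original post: it treats any line that repeats at least N times as padding, strips it, and flags what remains for manual review. The batch content, the filler line and the placeholder command are all constructed here; they are not the actual sample.

```python
"""Triage helper for padded batch downloaders (added, constructed example)."""
from collections import Counter

# Constructed stand-in for the padded script: one filler line repeated
# many times (the real sample used a nonsense Japanese string) around a
# short, labelled placeholder command. This is NOT the real malware content.
FILLER = "rem ほげほげ filler line (constructed placeholder)"
SAMPLE_BAT = "\n".join(
    [FILLER] * 60
    + ["@echo off"]
    + [FILLER] * 60
    + ['powershell -w hidden -c "[PLACEHOLDER download and execute]"']
    + [FILLER] * 60
)


def strip_padding(text: str, min_repeats: int = 10):
    """Return (filler_lines, candidate_lines).

    Any non-blank line that occurs at least `min_repeats` times is treated
    as padding and dropped; the lines left over are the ones worth a look.
    """
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    counts = Counter(ln for ln in lines if ln.strip())
    filler = {ln for ln, n in counts.items() if n >= min_repeats}
    candidates = [ln for ln in lines if ln.strip() and ln not in filler]
    return filler, candidates


def suspicious(candidates):
    """Flag candidate lines that invoke common download/execute helpers."""
    markers = ("powershell", "certutil", "bitsadmin", "mshta", "rundll32", "curl", "wget")
    return [ln for ln in candidates if any(m in ln.lower() for m in markers)]


if __name__ == "__main__":
    filler, cands = strip_padding(SAMPLE_BAT)
    print(f"removed {len(filler)} distinct filler line(s); {len(cands)} line(s) remain")
    for ln in suspicious(cands):
        print("  ->", ln)
```

On a real sample, point `strip_padding` at the file contents instead of `SAMPLE_BAT`; the de-obfuscation of whatever command remains is still a manual step.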
Stage 02 – PowerShell
The file downloaded from the Amazon S3 bucket is a PowerShell script. As shown in the diagram in the summary section, this script creates multiple files to execute the last stage.
First, it creates a folder named “Not” in “C:\ProgramData”.
Then, it creates five files in this directory. The primary goal of this stage is to run another PowerShell script in a chained execution, described below:
- File “xx.vbs” is executed by the second stage;
- File “xx.vbs” executes file “xx.bat”;
- File “xx.bat” executes file “Bin.vbs” via scheduled task;
- File “Bin.vbs” executes file “Bin.bat”;
- And finally, “Bin.bat” executes “Bin.ps1” via PowerShell.