The Persistent Threat of AsyncRAT: A Comprehensive 11-Month Cyber Operation

Over the past 11 months, an active campaign has been distributing the AsyncRAT malware to selected targets. The campaign has used hundreds of unique loaders and more than 100 domains.

AsyncRAT is an open-source remote access tool for Windows, available since 2019. It encompasses capabilities for remote command execution, keylogging, data exfiltration, and downloading additional payloads.

Cybercriminals actively utilize this tool, both in its original and modified forms, to gain access to target systems, steal files and data, and spread further malicious software.

Microsoft security researcher Igal Litcki discovered attacks conducted through hijacked emails last summer but was unable to obtain the final payload.

In September, the Alien Labs team at AT&T noticed “a surge in phishing emails targeted at specific individuals in particular companies” and initiated an investigation.

“Victims and their companies are meticulously selected to amplify the impact. Some of the identified targets manage key infrastructure in the USA,” stated AT&T Alien Labs.

The attacks commence with a malicious email containing a GIF attachment, leading to an SVG file that downloads obfuscated JavaScript and PowerShell scripts.

Once its sandbox-detection checks pass, the loader communicates with the command-and-control (C2) server and determines whether the victim is a suitable target for AsyncRAT infection.

The loader uses hard-coded C2 domains hosted on BitLaunch, a hosting service that accepts anonymous cryptocurrency payments, which makes it convenient for cybercriminals.

If the loader determines that it is running in an analysis environment, it deploys decoy payloads, likely to mislead security researchers and threat-detection tools.

The loader's sandbox-evasion routine consists of a series of PowerShell commands that gather system information and compute a score indicating whether it is running inside a virtual machine.

AT&T Alien Labs researchers found that over the last 11 months the threat actor used 300 unique loader samples, each with slight variations in code structure, obfuscation, names, and variable values.

Another observation by the researchers is the use of a Domain Generation Algorithm (DGA) that generates new C2 domains every Sunday.

According to AT&T Alien Labs, the domains used in the campaign share a specific structure: they use the top-level domain “top,” consist of eight random alphanumeric characters, are registered through Nicenic.net using the South African country code, and are hosted on DigitalOcean.

The AT&T team reverse-engineered the DGA's logic and even predicted the domains it would generate and assign to the malware in January 2024.
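A defender-side triage filter built from the domain structure described above, added here as an example and not code from AT&T Alien Labs or from the campaign. The eight-alphanumeric-character ".top" pattern is a heuristic derived from the article, not the actual DGA; the DNS log lines and the Sunday-start week grouping (mirroring the weekly rotation the researchers observed) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Heuristic from the article's description: eight alphanumeric characters
# under the "top" TLD. This is a triage filter, not the real DGA.
CANDIDATE_RE = re.compile(r"^[a-z0-9]{8}\.top$")

# Constructed sample DNS query log lines: "<ISO timestamp> <client> <qname>"
SAMPLE_DNS_LOG = """\
2024-01-07T03:12:44Z 10.0.0.5 a1b2c3d4.top
2024-01-07T03:12:45Z 10.0.0.5 updates.example.com
2024-01-09T11:02:10Z 10.0.0.7 a1b2c3d4.top
2024-01-14T00:30:01Z 10.0.0.5 q9w8e7r6.top
2024-01-15T08:45:12Z 10.0.0.9 login.microsoftonline.com
2024-01-16T09:00:00Z 10.0.0.9 abcd123.top
"""

def normalize(qname: str) -> str:
    """Lower-case the query name and drop a trailing root dot."""
    return qname.strip().lower().rstrip(".")

def is_candidate_dga_domain(qname: str) -> bool:
    """Return True if qname matches the structure described for the campaign."""
    return CANDIDATE_RE.match(normalize(qname)) is not None

def week_bucket(d: date) -> date:
    """Map a date to the Sunday that starts its week (the rotation cadence)."""
    # Python weekday(): Monday=0 ... Sunday=6, so a Sunday maps to itself.
    return d - timedelta(days=(d.weekday() + 1) % 7)

def triage_dns_log(log_text: str) -> dict:
    """Group candidate domains by Sunday-start week; value is the set of clients."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, qname = parts
        if not is_candidate_dga_domain(qname):
            continue
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        buckets[week_bucket(seen)][normalize(qname)].add(client)
    return {week: dict(domains) for week, domains in buckets.items()}

if __name__ == "__main__":
    for week, domains in sorted(triage_dns_log(SAMPLE_DNS_LOG).items()):
        print(week, domains)
```

Flagged domains are candidates for enrichment (registrar, hosting, first-seen date), not verdicts; a legitimate eight-character ".top" name will match the same way.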

While researchers do not attribute the attacks to a specific adversary, they note that “the malefactors value discretion,” as evidenced by the efforts to obfuscate the samples.

The Alien Labs team published a set of indicators of compromise (IoCs) together with Suricata network-detection signatures, which organizations can use to identify intrusions associated with the AsyncRAT campaign.