AsyncRAT Malware

What Is AsyncRAT Malware?

AsyncRAT is an open-source remote access trojan (RAT) published on GitHub in 2019. In practice it is used as a credential stealer and as a loader for other malware, including ransomware. It manages many infected hosts botnet-style and provides a command and control (C2) console from which operators control them remotely. Despite the legal disclaimer on its GitHub page and its self-description as a legitimate open-source remote administration tool, AsyncRAT is used almost exclusively by cybercriminal threat actors.

Use of AsyncRAT has grown steadily since its release, with sharp bursts of popularity, and it is now considered a top threat. It is related to several other malware families: its code base descends from Quasar RAT, and it has in turn served as the starting point for RevengeRAT and BoratRAT.

AsyncRAT has been used by threat actors of every tier, from nation-state groups and established ransomware gangs to small, emerging cybercrime groups, against an equally diverse set of victims worldwide. Notable campaigns have targeted the aerospace, hospitality, IT, business services and transportation sectors, as well as government organizations, across every region.


AsyncRAT’s core features allow an attacker to:

  • Remotely view and record a target's screen
  • Log and exfiltrate keystrokes
  • Download and execute additional malware
  • Exfiltrate files from an infected system
  • Maintain persistence and remotely reboot infected systems
  • Kill the processes of IT security products
  • Launch botnet-enabled DoS attacks on internet-accessible targets

How AsyncRAT Works

AsyncRAT is distributed through the full breadth of initial access techniques. The most common infection vectors are malspam and phishing campaigns that spoof legitimate notifications (DHL shipment updates, for example) and carry malicious attachments: documents that exploit recently disclosed vulnerabilities such as Follina (CVE-2022-30190, the MSDT protocol-handler flaw triggered from an Office document), Microsoft Office documents with malicious VBA macros, malicious Microsoft OneNote documents, OpenDocument (.odt) files, and executables delivered with the .xxe file extension.

Threat actors continue to develop new delivery techniques for AsyncRAT, including "fileless" delivery, in which the AsyncRAT assembly is loaded into memory and executed without ever being written to disk as a file. A common pattern is a chain of PowerShell stages, each of which decodes (typically from Base64) and runs the next, so that no single stage looks obviously malicious to a security product. The final payload is a .NET executable written in C#, and because the project's source is public its execution flow is predictable.
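The staged PowerShell pattern above is easiest to understand by unwrapping one. The following is an added example in Go, not code from the page or from the AsyncRAT project: it peels nested -EncodedCommand layers (Base64 of UTF-16LE script, the encoding PowerShell itself uses) and flags strings that suggest an in-memory .NET loader. The three-layer sample command, the marker list and the function names are constructed for this example; the Base64 inside the innermost stage is only a truncated MZ header, not a payload.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
// the argument is Base64 of the script encoded as UTF-16LE.
var encodedArg = regexp.MustCompile(`(?i)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})`)

// Strings whose presence in a decoded stage suggests an in-memory loader (example list).
var loaderMarkers = []string{
	"FromBase64String", "Reflection.Assembly", "::Load(", "Invoke-Expression",
	"IEX", "DownloadString", "-w hidden", "-WindowStyle Hidden",
}

// encodeCommand builds a -EncodedCommand argument (UTF-16LE, then Base64).
// Used only to construct the sample below; attackers' builders do the same thing.
func encodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// DecodeEncodedCommand reverses encodeCommand and rejects input that is not UTF-16LE.
func DecodeEncodedCommand(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", fmt.Errorf("odd length %d: not UTF-16LE", len(raw))
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// Unwrap peels nested -EncodedCommand layers and returns every stage, outermost first.
// maxDepth bounds the loop so a crafted input cannot keep the analyst tool spinning.
func Unwrap(cmd string, maxDepth int) ([]string, error) {
	stages := []string{cmd}
	for depth := 0; depth < maxDepth; depth++ {
		m := encodedArg.FindStringSubmatch(stages[len(stages)-1])
		if m == nil {
			return stages, nil // innermost stage reached
		}
		next, err := DecodeEncodedCommand(m[1])
		if err != nil {
			return stages, fmt.Errorf("stage %d: %w", depth+1, err)
		}
		stages = append(stages, next)
	}
	return stages, fmt.Errorf("still encoded after %d layers", maxDepth)
}

// LoaderIndicators lists which loader markers appear in a stage (case-insensitive).
func LoaderIndicators(stage string) []string {
	var hits []string
	low := strings.ToLower(stage)
	for _, m := range loaderMarkers {
		if strings.Contains(low, strings.ToLower(m)) {
			hits = append(hits, m)
		}
	}
	return hits
}

// SampleCommand is a constructed three-layer chain: the innermost stage loads a .NET
// assembly straight from a byte array (the Base64 here is only a truncated MZ header,
// not a real payload).
func SampleCommand() string {
	inner := "$b=[Convert]::FromBase64String('TVqQAAMAAAAEAAAA');" +
		"[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"
	mid := "powershell -nop -w hidden -enc " + encodeCommand(inner)
	return "powershell.exe -NoProfile -EncodedCommand " + encodeCommand(mid)
}

func main() {
	stages, err := Unwrap(SampleCommand(), 10)
	if err != nil {
		fmt.Println("error:", err)
	}
	for i, s := range stages {
		fmt.Printf("stage %d: %s\n", i, s)
	}
	fmt.Println("indicators:", LoaderIndicators(stages[len(stages)-1]))
}
```

The point of decoding every stage rather than just the outer command line is that detection content written against the visible process command line sees only Base64; the loader markers only appear once the last layer is decoded, which is also what PowerShell script block logging records.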

Once executed, AsyncRAT's main binary decrypts its embedded configuration. Each setting is stored as a Base64-encoded string; the decoded blob carries an HMAC-SHA256 that the client verifies before decrypting the remaining bytes with AES-256, so a modified or mis-keyed blob is rejected rather than decrypted into garbage. These settings determine AsyncRAT's behaviour, including the C2 hosts and ports, whether to exit if a virtualization environment is detected, whether to establish persistence on the target, and whether to mark its own process as critical. On Windows, the unexpected termination of a process flagged as critical triggers a system crash, typically shown as the "Blue Screen of Death" (BSOD), which discourages analysts and security tools from simply killing the process.
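The verify-then-decrypt step described above, as an added example in Go. This is not the AsyncRAT project's code: the blob layout (tag || IV || ciphertext), the PBKDF2 derivation of a 32-byte AES key followed by a 64-byte HMAC key from an embedded master key, and the salt and iteration count are assumptions chosen to illustrate the scheme. An analyst writing a configuration extractor would replace those constants with the ones recovered from the specific sample; EncryptSetting is included only so the block can build its own test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Assumed blob layout: HMAC-SHA256 tag (32 bytes) || IV (16 bytes) || AES-256-CBC ciphertext,
// tag computed over IV||ciphertext. Keys: PBKDF2-HMAC-SHA256 over an embedded master key,
// first 32 bytes for AES, next 64 for HMAC. Salt and iteration count are example values.
const kdfIterations = 50000
var exampleSalt = []byte("example-salt-replace-with-sample-value")

// pbkdf2SHA256 is a minimal PBKDF2 (RFC 8018) so the block needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func KeysFromMaster(master string) (aesKey, macKey []byte) {
	k := pbkdf2SHA256([]byte(master), exampleSalt, kdfIterations, 32+64)
	return k[:32], k[32:]
}

// DecryptSetting checks the tag before touching the ciphertext (encrypt-then-MAC), so a
// wrong key or a tampered blob is rejected instead of being decrypted into garbage.
func DecryptSetting(b64 string, aesKey, macKey []byte) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	// Need tag + IV + at least one block, and IV||ciphertext must be block-aligned.
	if len(blob) < sha256.Size+2*aes.BlockSize || (len(blob)-sha256.Size)%aes.BlockSize != 0 {
		return "", fmt.Errorf("malformed blob of %d bytes", len(blob))
	}
	tag, body := blob[:sha256.Size], blob[sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	if !hmac.Equal(tag, m.Sum(nil)) { // constant-time comparison
		return "", fmt.Errorf("HMAC mismatch: wrong key or tampered blob")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad PKCS#7 padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

// EncryptSetting writes a blob in the same layout; it exists only to build sample data
// (the malware builder does the equivalent when it stamps settings into the client).
func EncryptSetting(plain string, aesKey, macKey []byte) (string, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand: random IV per setting
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	body := append(iv, ct...)
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return base64.StdEncoding.EncodeToString(append(m.Sum(nil), body...)), nil
}

func main() {
	aesKey, macKey := KeysFromMaster("example-master-key")
	blob, _ := EncryptSetting("AsyncMutex_6SI8OkPnk", aesKey, macKey)
	fmt.Println(DecryptSetting(blob, aesKey, macKey))
}
```

Because the MAC is checked first, a wrong master key fails at the HMAC comparison rather than at the padding check. That is the practical consequence for analysts: recovering a sample's configuration requires the exact key material and KDF parameters from that build, and a padding oracle against the AES layer alone does not exist here.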

AsyncRAT then checks for its mutex (AsyncMutex_6SI8OkPnk by default) so that it does not run twice on the same host. Next it opens a TLS-encrypted connection to its C2 server; depending on configuration it may first retrieve the current C2 address from a public paste site such as Pastebin.com. C2 servers are frequently hosted on cloud infrastructure, including Amazon and Microsoft Azure instances, sometimes on compromised accounts. Once connected, the operator has complete control of the infected device through AsyncRAT's server console, which exposes the client's modules as point-and-click actions for carrying out secondary objectives.

Signs of an AsyncRAT Attack

AsyncRAT infections can be difficult to detect. The malware creates a mutex (AsyncMutex_6SI8OkPnk by default) that can be spotted in a memory image or with a handle-enumeration tool, but operators usually change it in the builder. Many of the delivery methods used in AsyncRAT campaigns are novel and evade most anti-virus products, and because the delivery chain is often fileless, catching AsyncRAT at execution time depends on security products that evaluate process behaviour rather than files on disk. Behaviours worth alerting on include an Office application or msdt.exe spawning a hidden PowerShell process that runs an encoded command, a .NET assembly loaded from memory rather than from a file, a scheduled task or Run key pointing into a user-writable directory, and a new outbound TLS session to an unfamiliar host, especially on one of the project's default ports (6606, 7707, 8808) or presenting a self-signed certificate (the project's default certificate uses the subject name AsyncRAT Server).
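A minimal version of that behavioural check, as an added example in Go (not from the page or the AsyncRAT project): four generic rules run over process-creation records of the kind Sysmon Event ID 1 produces. The record format, the rule names, the application lists and the sample lines are constructed for this example; the rules are heuristics for the delivery chain described above, not a signature for any particular AsyncRAT build.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Event is the subset of a process-creation record the rules need.
type Event struct {
	ParentImage, Image, CommandLine string
}

// ParseEvent reads the constructed "key=value | key=value" record format used below.
func ParseEvent(line string) Event {
	var e Event
	for _, field := range strings.Split(line, " | ") {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "ParentImage":
			e.ParentImage = kv[1]
		case "Image":
			e.Image = kv[1]
		case "CommandLine":
			e.CommandLine = kv[1]
		}
	}
	return e
}

// base returns the lower-cased file name of a Windows path (works on any host OS).
func base(p string) string { return strings.ToLower(path.Base(strings.ReplaceAll(p, `\`, "/"))) }

func containsAny(s string, subs []string) bool {
	for _, sub := range subs {
		if strings.Contains(s, sub) {
			return true
		}
	}
	return false
}

var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true, "outlook.exe": true, "onenote.exe": true}
var scriptHosts = map[string]bool{"powershell.exe": true, "pwsh.exe": true, "cmd.exe": true, "wscript.exe": true,
	"cscript.exe": true, "mshta.exe": true, "msdt.exe": true, "rundll32.exe": true, "regsvr32.exe": true}
var userPaths = []string{`\appdata\`, `\temp\`, `\downloads\`, `\public\`}

// Evaluate returns the names of every rule the event triggers, in a fixed order.
func Evaluate(e Event) []string {
	var hits []string
	parent, image := base(e.ParentImage), base(e.Image)
	c := strings.ToLower(e.CommandLine)
	if officeApps[parent] && scriptHosts[image] {
		hits = append(hits, "office-spawns-script-host")
	}
	if image == "msdt.exe" && strings.Contains(c, "ms-msdt:") { // Follina-style invocation
		hits = append(hits, "msdt-ms-msdt-handler")
	}
	if (image == "powershell.exe" || image == "pwsh.exe") &&
		containsAny(c, []string{"-w hidden", "-windowstyle hidden"}) &&
		containsAny(c, []string{" -e ", " -enc ", " -encodedcommand "}) {
		hits = append(hits, "hidden-encoded-powershell")
	}
	if image == "schtasks.exe" && strings.Contains(c, "/create") && strings.Contains(c, "/sc onlogon") && containsAny(c, userPaths) {
		hits = append(hits, "logon-task-to-user-path")
	}
	return hits
}

// ScanLog evaluates each record and returns hits keyed by line index; clean lines are absent.
func ScanLog(lines []string) map[int][]string {
	out := map[int][]string{}
	for i, l := range lines {
		if h := Evaluate(ParseEvent(l)); len(h) > 0 {
			out[i] = h
		}
	}
	return out
}

// SampleLog is constructed for this example: a Follina-style chain (Word -> msdt ->
// hidden PowerShell -> logon task into AppData) followed by one benign event.
var SampleLog = []string{
	`ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | Image=C:\Windows\System32\msdt.exe | CommandLine=C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param IT_BrowseForFile=$(IEX($p))`,
	`ParentImage=C:\Windows\System32\msdt.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACQAcAApAA==`,
	`ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Image=C:\Windows\System32\schtasks.exe | CommandLine=schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr "C:\Users\alice\AppData\Roaming\svchost.exe"`,
	`ParentImage=C:\Windows\explorer.exe | Image=C:\Program Files\Google\Chrome\Application\chrome.exe | CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe"`,
}

func main() {
	for i, hits := range ScanLog(SampleLog) {
		fmt.Printf("line %d: %v\n", i, hits)
	}
}
```

None of these rules names AsyncRAT, and that is deliberate: the mutex and the C2 port are trivially changed in the builder, while an Office process launching msdt.exe with an ms-msdt: handler, or PowerShell running hidden with an encoded command, is the behaviour the delivery chain cannot avoid.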

How to Prevent an AsyncRAT Attack

Wherever opportunities for initial access exist, threat actors will seek to exploit them. Preventing an AsyncRAT attack therefore means closing every plausible path onto an organization's endpoints and network: user awareness training against phishing and targeted spear-phishing; patching the vulnerabilities abused in delivery (Follina, CVE-2022-30190, in particular); blocking macros in documents that arrive from the internet and treating OneNote, .odt and unusual executable extensions with the same suspicion; enabling PowerShell script block logging (Windows event ID 4104) so that staged, encoded loaders are recorded in decoded form; and deploying security products on all endpoints that detect and block malicious processes, including in-memory-only payloads, rather than only scanning files.

As a human-centric subscription-based 24x7x365 Managed XDR service, CylanceGUARD® provides the expertise and support businesses need to prevent and protect against ransomware attacks. CylanceGUARD combines the comprehensive expertise embodied by BlackBerry® Security Services with AI-based Endpoint Protection (EPP) and on-device threat detection and remediation through CylanceENDPOINT®. In short, CylanceGUARD provides businesses with the people and technology needed to protect the enterprise from the modern threat landscape.