October 31, 2024
By Cybervergent Team

AsyncRAT Malware Analysis Report

INTRODUCTION

AsyncRAT is a RAT that can monitor and remotely control infected systems. It was introduced on GitHub as a legitimate open-source remote administration tool, but hackers use it for its many powerful malicious functions, which include keylogging, screen recording, data exfiltration, and execution of additional malicious payloads. AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.

SUMMARY OF THE REPORT

This report aims to dissect AsyncRAT ransomware, uncovering its functionalities to aid threat mitigation and prevention strategies. We also explore its behavior, propagation methods, encryption techniques, and post-infection activities to provide valuable insights for cybersecurity professionals and researchers.

Static Malware Analysis

Inspecting the binary code or source code of the malware to identify characteristics, patterns, and behaviors without executing it.

Malware Sample:

The malware sample is a bin file named 5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311.bin

A .bin file is not inherently executable but may contain binary data, such as machine code, that could be used by an executable. Therefore, the current analysis is limited to static methods. Further behavioral analysis will be conducted once an executable version of AsyncRAT ransomware is obtained.

File Hash

The SHA256 and MD5 file hashes were extracted using the HashCalc tool and then cross-referenced on VirusTotal for fingerprinting.

SHA256:

5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311

MD5:

4fa7b1eec1fc84eb3a13c29e5a37aae7

File Hash Reputation: https://www.virustotal.com/gui/file/5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311

Strings Analysis

The functions used by the bin file fall into several groups: functions that evade security solutions, network capabilities, obfuscation techniques, file and memory modification operations, and execution of other payloads or programs on a compromised system.

Details of the functions detected mapped to MITRE Framework:

Command Strings Observed

T1059 | Command-Line Interface (cmd):

    /cschtasks /create /f /sc onlogon /rl highest /tn "
    START"" "
    DEL"
    Install Failed:
    Taskmgr.exe
    ProcessHacker.exe
    procexp.exe
    Regedit.exe

T1089 | Disabling Security Tools: taskkill.exe

PowerShell GUID: 3AE7B1AD-BFC8-4E77-AF1-B59DF15CACB7

Command Strings Interpretation:

Persistence: The bin file leverages PowerShell commands or command-line tools (cmd) to establish persistence via schtasks. The observed command creates a scheduled task (START"") that runs with the highest privileges at user logon, potentially launching a malicious process or script each time the user signs in.

File Deletion: The deletion attempt (DEL) targets critical executables (Taskmgr.exe, ProcessHacker.exe, procexp.exe, Regedit.exe) used for system monitoring, process management, and registry editing, aiming to impede detection and analysis.

Security Tool Disabling: Use of taskkill.exe (T1089) indicates efforts to terminate system security and monitoring tools, likely to evade detection or impede response actions.

PowerShell GUID: The PowerShell GUID suggests a specific script or operation, possibly malicious; it has no association with any legitimate Windows PowerShell GUID found online. This reinforces suspicions of malicious intent and warrants further investigation for tracking and analysis.

More Static Analysis:

Summary of the Malware Behavior:

The malware employs XOR encryption for obfuscation, incorporates a keylogger to capture sensitive user data, uses a mutex to prevent multiple instances for stealth, and implements hooks to monitor user activity, all aimed at stealing information and maintaining persistence on the infected system.

The binary references these schemas:

1. http://schemas.microsoft.com/SMI/2016/WindowsSettings

2. http://schemas.microsoft.com/SMI/2015/WindowsSettings

This shows an attempt to change system settings or policies to facilitate its malicious activities, evade detection, or maintain persistence on the infected system.

Recommendations

  1. Detailed monitoring of PowerShell and WScript activities, particularly focusing on the use of "conhost --headless".
  2. Utilize Sysmon logs to detect AsyncRAT behavior, using community rules.
  3. Enhance email filtering to detect and block obfuscated JavaScript and malicious OneNote attachments.
  4. Ensure all software, especially Microsoft Office, is updated to the latest versions to mitigate exploitation of vulnerabilities.
  5. Conduct regular training for users to recognize phishing attempts and avoid executing unknown attachments.
  6. Continuously update threat intelligence feeds to include the latest IOCs related to AsyncRAT.
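The following is an added example written for this report (not code from the original report or from the AsyncRAT project) showing how the command strings interpreted above and recommendations 1 and 2 translate into detection logic. It runs over constructed Sysmon Event ID 1 (process creation) records that imitate the schtasks persistence command, the DEL/taskkill attempts against monitoring tools, and a conhost --headless launch; the file paths, task names and event records are assumptions made up for the sample, and the T1053.005 / T1562.001 technique IDs are the current MITRE identifiers for the behaviors the report tags as T1059 and T1089.

```python
import re

# Constructed Sysmon Event ID 1 fields modelled on the strings in this report;
# these are sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c schtasks /create /f /sc onlogon /rl highest '
                    '/tn "START" /tr "C:\\Users\\Public\\svc.exe"'},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /im ProcessHacker.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c DEL "C:\Windows\System32\procexp.exe"'},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe --headless wscript.exe C:\\Users\\Public\\run.js"},
    {"Image": r"C:\Windows\System32\schtasks.exe",  # benign daily task, should not alert
     "CommandLine": 'schtasks /create /sc daily /tn "Backup" /tr "C:\\backup\\backup.exe"'},
]

# Monitoring tools the report saw next to the DEL string (lower-cased for matching).
MONITORED_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe", "regedit.exe"}

def detect(event):
    """Return a list of findings for one process-creation event (empty if nothing matched)."""
    cmd = event.get("CommandLine", "").lower()
    findings = []
    # Persistence: task created to run at logon with the highest run level (T1053.005).
    if re.search(r"\bschtasks\b.*/create", cmd) and "/sc onlogon" in cmd and "/rl highest" in cmd:
        findings.append("T1053.005 schtasks /sc onlogon /rl highest")
    # Defence evasion (report: T1089, now T1562.001): taskkill or del aimed at a monitoring tool.
    for tool in sorted(MONITORED_TOOLS):
        if tool in cmd and re.search(r"\b(taskkill|del)\b", cmd):
            findings.append(f"T1089 {'taskkill' if 'taskkill' in cmd else 'del'} -> {tool}")
    # Recommendation 1: conhost started headless to hide a scripting host window.
    if "conhost" in cmd and "--headless" in cmd:
        findings.append("conhost --headless wrapper")
    return findings

def scan(events):
    """Map each event index to its findings, skipping events with none."""
    return {i: f for i, e in enumerate(events) if (f := detect(e))}

if __name__ == "__main__":
    for i, f in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"], f)
```

The same rules apply unchanged to exported Sysmon or EDR process-creation logs once the CommandLine field is extracted.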

By implementing these measures, organizations can improve their defenses against AsyncRAT and similar threats, ensuring a more secure environment.