AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers over an encrypted connection. It is an open source remote administration tool, but it can also be used maliciously, because it provides functionality such as a keylogger, remote desktop control, and many other functions that can harm the victim's computer. AsyncRAT can be delivered by various methods, including spear-phishing, malvertising and exploit kits. Figure 1 shows part of a screenshot of the AsyncRAT panel menu.

Figure 1: AsyncRAT Panel Menu

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against AsyncRAT.

Behavioral Summary

Depending on the configuration the attacker selects in the AsyncRAT panel, its features can be used to perform malicious activities such as stealing sensitive data, disabling security software, installing additional malicious payloads on the victim's computer, and many other harmful actions.

Its features include (reference from here):

  • Client screen viewer & recorder
  • Client Antivirus & Integrity manager
  • Client SFTP access including upload & download
  • Client & Server chat window
  • Client Dynamic DNS & Multi-Server support (Configurable)
  • Client Password Recovery
  • Client JIT compiler
  • Client Keylogger
  • Client Anti Analysis (Configurable)
  • Server Controlled updates
  • Client Antimalware Start-up
  • Server Config Editor
  • Server multiport receiver (Configurable)
  • Server thumbnails
  • Server binary builder (Configurable)
  • Server obfuscator (Configurable)
  • And much more!


Figure 2: Depending on the configuration, AsyncRAT can perform many harmful activities, such as disabling Windows Defender. (Process chart from CB Response)

CB Defense also displays the overall set of TTPs triggered by the malware.


If you are a Carbon Black customer looking to learn more about how to defend against this attack, click here.

Remediation:

MITRE ATT&CK TIDs

| TID | Tactic | Description |
| --- | --- | --- |
| T1005 | Collection | Data from Local System |
| T1123 | Collection | Audio Capture |
| T1125 | Collection | Video Capture |
| T1082 | Discovery | System Information Discovery |
| T1083 | Discovery | File and Directory Discovery |
| T1087 | Discovery | Account Discovery |
| T1063 | Discovery | Security Software Discovery |
| T1107 | Defense Evasion | File Deletion |
| T1105 | Command and Control, Lateral Movement | Remote File Copy |
| T1043 | Command and Control | Commonly Used Ports |
| T1132 | Command and Control | Data Encoding |
| T1002 | Exfiltration | Data Compressed |


Indicators of Compromise (IOCs)

| Indicator | Type | Context |
| --- | --- | --- |
| cb5d8d1841cea541cadb4f20a99706325d84b1eb94d18cc254d14600960d5ee2 | SHA256 | AsyncRAT |
| 7088fe608444abff9268cc3af57f69e6 | MD5 | AsyncRAT |
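As an added example (not code from this post or from Carbon Black), a small Python scanner that hashes every file under a directory and reports any whose SHA256 or MD5 matches the indicators listed above; the scan root and file layout are assumptions, and the indicator set can be swapped for your own feed.

```python
import hashlib
import os

# Indicators of compromise from the table above (SHA256 and MD5 of the analysed AsyncRAT sample).
ASYNCRAT_IOCS = {
    "sha256": {"cb5d8d1841cea541cadb4f20a99706325d84b1eb94d18cc254d14600960d5ee2"},
    "md5": {"7088fe608444abff9268cc3af57f69e6"},
}


def hash_file(path, chunk_size=1 << 20):
    """Return {'sha256': hex, 'md5': hex} for one file, read in chunks so large files fit in memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def scan_tree(root, iocs=ASYNCRAT_IOCS):
    """Walk `root` and return (path, algorithm, digest) for every file matching an indicator.

    Both digests are compared so a hit on either algorithm is reported; files that cannot
    be read (permissions, vanished during the walk) are skipped rather than aborting the scan.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs.get(algo, set()):
                    hits.append((path, algo, digest))
    return hits


if __name__ == "__main__":
    import sys

    # Assumed usage: python scan.py <directory>; defaults to the current directory.
    for path, algo, digest in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {algo} {digest} {path}")
```

A hash match is only the starting point: confirm the hit against the process and network activity CB Response shows for the host, since a single modified byte in a rebuilt client defeats exact-hash matching.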