AsyncRAT’s Infection Tactics via Open Directories: Technical Analysis

ANY.RUN, a leader in interactive malware analysis and threat intelligence, has released a technical analysis authored by RacWatchin8872 documenting new techniques used in multi-stage attacks involving AsyncRAT. The report details how attackers exploit open directories to distribute AsyncRAT, examines the infection mechanisms, and offers indicators of compromise (IOCs) for identifying and mitigating this persistent threat.

Ā 

Overview

AsyncRAT is a type of Remote Access Trojan (RAT) malware designed to stealthily infiltrate systems and give attackers remote control over infected devices. It is commonly used for spying, data theft, and manipulation of compromised systems.Ā 

Recently, two open directories surfaced, each employing unique methods to distribute and infect victims with AsyncRAT. These techniques highlight the persistent threat posed by this malware and its diverse infection strategies.

Technique 1: Infiltration via Open Directory Structure

Open Directory

While investigating malicious open directories exposed to the internet, I discovered one with an unusual structure.Ā 

The directory contained the following files:

  • A text file with an extensive string that turned out to be a VBS script

  • A JPG file that was actually a disguised ZIP archive

Figure 1 – Open directory structure

Analysis of the Txt file

The text fileā€™s extensive string conceals an obfuscated VBS script. It uses random variables to store parts of the text that will be used to download the JPG file.

Figure 2 – Obfuscated VBS code

To make it easier to read we just need to make a few changes:

  1. Replace the variables with the actual text,

  2. Use intuitive names for variables that are used to write or download files.

Figure 3 – Deobfuscated VBS code

Now we see that the VBS script creates an XML file OMjRRRRRRRRRRRRRRRRRRRRvbK.xml located at C:UsersPublic. The content of the XML file contains a PowerShell script that downloads the disguised JPG file, saves it, and extracts it to the same directory.

Once extracted, the process continues by executing another script, TesKKKeLAvaYdAfbBS.vbs. Then, it cleans up by deleting both the XML and ZIP files.

Figure 4 – TesKKKeLAvaYdAfbBS.vbs obfuscated

To make it simple to read, we just need to make a few changes:

  1. Replace the variables with the actual text,

  2. Use intuitive names for variables that are in use,

  3. Delete all the If Statements that execute the same code regardless of the result.

By making these changes, we can transform a 34-line VBS script into a simpler 6-line version that is easier to read.

Figure 5 – Clean TesKKKeLAvaYdAfbBS.vbs

Analyze malware inside ANY.RUNā€™s Interactive Sandbox for free ā†’

Analysis of the Bat file

The BAT script is also obfuscated, but it is possible to understand its purpose by reading the values stored inside the variables vertically.

Uma imagem com texto, captura de ecrĆ£, software, Software de multimĆ©dia

DescriĆ§Ć£o gerada automaticamente

Figure 6 – KKKKKKllLavIOOOOOtesAA.bat file

Its role is to execute PowerShell without a prompt window. It initiates the next stage by running KiLOvBeRNdautESaatnENn.ps1

Analysis of the PowerShell (PS1) file

The PS1 file is a simple script that creates a scheduled task named ‘tMicNet Work40,’ which runs UhLQoyDAMaCUTPaE.vbs every 2 minutes.Ā 

Uma imagem com texto, captura de ecrĆ£, Tipo de letra, software

DescriĆ§Ć£o gerada automaticamente

Figure 7 – Scheduled task created by PowerShell

Analysis of the Second VBS file

UhLQoyDAMaCUTPaE.vbs has the same structure as the previous VBS (TesKKKeLAvaYdAfbBS.vbs), so we can use the same technique to make the script easier to read and analyze.

Figure 8 – UhLQoyDAMaCUTPaE.vbs obfuscated

Using the same technique we will get this result:

Uma imagem com texto, captura de ecrĆ£, Tipo de letra

DescriĆ§Ć£o gerada automaticamente

Figure 9 – UhLQoyDAMaCUTPaE.vbs deobfuscated

Analysis of The Second BAT file

aaaNOOTKiiiLAViiiiOOs.bat has the same structure as the previous BAT (KKKKKKllLavIOOOOOtesAA.bat), so by reading it vertically, we can figure out what the file does.

Uma imagem com texto, captura de ecrĆ£, software, Website

DescriĆ§Ć£o gerada automaticamente

Figure 10 – aaaNOOTKiiiLAViiiiOOs.bat

The BAT file executes the last stage, which is a Powershell file.

Analysis of the Last Stage

The final stage is obfuscated by changing the variable names to make the code harder to interpret. Instead of giving a straightforward name to the variable, they break the word into pieces, mix them up, and then call each position to reconstruct the variable name.Ā 

To simplify the analysis, we can deconstruct the code in a similar way, isolating each piece to make the script clearer and easier to understand.

Uma imagem com texto, captura de ecrĆ£, software

DescriĆ§Ć£o gerada automaticamente

Figure 11 ā€“ Analysis of the last stage

The first part of the code is a function that receives a string and converts it from hexadecimal to a 32-bit integer.Ā 

Uma imagem com texto, captura de ecrĆ£, Tipo de letra

DescriĆ§Ć£o gerada automaticamente

Figure 12 – First part of the final stage

The second part of the code contains two variables with large strings. Both strings use a replace function to retrieve the correct value, which are then sent to the ‘PARSer’ for further processing.

Uma imagem com texto, captura de ecrĆ£, Tipo de letra, software

DescriĆ§Ć£o gerada automaticamente

Figure 13 ā€“ Second part of the last stage

The last part of the final stage is simply loading the files into memory to execute them.

Uma imagem com texto, captura de ecrĆ£, Tipo de letra

DescriĆ§Ć£o gerada automaticamente

Figure 14 – Last part of the last stage

With the help of CyberChef, we can apply the same technique as shown in the second part of the final stage to retrieve the values inside the two variables and see what they really are:

The first variable is a DLL:

Figure 15 – AsyncRAT DLL

Ā 

The second variable is an EXE:

Figure 16 – AsyncRAT EXE

By running both in ANY.RUN sandbox, it is possible to gather information about the C2, ports, certificates, mutex, and more.

Uma imagem com texto, captura de ecrĆ£, nĆŗmero, Tipo de letra

DescriĆ§Ć£o gerada automaticamente

Figure 17 – Text report generated by ANY.RUN sandbox

– Second Technique

Open Directory

The structure of the second open directory mirrors the first, containing two files: a TXT file and a JPG file.Ā 

The TXT file, with a shorter name, is a VBS script, while the JPG file hides a PowerShell script in disguise.

Uma imagem com texto, captura de ecrĆ£, software, Tipo de letra

DescriĆ§Ć£o gerada automaticamente

Figure 18 – Open directory

Analysis of the Txt file

In this case, the TXT file contains a VBS script that is easier to interpret due to its comments. It includes an array storing commands to download the disguised JPG file.

Uma imagem com coser, padrĆ£o, tecido

DescriĆ§Ć£o gerada automaticamente

Figure 19- VBS script

To simplify the script further, we can delete the array and store all the array values in a single variable.

Uma imagem com texto, captura de ecrĆ£, Tipo de letra, file

DescriĆ§Ć£o gerada automaticamente

Figure 20 – Cleaning VBS script

Analysis of the Powershell file

The PowerShell file performs 2 main functions:

1.File creation and content writing – Creates three files essential to the infection process.

2.Scheduled task setup – Schedules a task to ensure repeated execution, thereby maintaining the AsyncRAT infection.

File Creation

The Powershell creates 3 files:

First file:

This obfuscated file stores and executes the values of EXE and DLL files related to AsyncRAT directly in memory.

Uma imagem com texto, captura de ecrĆ£, software, Tipo de letra

DescriĆ§Ć£o gerada automaticamente

Figure 21 – First file created by the Powershell file

Ā 

After cleaning the file, it removes ‘%&%’ from both variables, converts them from hexadecimal, and then loads and executes them into memory.

Uma imagem com texto, captura de ecrĆ£, Tipo de letra, nĆŗmero

DescriĆ§Ć£o gerada automaticamente

Figure 22 ā€“ Loading file into memory

By carrying out the above-mentioned processes via CyberChef, we get the following results:

Figure 23 – AsyncRAT Exe

Figure 24 – AsyncRAT DLL

Second file:

The second file triggers PowerShell to execute the previous file (roox.ps1).

Uma imagem com texto, captura de ecrĆ£, Tipo de letra, file

DescriĆ§Ć£o gerada automaticamente

Figure 25 ā€“ Second file created by Powershell file

Third file:

The third and final file runs the previous file roox.bat while keeping the execution hidden from the victim. This ensures that the infection process remains invisible and minimizes any visible indicators, making it harder for the victim to detect the ongoing activity.

Uma imagem com texto, captura de ecrĆ£, Tipo de letra, diagrama

DescriĆ§Ć£o gerada automaticamente

Figure 26- Third file created by Powershell file

Scheduled Task

The scheduled task, named thepiratMicrosoftEdgeUpdateTask, executes roox.vbs every two minutes, ensuring that the infection persists.

Uma imagem com texto, captura de ecrĆ£, Tipo de letra, nĆŗmero

DescriĆ§Ć£o gerada automaticamente

Figure 27 – Scheduled task named thepiratMicrosoftEdgeUpdateTask

Upon running the PowerShell script inside the ANY.RUN sandbox, we can see the files being created and executed. We can also gather more information about the command and control (C2) infrastructure.

Uma imagem com texto, captura de ecrĆ£, Tipo de letra, software

DescriĆ§Ć£o gerada automaticamente

Figure 28- Files created by the Powershell script

Figure 29 – C2 Ip and DNS

Conclusion

Our investigation uncovered two IPs actively spreading AsyncRAT through different methods. The first method follows a multi-stage process, employing several files and scripts to complete the infection.Ā 

Try all PRO features of ANY.RUNā€™s Interactive Sandbox for free ā†’

The second method uses only two stages, one of which involves generating files that are triggered by a scheduled task, as shown in the image below:

Uma imagem com texto, captura de ecrĆ£, diagrama, Tipo de letra

DescriĆ§Ć£o gerada automaticamente

Figure 30 – Difference between two methods

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ā 

Ad

No posts to display