Credentials And Control Go Bye, Bye, Bye with AsyncRAT: What You Need to Know
Introduced in 2019, AsyncRAT is classified as a remote access trojan (RAT) that primarily functions as a tool for stealing credentials and loading various malware, including ransomware. This RAT boasts botnet capabilities and features a command and control (C2) interface, granting operators the ability to manipulate infected hosts from a remote location.
Although its official GitHub page carries a legal disclaimer and advertises the project as a legitimate open-source remote administration tool, AsyncRAT is used almost exclusively by malicious threat actors.
Since its initial release, the adoption of AsyncRAT has been steadily on the rise, punctuated by intermittent surges in popularity. It has now achieved the status of a prominent threat. AsyncRAT has affiliations with other strains of malware; it originated from the QuasaRAT malware lineage and served as a foundational basis for the development of RevengeRAT and BoratRAT.
The deployment of AsyncRAT spans across a wide spectrum of threat actors, encompassing nation-state entities, apex ransomware groups, and emerging cybercriminal collectives in developing nations. These actors have launched campaigns against an extensive array of global victims.
Noteworthy instances involving AsyncRAT have targeted sectors including aerospace, hospitality, IT, business services, transportation, and various government organizations in every corner of the world.
AsyncRAT Delivery Methods
AsyncRAT is distributed in several ways. It usually spreads through spam email campaigns as a malicious attachment, or through infected ads on compromised websites. Sometimes the RAT is dropped by other malware that first infects the system through a VBS script. The Threat Analysis Unit has also warned that it can arrive via exploit kits.
During 2021, AsyncRAT surfaced in a phishing campaign known as Operation Spalax. In a separate incident it was deployed through an HCrypt loader. Researchers subsequently observed the first instances of AsyncRAT being loaded through VBScripts.
Progressing into 2022, a significantly altered iteration of the malware emerged, disseminated via spear phishing. This campaign utilized an attachment to fetch ISO files, rendering the strain adept at evading numerous security protocols.
Because of the open-sourced nature of this malware, attackers have developed numerous alterations of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.
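The delivery vectors described above (VBScript droppers, ISO images, and compressed attachments that wrap them) are all visible at the mail gateway before any payload runs. The following is an added example, not code from the original article or from any vendor product, of a defensive attachment triage routine: it flags VBScript by extension, recognises ISO 9660 images by their on-disk signature rather than by filename (so a renamed `.iso` is still caught), and recurses into zip archives with a nesting and size cap. The sample attachments, extension lists and size limits are constructed placeholders and policy assumptions, not values taken from the article.

```python
"""Attachment triage for the AsyncRAT delivery vectors described in the article.

Added example (not the article's or any vendor's code). All inputs below are
constructed in memory; no real malware samples are involved.
"""
from __future__ import annotations

import io
import zipfile

# Extension policy is an assumption; a real gateway would load this from config.
SCRIPT_EXTS = {".vbs", ".vbe"}
IMAGE_EXTS = {".iso", ".img"}
ARCHIVE_EXTS = {".zip"}

# ISO 9660: the primary volume descriptor starts at sector 16 (offset 0x8000);
# byte 0 is the descriptor type and bytes 1..5 are the identifier "CD001".
ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 0x8001

MAX_DEPTH = 3                     # stop recursing into nested archives here
MAX_INNER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def looks_like_iso(data: bytes) -> bool:
    """Content check: catches ISO images that were renamed to a harmless extension."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return a list of findings for one attachment; an empty list means nothing flagged."""
    findings: list[str] = []
    ext = _ext(name)

    if ext in SCRIPT_EXTS:
        findings.append(f"{name}: VBScript attachment ({ext})")

    if ext in IMAGE_EXTS or looks_like_iso(data):
        findings.append(f"{name}: disk image (ISO 9660 signature or extension)")

    # Recurse into archives by content, not just extension, so "file.dat" zips are covered.
    if ext in ARCHIVE_EXTS or zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append(f"{name}: archive nesting exceeds {MAX_DEPTH} levels")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_INNER_BYTES:
                        findings.append(f"{name}/{info.filename}: member too large to inspect")
                        continue
                    inner = zf.read(info)
                    for f in triage_attachment(info.filename, inner, depth + 1):
                        findings.append(f"{name}/{f}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: archive extension but not a valid zip")

    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed test attachments: a benign PDF stub, a zip wrapping a .vbs, a renamed ISO."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC) + 1)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.vbs", 'WScript.Echo "constructed placeholder"')

    return {
        "report.pdf": b"%PDF-1.4 constructed benign placeholder",
        "Shipping_Docs.zip": buf.getvalue(),
        "Statement.dat": bytes(fake_iso),
    }


if __name__ == "__main__":
    for filename, blob in build_samples().items():
        hits = triage_attachment(filename, blob)
        print(f"{filename}: {'CLEAN' if not hits else 'FLAGGED'}")
        for hit in hits:
            print("   ", hit)
```

Running the block flags the zipped VBScript and the ISO disguised as `Statement.dat` while leaving the PDF stub untouched. The signature check matters more than the extension list: the 2022 campaign the article describes used ISO attachments precisely because many controls key on filename alone.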
AsyncRAT’s Impact
AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.
It is hard to determine whether AsyncRAT was genuinely released as an innocuous remote administration tool. The accompanying notes claimed an educational purpose, but an alternative explanation is that the creator used a legitimate platform as a convenient way to promote malware.
Whatever the original intent, the code first shared on GitHub already had enough malicious functionality to cause financial harm to enterprises. Since its release the code has been revised extensively and adapted to new distribution techniques, including fileless deployment, and the RAT has become a serious threat.
TTPs
| Tactic | Technique |
|---|---|
| Initial Access | T0819 – Exploit Public-Facing Application |
| Initial Access | T1566 – Phishing |
| Lateral Movement | T0859 – Valid Accounts |
| Persistence | T0859 – Valid Accounts |
| Reconnaissance | T1591 – Gather Victim Org Information |
| Reconnaissance | T1590 – Gather Victim Network Information |
| Persistence | T1078 – Valid Accounts |
| Defense Evasion | T1078 – Valid Accounts |
| Privilege Escalation | T1078 – Valid Accounts |
| Initial Access | T1078 – Valid Accounts |
| Initial Access | T1190 – Exploit Public-Facing Application |
| Initial Access | T1189 – Drive-by Compromise |
| Initial Access | T1474 – Supply Chain Compromise |
| Initial Access | T0862 – Supply Chain Compromise |
| Reconnaissance | T1592 – Gather Victim Host Information |
| Initial Access | T1456 – Drive-By Compromise |
| Initial Access | T0817 – Drive-by Compromise |
| Initial Access | T1199 – Trusted Relationship |
| Initial Access | T1195 – Supply Chain Compromise |