Analyzing AsyncRAT’s Code Injection into aspnet_compiler.exe Across Multiple Incident Response Cases

AsyncRAT scans specific folders within the application directory, browser extensions, and user data to identify folder names associated with particular crypto wallets, verifying their presence in the system.

The wallet-checking routine at the start of the payload queries for directories whose names match the following wallet strings:

  • Atomic
  • Binance
  • BinanceEdge
  • BitcoinCore
  • BitKeep
  • BitPay
  • Coinbase
  • Coinomi
  • Electrum
  • Exodus
  • F2a
  • LedgerLive
  • Meta
  • Phantom
  • RabbyWallet
  • Ronin
  • TronLink
  • Trust

As of early 2023, AsyncRAT infections persist, with droppers delivered as various file types, including PowerShell, Windows Script File (WSF), and VBScript (VBS), to evade antivirus detection. Notably, AsyncRAT has consistently ranked among the top ten weekly malware trends over the past few months.

Our recent investigations align with this trend, although there are nuanced differences in the dropped scripts, utilized domains, and observed injection processes. Despite these changes in tactics, one consistent aspect is the use of dynamic DNS (DDNS) services — such as those provided by No-IP and DuckDNS — for network infrastructure.

Analysis of the decrypted AsyncRAT payload shows that the certificate it uses is the one associated with AsyncRAT Server, a characteristic trait of AsyncRAT C&C traffic. Typically, the Subject Common Name is configured as either “AsyncRAT Server” or “AsyncRAT Server CA” (as mentioned in our previous technical brief on SSL/TLS communications). Examining the Subject Common Name therefore proves valuable in identifying AsyncRAT infections.
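One way to turn the Subject Common Name check into detection logic is to run it over TLS metadata a sensor already records. The following is an added example, not code from the article or from any AsyncRAT tooling: it scans Suricata EVE JSON `tls` records, parses the certificate subject DN, and flags sessions whose CN equals one of the two AsyncRAT defaults (compared case-insensitively). The log lines, ports, and the non-C&C addresses are constructed for the example; the only value taken from the page is the C&C IP. A certificate that does not match does not rule AsyncRAT out, since the server's certificate generator can be altered, so treat a hit as a strong indicator rather than a definitive one.

```python
import json
from typing import Dict, List, Optional

# Default Subject Common Names produced by the AsyncRAT server's certificate
# generator, as described in the article. Compared case-insensitively.
ASYNCRAT_CNS = {"asyncrat server", "asyncrat server ca"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a Distinguished Name string ("CN=AsyncRAT Server, O=Foo") into
    {ATTR: value}. Sufficient for EVE-style DNs; it does not handle escaped
    commas inside attribute values."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def is_asyncrat_cert(subject: str) -> bool:
    """True when the Subject CN equals one of the AsyncRAT defaults."""
    cn = parse_dn(subject).get("CN", "")
    return cn.lower() in ASYNCRAT_CNS


def scan_eve_tls(lines: List[str]) -> List[Dict[str, object]]:
    """Scan Suricata EVE JSON lines and return one hit per TLS session whose
    certificate Subject CN matches. Non-TLS events and unparseable lines are
    skipped so one bad line does not abort the whole scan."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "tls":
            continue
        tls = ev.get("tls", {})
        subject: str = tls.get("subject", "")
        if not is_asyncrat_cert(subject):
            continue
        hits.append({
            "timestamp": ev.get("timestamp"),
            "src_ip": ev.get("src_ip"),
            "dest_ip": ev.get("dest_ip"),
            "dest_port": ev.get("dest_port"),
            "subject_cn": parse_dn(subject).get("CN"),
            # AsyncRAT certificates are self-signed, so subject and issuer
            # coincide; record that as supporting evidence for the analyst.
            "self_signed": subject == tls.get("issuer", ""),
        })
    return hits


# Constructed sample EVE lines (not captured traffic). The 185.150.25.181
# address is the C&C IP named in the article; everything else is made up.
SAMPLE_EVE = [
    '{"timestamp":"2023-03-01T10:15:02.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"185.150.25.181","dest_port":6606,'
    '"tls":{"subject":"CN=AsyncRAT Server","issuer":"CN=AsyncRAT Server","version":"TLS 1.2"}}',
    '{"timestamp":"2023-03-01T10:15:03.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,'
    '"tls":{"subject":"CN=www.example.com, O=Example Inc","issuer":"CN=Example CA","version":"TLS 1.3"}}',
    '{"timestamp":"2023-03-01T10:16:44.000000+0000","event_type":"tls",'
    '"src_ip":"10.0.0.9","dest_ip":"198.51.100.7","dest_port":8808,'
    '"tls":{"subject":"cn=AsyncRAT Server CA","issuer":"cn=AsyncRAT Server CA","version":"TLS 1.2"}}',
    '{"timestamp":"2023-03-01T10:17:00.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.9","dest_ip":"10.0.0.1","dns":{"rrname":"66escobar181.ddns.net"}}',
    'this line is not JSON',
]

if __name__ == "__main__":
    for hit in scan_eve_tls(SAMPLE_EVE):
        print(hit)
```

The same CN test applies to Zeek `x509.log` (`certificate.subject`) or any proxy log that records the certificate subject; only the record-parsing wrapper changes.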

The malware configuration carries the ID value “3LOSH RAT.” This suggests that the payload was packed with the 3LOSH crypter for obfuscation and stealth, which would also explain the use of multiple scripts across the different stages of the infection chain. Previous research from Talos documented similar cases in which AsyncRAT infections leveraged the evasiveness provided by crypters to improve their chances of success.

During our investigation of the AsyncRAT sample files, we identified code similarities between the injection code targeting aspnet_compiler.exe and an open-source repository on GitHub. Two notable distinctions emerged between the AsyncRAT sample obtained from our customer’s environment and the version in the GitHub repository. First, our sample includes BoolWallets among the scanned cryptocurrency wallets. Second, the GitHub version lacks keylogging capabilities, whereas the code we acquired does keylog, resembling another sample found in the same repository. These variances suggest that the attacker customized the GitHub code to fit their specific goals.

Dynamic DNS allows threat actors to swiftly change the IP address associated with a domain name, posing a challenge for security systems attempting to detect and block malicious activities. Our recent investigations have unveiled C&C domains registered under No-IP and Dynu Systems, Inc. One domain, 66escobar181[.]ddns[.]net, resolved to the IP address 185[.]150[.]25[.]181. VirusTotal analysis indicates multiple domains flagged as malicious, all converging to the same IP address.
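The pivot described above (a DDNS hostname resolving to one IP, and several flagged domains converging on that same IP) is easy to automate over whatever resolution records an investigation collects. The following is an added example, not the article's own tooling: it refangs bracketed IOCs, tags hostnames under a list of dynamic DNS provider suffixes, and groups domains by resolved IP to surface shared infrastructure. The suffix list is an assumption of the example (a partial set of free-tier domains offered by No-IP, DuckDNS and Dynu; extend it for your environment), and the resolution records are constructed apart from the one domain-to-IP pair quoted on the page.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Partial list of dynamic DNS provider suffixes (assumption of this example;
# No-IP, DuckDNS and Dynu are the providers named in the article).
DDNS_SUFFIXES = (
    "ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "sytes.net",  # No-IP
    "duckdns.org",                                                                # DuckDNS
    "dynu.net", "dynu.com", "freeddns.org",                                       # Dynu
)


def refang(ioc: str) -> str:
    """Undo common defanging so IOCs can be matched against real log data:
    '66escobar181[.]ddns[.]net' -> '66escobar181.ddns.net'."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def ddns_provider_suffix(domain: str) -> Optional[str]:
    """Return the matching DDNS provider suffix for a customer hostname, or
    None. The provider apex itself (e.g. 'ddns.net') is not a customer host."""
    d = refang(domain).lower().rstrip(".")
    for suffix in DDNS_SUFFIXES:
        if d.endswith("." + suffix):
            return suffix
    return None


def pivot_by_ip(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (domain, ip) resolution records by IP. Input may be defanged."""
    by_ip: Dict[str, set] = defaultdict(set)
    for domain, ip in records:
        by_ip[refang(ip)].add(refang(domain).lower().rstrip("."))
    return {ip: sorted(domains) for ip, domains in by_ip.items()}


def shared_infrastructure(records: List[Tuple[str, str]],
                          min_domains: int = 2) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """IPs that at least `min_domains` distinct domains resolved to, each
    domain tagged with its DDNS provider suffix (or None for non-DDNS)."""
    out: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for ip, domains in pivot_by_ip(records).items():
        if len(domains) >= min_domains:
            out[ip] = [(d, ddns_provider_suffix(d)) for d in domains]
    return out


# Constructed resolution records. Only the first pair is from the article;
# the other domains and the 203.0.113.5 address are made up for the example.
SAMPLE_RECORDS = [
    ("66escobar181[.]ddns[.]net", "185[.]150[.]25[.]181"),
    ("fakehost[.]duckdns[.]org", "185[.]150[.]25[.]181"),
    ("66escobar181.ddns.net", "185.150.25.181"),   # duplicate, already refanged
    ("cdn.example.com", "203.0.113.5"),
]

if __name__ == "__main__":
    for ip, tagged in shared_infrastructure(SAMPLE_RECORDS).items():
        print(ip)
        for domain, provider in tagged:
            print(f"  {domain}  ddns={provider}")
```

Because DDNS records can be repointed within minutes, an IP seen at the time of the incident is a weaker long-term indicator than the hostname; block and hunt on the hostname, and re-resolve periodically to track where the infrastructure moves.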
