# AsyncRAT Crusade: Detections and Defense **[splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html](https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html)** SECURITY March 27, 2023 By [Splunk Threat Research Team March 27,](https://www.splunk.com/en_us/blog/author/secmrkt-research.html) 2023 In January 2019 AsyncRAT was released as an open source remote administration tool project on [GitHub. AsyncRAT is a popular malware commodity and tools used by attackers](https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp) [and APT groups. Threat actors and adversaries used several interesting script loaders and](https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat) spear phishing attachments to deliver AsyncRAT to targeted hosts or networks in different campaigns. One prevalent campaign in the wild with this remote access trojan is the use of a Microsoft OneNote spear phishing attachment to load a .HTA file that downloads and runs an obfuscated batch script to execute the actual AsyncRAT code. Of the many features of AsyncRAT, it encrypts C2 communication protocol and contains several features via plugin including: Chat Communication File Search Keylogger Process Manager (Process list) Extract Browser Credentials View and Record Desktop Screen Run Miner ----- Send Files Remote Camera File Manager Get drivers list Upload files Delete folders and files Copy files Rename files and folders 7z archiving files Watch the video below to learn more about AsyncRAT OneNote campaign. Figure 1 shows a short summary infection chain of OneNote campaigns that are discussed further in this article, including other interesting phishing campaigns that load different scripts to execute AsyncRAT. ----- _Figure 1_ _[(For a larger resolution of this diagram visit this link)](https://imgur.com/a/NkbQ3Ea)_ [AsyncRAT has also been in the weekly TOP 10 malware trends tracker on app.any.run for](https://any.run/malware-trends/?utm_source=twitter&utm_medium=post&utm_campaign=statistics&utm_content=300123) the past few months. _[Reference (tweet)](https://twitter.com/anyrun_app/status/1617401778240102400?s=20&t=ED5KEvCMTz8_F2IjR61j8Q)_ ----- In the following sections, we explore a recent OneNote campaign, how to extract the AsyncRAT configuration, dive into common behaviors and review additional AsyncRAT script loaders. ## Technical Analysis ### OneNote Campaign T1566.004 - Phishing: Spear Phishing Attachment **Malicious OneNote Attachment** The [Splunk Threat Research Team (STRT) found several phishing email campaigns that](https://www.splunk.com/en_us/blog/author/secmrkt-research.html) contain malicious .one (OneNote) attachments. The malicious OneNote document will lure the targeted user to click through the warning to view the document as seen in Figure 2. As soon as the user clicks, it will automatically load a malicious .HTA file to download the second stage of this infection chain. _Figure 2_ ### T1218.005 - System Binary Proxy Execution: Mshta **.HTA Downloader** ----- The .HTA file embedded to the .one file is responsible for downloading a .bat script that will decode the actual AsyncRAT malware. Simultaneously, another .one file will act as a decoy document to hide the execution of the malicious .bat script from the compromised user. Figure 3 is the code snippet of the .HTA file using a PowerShell cmdlet Invoke-Webrequest to download both the decoy .one file (%temp%\\invoice.one) and the .bat script stager (%temp%\\system32.bat) _Figure 3_ ### T1059.003 - Command and Scripting Interpreter: Windows Command Shell **.BAT Script Stager** The .bat script dropped in the%temp% folder is obfuscated to evade antivirus or other security products. The .bat script initializes a series of environment variables containing a string that will be concatenated at the end of its code to generate the PowerShell script that will decode, decrypt and load the actual payload. Figure 4 shows the last part of the .bat script code where it concatenates and executes the string initialized in several environment variables to generate the PowerShell script loader. _Figure 4_ ### T1059.001 - Command and Scripting Interpreter: PowerShell **PowerShell Loader** Figure 5.2 shows a screenshot of the commented portion of the .bat script, which is the encoded and encrypted payload. The PowerShell script generated and executed by the .bat script mentioned earlier performs the following steps to extract and execute the actual ----- malware payload. 1. It decodes the BASE64 encoded comment string shown in Figure 5.2 2. It uses AES cryptography namespace as well as the BASE64 encoded AES key and AES IV to decrypt the decoded chunk data. 3. Finally after decryption, it decompresses it using the GZIP algorithm to extract the malware executable and load it using the .NET Reflection library. Figure 5.1 is a simple flow diagram of how the PowerShell script executed by .bat script will decrypt AsyncRAT malware _Figure 5.1_ _Figure 5.2_ _Figure 5.3_ ### BAT Crypter AsyncRAT Extractor Tool The .batch script shown earlier is not only designed for AsyncRAT malware to load its code, but other malware groups such as QuasarRAT, DCRAT, Redline, Qakbot and more use this [batch script, which can be found in Malware Bazaar. In order to decrypt multiple malicious](https://bazaar.abuse.ch/browse.php?search=tag%3Abat) batch scripts and extract the actual payload automatically, the Splunk Threat Research Team [created a simple Python script “asyncrat_bat_extractor.py” that will accept a file or folder](https://github.com/tccontre/KnowledgeBase/blob/main/malware_re_tools/asyncrat-bat-crypter-extractor/asyncrat_bat_extractor.py) containing several batch files that need to be extracted as a parameter. Figure 6 shows a simple execution example of this tool and how it decrypts several batch files in the “test” folder and places all the extracted payloads in the “extracted_payload” folder. ----- _Figure 6_ Now let's look at the AsyncRAT TTP’s to recognize its behavior and for analytics development. ### AsyncRAT Common Checks AsyncRAT is a .NET RAT that is being used by several threat actors to compromise organizations. During our research, the STRT found common behaviors that assist with detecting AsyncRAT on the endpoint. **Persistence** AsyncRAT client will check if its code runs with administrative privileges. If yes, it will add Windows Scheduled Tasks using SchTasks.exe with highest runlevel privileges to execute the copy of itself in %appdata%. Figure 7.1 shows one of the STRT analytics to detect AsyncRAT Scheduled Tasks. ----- ``` | tstats security_content_summariesonly count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" Processes.process = "*/rl *" Processes.process = "* highest *" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` _Figure 7.1_ [If AsyncRAT is not running with administrative privileges, it will use Registry Run Key](https://attack.mitre.org/techniques/T1547/001/) ``` HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ``` for its persistence. Figure 7.2 shows the code snippet of AsyncRAT function that creates its persistence on a compromised host. _Figure 7.2_ ----- **Privilege Escalation** It will also adjust its process token privileges with the “SeDebugPrivilege” token to gain more privileges and control over other processes. Figure 8 shows the code adjusting its current process token to gain debug privilege escalation. _Figure 8_ **Defense Evasion** AsyncRAT has several defensive features to evade sandbox analysis or remote debugging of its code. The following features can be seen in Figure 9 with short descriptions below: **Functions** **Functionality** antiVM Check if its process is running in VirtualBox or VMware by running WMIC query “Select * from Win32_ComputerSystem” antiSandoxSbieDLL Check if Sbiedll.dll is loaded, which is a module of sandboxie sandbox CheckRemoteDebuggerPresent Check if remote debugger exist checkDriveSize Check if the size of the disk drive of the compromised host is small to recognize if it's running in a malware lab or sandbox ----- checkIFOSIsXP Check if its process is running in XP Windows Operating System _Figure 9_ Figure 10 is the code that drops a .bat script in the %temp% folder to delete itself as part of its defense evasion technique to clear its track after the execution and drop a copy of itself in the compromised host. _Figure 10_ **Command and Control** The last part is how communication is set up to the command and control server to download plugins or other payloads to the compromised host. AsyncRAT will decrypt its AES encrypted configuration data including the port (6606) and c2 ip-address (43.138[.]160.55) that will be used for C2 communication. Figure 11.1 is a screenshot of the decrypted config data of the AsyncRAT we analyzed, while Figure 11.2 is the code snippet for C2 server communication and C2 downloads. _Figure 11 1_ ----- _Figure 11.2_ ## Other AsyncRAT Script Loader Aside from the ongoing OneNote campaign, the STRT has also noticed another way threat actors deliver AsyncRAT malware using a phishing link campaign, ISO or via another malware downloader. **Abusing .rels xml - Template Injection** In February [2022, Microsoft pushed an update to disable macros by default in Office](https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-blocking-office-macros-by-default-once-again/) products. Because of this, many threat actors and adversaries worked to find another way to weaponize Microsoft Office documents. One of those techniques is abusing .rels file containing properties that define how the document is constructed. These properties can be used to reference remote resources via URLs. Figure 12.1 shows a screenshot of what this document looks like and how it abuses the footer2.xml rels properties of this Office document to connect to a malicious link to download another .xll, which then downloads AsyncRAT. _Figure 12.1_ ----- Figure 12.2 shows one of our AsyncRAT hunting analytics that detect this malicious Office document connecting to non-Microsoft Office domains. ``` `sysmon` EventCode=22 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\w "*\\OneNotem.exe","*\\OneNoteviewer.exe","*\\OneNoteim.exe") AND NOT(QueryName IN ("*.office.com", "*.office.net")) | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` _Figure 12.2_ **.VBS DynamicWrapperX Loader** We also found a .vbs script loader that writes dynwrapx.dll to disk to be able to use DynamicWrapperX Object to inject or execute the actual payload. This .vbs script was also analyzed in detail by the STRT in our previous blog “Detecting Malware Script Loaders using Remcos”. Figure 13 shows a short code snippet of the .vbs script that uses dynwrapx.dll to load a shellcode that executes the actual AsyncRAT. ----- _Figure 13_ **More PowerShell Script Loader** Another instance we found was an obfuscated PowerShell script being used by AsyncRAT to load its actual code. The PowerShell script will convert a large hex string to binary bytes which is the .NET compiled AsyncRAT that will be executed through .NET reflection Load Assembly Library. Figure 14 shows the code snippet of this PowerShell script highlighting the part of the hex string that will be converted to binary bytes of AsyncRAT. _Fi_ _14_ ----- This article shows the infection chain of a malicious OneNote Microsoft Office document. campaign that is rampant and widely used by different threat actors or APT’s to deliver a malicious payload or to gain initial access to the targeted host. This blog may help the SOC and security analysts to see how this OneNote Microsoft Office document. is being abused and how to add defensive measures against it. ## IOCs Hashes of samples we’ve analyzed in this article. **Description** **SHA256** .bat script [2421e2d7ed44911ce2d2f2d288a33c8650a2e5847d81b02911e3da31c292d03a](https://www.virustotal.com/gui/file/37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4) [37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4](https://www.virustotal.com/gui/file/37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4) [3d5e76babb87991d4abec7c048b34074ccc7c680f49639e0c55e5be0ee6df33d](https://www.virustotal.com/gui/file/37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4) [8ee8a12754f344d0a1249f2de4d11044ebba8ba354df769d8d5019a639bb69c6](https://www.virustotal.com/gui/file/37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4) [92dabfde91df07a3b2105e5972fbd2f5acf64b53465b60165a53e0795c1be8ba](https://www.virustotal.com/gui/file/37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4) [bce00edede51b68cbf740e51b9f184bfd003d6ccb682cdcc661ecaa82dd67e42](https://www.virustotal.com/gui/file/37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4) [c4952d905a0fb0466d45a58606635f0a2ac3b7c5cbb7e517118a9b695e3012e2](https://www.virustotal.com/gui/file/37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4) [f1a126ea617a045454badfb230b3bc86ee5c1ad5698c1285472f71fc8497cbfc](https://www.virustotal.com/gui/file/37563d85d00f66f27dfbdea1978227cccb739702aca826a9bdf671fd26d6b6a4) AsyncRAT [3d8c723ceeaf346e9ea31d5449f4cbc37cf58993296a689d471c1e617a19d046](https://bazaar.abuse.ch/browse.php?search=sha256%3A3d8c723ceeaf346e9ea31d5449f4cbc37cf58993296a689d471c1e617a19d046) [8d0c4f891f01840c2a9c6483554d661440bb6a81fe86f10d546c697fb9e958a5](https://bazaar.abuse.ch/browse.php?search=sha256%3A8d0c4f891f01840c2a9c6483554d661440bb6a81fe86f10d546c697fb9e958a5) [774e4d4af9175367bc3c7e08f4765778c58f1c66b46df88484a6aa829726f570](https://bazaar.abuse.ch/browse.php?search=sha256%3A774e4d4af9175367bc3c7e08f4765778c58f1c66b46df88484a6aa829726f570) OneNote [482a4763c8cf9c448fc851e6fe4554cc48abc563c49847ed040cdaee8a12003c](https://bazaar.abuse.ch/browse.php?search=sha256%3A482a4763c8cf9c448fc851e6fe4554cc48abc563c49847ed040cdaee8a12003c) Docx abuses .rels [1e862e875511f28643f75cb7a59e2d4ad642bd9aed4a328a9cbb5304d12aa83e](https://bazaar.abuse.ch/browse.php?search=sha256%3A1e862e875511f28643f75cb7a59e2d4ad642bd9aed4a328a9cbb5304d12aa83e) .HTA [819448a878bbdc0658257296ab0f4951f1536ec7a1e20f1fd3b19ed716cada88](https://bazaar.abuse.ch/browse.php?search=sha256%3A819448a878bbdc0658257296ab0f4951f1536ec7a1e20f1fd3b19ed716cada88) [3652342b1e8b67e1700c3ed428dcc7b7f9f32984ea296f7dcf544b7b50493dc3](https://bazaar.abuse.ch/browse.php?search=sha256%3A3652342b1e8b67e1700c3ed428dcc7b7f9f32984ea296f7dcf544b7b50493dc3) .vbs dynawrapx loader PowerShell loader ## Detections [c62ef09ac5b47ea517047fd3719bb2e93b37b97f4c7477198c4b4d2383c227b6](https://bazaar.abuse.ch/browse.php?search=sha256%3Ac62ef09ac5b47ea517047fd3719bb2e93b37b97f4c7477198c4b4d2383c227b6) [4dc5cd716d199967111e2a35aa260f336ea63d9f56619ca468ac80145f2fbe15](https://bazaar.abuse.ch/browse.php?search=sha256%3A4dc5cd716d199967111e2a35aa260f336ea63d9f56619ca468ac80145f2fbe15) The Splunk Threat Research Team has curated relevant detections and tagged them to the **AsyncRAT Analytic Story to help security analysts detect adversaries leveraging the** [AsyncRAT malware. This analytic story introduces 23 detections across MITRE ATT&CK](https://research.splunk.com/stories/asyncrat/) ----- techniques. For this release, we used and considered the relevant data endpoint telemetry sources such as: Process Execution & Command Line Logging Windows Security Event Id 4688, Sysmon, or any Common Information Model compliant EDR technology Windows Security Event Log Windows System Event Log Windows PowerShell Script Block Logging ## Automating with SOAR Playbooks All of the detections associated with this analytic story create entries in the Splunk Enterprise Security risk index by default and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The following community Splunk SOAR playbooks can also be used in conjunction with some of the previously described analytics: **Playbook** **Description** Internal host WinRM Investigate Active Directory Reset Password This playbook performs a general investigation on key aspects of a Windows device using Windows Remote Management. Important files related to the endpoint are generated, bundled into a zip, and copied to the container vault. This playbook resets the password of a potentially compromised user account. First, an analyst is prompted to evaluate the situation and choose whether to reset the account. If they approve, a strong password is generated and the password is reset. ## Why Should You Care? With this article, the Splunk Threat Research Team (STRT) enables security analysts, blue teamers and Splunk customers to identify AsyncRAT malware. This article helps the community discover AsyncRAT tactics, techniques and procedures that are being used by several threat actors and adversaries (APT). By understanding its behaviors, we were able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this threat. ## Learn More [You can find the latest content about security analytic stories on GitHub and in Splunkbase.](https://github.com/splunk/security-content/releases/tag/v3.12.0) [Splunk Security Essentials also has all these detections available via push update.](https://splunkbase.splunk.com/app/3435/) ----- For a full list of security content, check out the [release notes on](https://docs.splunk.com/Documentation/ESSOC/3.21.0/RN/Enhancements) [Splunk Docs.](https://docs.splunk.com/Documentation/ESSOC) ## Feedback Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the [Slack channel #security-research. Follow these instructions If you](https://splunk-usergroups.slack.com/) need an invitation to our Splunk user groups on Slack. ## Contributors [We would like to thank Teoderick Contreras for authoring this post and the entire Splunk](https://twitter.com/tccontre18) [Threat Research Team for their contributions: Michael Haag,](https://twitter.com/M_haggis) [Mauricio Velazco,](https://twitter.com/mvelazco) [Lou Stella,](https://twitter.com/ljstella) [Bhavin Patel,](https://twitter.com/hackpsy) [Rod Soto,](https://twitter.com/rodsoto) [Eric McGinnis, and](https://twitter.com/SnekCharmerr) [Patrick Bareiss.](https://twitter.com/bareiss_patrick) Posted by **[Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)** The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks [which are stored as datasets in the Attack Data repository.](https://github.com/splunk/attack_data/) Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of ----- industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more. [Read more Splunk Security Content.](https://github.com/splunk/security_content) **Related Posts** -----