_In this blog we describe the AsyncRAT C2 (_command & control_) Framework, which allows attackers to remotely monitor and control other computers over a secure encrypted link. We provide an overview of this threat, a technical analysis, and a method of detecting the malware using Qualys Multi-Vector EDR_.
## What is AsyncRAT C2 Framework?
[AsyncRAT C2 Framework]() is a Remote Access Trojan (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. Features include keylogging, audio/video recording, info-stealing, remote desktop control, password recovery, launching remote shell, webcam, injecting payloads, among other functions.
AsyncRAT has been used by various malware campaigns and threat actors in recent exploits. For example, as part of the [Operation Layover]() campaign that targeted the Aviation industry, [TA2541]() used infected Word documents with themes related to aviation, transportation, and travel to enable downloading the AsyncRAT payload. More recently, a campaign using social engineering techniques targeted [Thailand pass]() customers. Finally, the [Follina Outbreak in Australia]() delivered AsyncRAT as a malicious payload.
AsyncRAT can be detected and removed using [Qualys Multi-Vector EDR](), which is a service of the Qualys Cloud Platform.
## Threat Overview of AsyncRAT C2 Framework
**Aliases:** Async RAT
**Target Industry Verticals: **Aviation, Travel, Hospitality, among others
**Regions:** Asia, Latin America, North America, South America, Central America
**Infection Vectors:** Spam/phishing email and spear-phishing
**Objective of Malware: **Keylogging, data exfiltration, info-stealing, remote shell, remote code execution
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-1-Timeline.png)Figure 1: Timeline of major AsyncRAT incidents
## Technical Analysis of AsyncRAT C2 Framework
AsyncRATs main function enables modules, settings, and flow of code execution. The delay function defines the sleep duration before execution, which can be modified in each variant (e.g. 3 seconds, 5 seconds, 10 seconds, etc.) while building the payload (see Figure 2).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-2-Main.png)Figure 2: Main functions of AsyncRAT
### Initialize Settings Function
The Initialize Settings function enables all hardcoded configurations and settings that are predefined while building the payload (Fig. 3).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-3-Harcoded-Settings.png)Figure 3: Initialization of configuration settings
Figure 4 shows the Initialize Settings function, which also enables decryption of all configuration settings from the AES256 algorithm.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-4-InitializeSettings.png)Figure 4: Decryption of configuration settings
### Configuration Settings
Ports| 8080
—|—
Hosts| malware[.] com
Version| 1.5
Install| False
MTX (Mutex)| AsyncMutex_6SI8OkPnk
Pastebin| null
Anti| False
BDOS| False
### Verify Hash Function
The Verify Hash function reveals if the configurations are valid or not using the server certificate and server signature (Fig. 5).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-5-VerifyHash.png)Figure 5: Verify hash function reveals validity of configurations
### Client Algorithm
The client algorithm is a decryption routine for all the hardcoded configurations & settings. The [Rfc2898DeriveBytes]() API uses the PBKDF2 algorithm. Figure 6 shows the execution of this algorithm.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-6-Rfc2898.png)Figure 6: Client algorithm for decrypting hardcoded configurations and settings
Once all configuration settings are decrypted, AsyncRAT creates a mutex instance, which creates the mutex value of AsyncMutex_6SI8OkPnk” by default. This value can be modified while building new payloads (Fig. 7).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-7-DecryptionAlgorithm.png)Figure 7: Decryption routine
### Client Connection
Using the “WebClient.DownloadString” API, AsyncRAT can download additional resources and other payloads from pastebin or other domains. Figure 8 shows the code used for connecting to a domain via the specified port.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-8-DomainConnect.png)Figure 8: Enabling a C2 connection
### Client Helper
#### Anti-Analysis
AsyncRATs Client Helper includes an anti-analysis tool with multiple subfunctions such as:
* Detect Manufacturer
* Detect Sandbox
* IsSmallDisk
* IsXP
* Anti-Virus Check
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-9-Anti-Analysis.png)Figure 9: Anti-analysis tool enabled in AsyncRAT
#### Detect Debugger
Client Helper provides a Detect Debugger tool that uses the [**CheckRemoteDebuggerPresent**]() API to check if a process is being debugged (Fig. 10).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-10-DetectDebugger.png)Figure 10: Detect debugger tool in Client Helper
#### Detect Manufacturer
Client Helpers Detect Manufacturer tool enables anti-virtual machine (VM) techniques by using WMI queries and checks for keywords like “Microsoft Corporation”, “VIRTUAL”, “VMware”, or VirtualBox to detect VM environments.
For example, Figure 11 shows a query: Select * from Win32 ComputerSystem:
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-11-DetectManufacturer.png)Figure 11: Detect VM query in Client Helper
#### Detect Sandbox
The Detect Sandbox feature in AsyncRATs Client Helper uses the [**GetModuleHandle**]() API to load the SbieDll.dll module to detect a sandbox (Fig. 12).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-12-sandbox.png)Figure 12: Detect sandbox feature in Client Helper
#### IsSmallDisk
Another Client Helper tool called IsSmallDisk uses the [**Path.GetPathRoot**]() API to check for disk size, since most VMs would have a smaller disk size than that used in physical disk drives. Figure 13 shows how IsSmallDisk is enabled.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-13-Disk_Size.png)Figure 13: Detect disk size
#### IsXP
Another tool, IsXP, checks whether the operating system used is Windows XP or not. Figure 14 shows how this tool is enabled.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-14-IsXP.png)Figure 14: Detect Windows XP
#### Antivirus Check
The Antivirus Check tool in Client Helper uses WMI checks for which antivirus product is installed in the system. Figure 15 shows this being done with the following command: `[**\rootSecurityCenter2**]()`, `Select * AntiVirusProduct`.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-15-AntiVirus.png)Figure 15: Anti-virus check
Once AsyncRAT performs all the checks and collects desired information, it sends the data to its C2 server (Fig. 16).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-16-C2-Send_Info.png)Figure 16: Data exfiltration to C2 server
### Client Install
AsyncRATs Client Install feature maintains persistence checks as to whether the process has admin privileges. This occurs by creating a scheduled persistence check every time a user logs on. For example:
`Command: **/**c schtasks /create /f /sc onlogon /rl highest /tn`
If the process reveals there are no admin privileges, a run registry entry is created in reverse order: `Software\Microsoft\Windows\CurrentVersion\Run;` it then copies itself into a `%temp%` folder with a different name and executes from the temp folder via a bat script (Fig. 17).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-17-Schtasks.png)Figure 17: Enabling persistence checks for admin privileges
Figure 18 shows the bat script being dropped into `%temp%` folder. It self-deletes after execution.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-18-bat_script.png)Figure 18: Bat script
The Client Install tool then creates a run registry entry with the binary name and its full path (Fig. 19):
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-19-run-reg-key.png)Figure 19: Run key entry by Client Install tool
### Keylogger
AsyncRATs Keylogger feature uses the code of opensource project [LimeLogger]()**, **which uses APIs like GetKeyState and GetKeyboardLayout to capture the keystrokes on the victim machine (Fig. 20).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-20-LimeLogger.png)Figure 20: LimeLogger enabling keylogger feature
The keylogger takes a snapshot of the keystrokes captured on victim machine, which can be saved to text file. Figure 21 shows a few examples.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-21-keylooger.png)Figure 21: Captured keystrokes on victim machine
### Native API Methods
* [RtlSetProcessIsCritical](): Used to prevent the termination of a malware process; if it is terminated, the system will crash with a blue screen error
* Get Active Window: It uses the [**GetForegroundWindow**]() API to identify the window in which the user is currently working
* Prevent Sleep: Use of the [**SetThreadExecutionState**]() API prevents the system from entering sleep mode
### Server-Side Features
AsyncRATs server interface provides a client tab with details about the victim machine. Figure 22 shows this display.
1. IP Address of the victim machine
2. HWID: hardware ID of victim machine
3. Username
4. Operating system
5. Privileges: user / admin
6. AV software installed on the system
7. Active Window: window that a user is currently using
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-22-connection.png)Figure 22: Victim machine information
The AsyncRAT server interface also provides the logs tab, which shows a list of all commands executed and actions performed on victim machine (Fig. 23).
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-23-log.png)Figure 23: Logs of executed commands
Once the connection is established, AsyncRAT provides the option of dropping additional payload files into the memory or disk of the victim machine (Fig. 24).
* Memory: Uses reflective code loading and the RunPE method to load a file into memory
* Disk: Just drops an existing file into a particular folder path; if any file is dropped on a victims machine, or if any other commands are sent from the server, those actions are captured under the Tasks tab
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-24-SendFile.png)Fig 24: Drop files in Memory / Disk
### Monitoring Features
* Remote Desktop
* Keylogger
* File manager
* Process manager
* Webcam
### Miscellaneous Features & Plugins
* DOS attack
* .NET code execution
* Bot-killer
* Remote shell
* USB Spread
* Miner
* File Search
* Chat
* Send Message Box
* Visit website
* Get admin privileges
* Blank screen
* Disable defender
* Set wallpaper
## Detection of AsyncRAT using Qualys Multi-Vector EDR
[Qualys Multi-Vector Endpoint Detection and Response (EDR)]() is a dynamic detection and response service powered by the Qualys Cloud Platform. Qualys Multi-Vector EDR detects malware like AsyncRAT C2 Framework by unifying multiple context vectors to spot its insertion into a network endpoint. Qualys Cloud Platform provides asset management, vulnerability detection, policy compliance, patch management, and file integrity monitoring capabilities all delivered with a single agent and cloud-based delivery for a lower total cost of ownership.
Qualys Multi-Vector EDR provides real-time insights as an attacker attempts to breach an organizations cybersecurity controls. For example, Figure 25 shows a process tree for how AsyncRAT is creating a copy of itself into a `%temp%` folder.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-25-CMD-detetion.png)Figure 25: Qualys EDR process tree for AsyncRAT attack
Figure 26 shows the command line arguments of cmd.exe executing a bat script dropped into the `%temp%` folder.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-26-cmd-args-detection.png)Figure 26: Command line arguments of cmd.exe
Figures 27 and 28 show other insights from Qualys Multi-Vector EDR as it detects the AsyncRAT with a threat score of 9/10.
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-27-File_Drop-Detection.png)Figure 27: Process creation with Qualys Multi-Vector EDR ![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-28-Reg-Detection.png)Figure 28: Detection of run registry entry with Qualys Multi-Vector EDR
## MITRE ATT&CK® Mapping
For security organizations who have adopted the [MITRE ATT&CK]()® framework, Qualys Multi-Vector EDR maps directly to its knowledge base of adversary tactics and techniques based on real-world observations. The MITRE ATT&CK [knowledge base]() is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and Cybersecurity vendor community.
Here is a list of MITRE ATT&CK TTPS that an unmodified version of AsyncRAT implements:
* [Scheduled Task/Job: Scheduled Task, Sub-technique T1053.005 – Enterprise | MITRE ATT&CK®]()
* [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 – Enterprise | MITRE ATT&CK]()
* [Virtualization/Sandbox Evasion, Technique T1497 – Enterprise | MITRE ATT&CK®]()**__**
* [Defense Evasion, Tactic TA0005 – Enterprise | MITRE ATT&CK®]()**__**
* [Exfiltration Over C2 Channel, Technique T1041 – Enterprise | MITRE ATT&CK®]()**__**
* [Acquire Infrastructure: Web Services, Sub-technique T1583.006 – Enterprise | MITRE ATT&CK®]()**__**
* [Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK®]()**__**
* [Input Capture: Keylogging, Sub-technique T1056.001 – Enterprise | MITRE ATT&CK®]()**__**
* [Native API, Technique T1106 – Enterprise | MITRE ATT&CK®]()**__**
* [Remote Services: Remote Desktop Protocol, Sub-technique T1021.001 – Enterprise | MITRE ATT&CK®]()****
* [Video Capture, Technique T1125 – Enterprise | MITRE ATT&CK®]()**__**Read More