Site icon API Security Blog

AsyncRAT C2 Framework: Overview, Technical Analysis & Detection

_In this blog we describe the AsyncRAT C2 (_command & control_) Framework, which allows attackers to remotely monitor and control other computers over a secure encrypted link. We provide an overview of this threat, a technical analysis, and a method of detecting the malware using Qualys Multi-Vector EDR_.

## What is AsyncRAT C2 Framework?

[AsyncRAT C2 Framework]() is a Remote Access Trojan (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. Features include keylogging, audio/video recording, info-stealing, remote desktop control, password recovery, launching remote shell, webcam, injecting payloads, among other functions.

AsyncRAT has been used by various malware campaigns and threat actors in recent exploits. For example, as part of the [Operation Layover]() campaign that targeted the Aviation industry, [TA2541]() used infected Word documents with themes related to aviation, transportation, and travel to enable downloading the AsyncRAT payload. More recently, a campaign using social engineering techniques targeted [Thailand pass]() customers. Finally, the [Follina Outbreak in Australia]() delivered AsyncRAT as a malicious payload.

AsyncRAT can be detected and removed using [Qualys Multi-Vector EDR](), which is a service of the Qualys Cloud Platform.

## Threat Overview of AsyncRAT C2 Framework

**Aliases:** Async RAT

**Target Industry Verticals: **Aviation, Travel, Hospitality, among others

**Regions:** Asia, Latin America, North America, South America, Central America

**Infection Vectors:** Spam/phishing email and spear-phishing

**Objective of Malware: **Keylogging, data exfiltration, info-stealing, remote shell, remote code execution

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-1-Timeline.png)Figure 1: Timeline of major AsyncRAT incidents

## Technical Analysis of AsyncRAT C2 Framework

AsyncRAT’s main function enables modules, settings, and flow of code execution. The delay function defines the sleep duration before execution, which can be modified in each variant (e.g. 3 seconds, 5 seconds, 10 seconds, etc.) while building the payload (see Figure 2).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-2-Main.png)Figure 2: Main functions of AsyncRAT

### Initialize Settings Function

The Initialize Settings function enables all hardcoded configurations and settings that are predefined while building the payload (Fig. 3).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-3-Harcoded-Settings.png)Figure 3: Initialization of configuration settings

Figure 4 shows the Initialize Settings function, which also enables decryption of all configuration settings from the AES256 algorithm.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-4-InitializeSettings.png)Figure 4: Decryption of configuration settings

### Configuration Settings

Ports| 8080
—|—
Hosts| malware[.] com
Version| 1.5
Install| False
MTX (Mutex)| AsyncMutex_6SI8OkPnk
Pastebin| null
Anti| False
BDOS| False

### Verify Hash Function

The Verify Hash function reveals if the configurations are valid or not using the server certificate and server signature (Fig. 5).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-5-VerifyHash.png)Figure 5: Verify hash function reveals validity of configurations

### Client Algorithm

The client algorithm is a decryption routine for all the hardcoded configurations & settings. The [Rfc2898DeriveBytes]() API uses the PBKDF2 algorithm. Figure 6 shows the execution of this algorithm.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-6-Rfc2898.png)Figure 6: Client algorithm for decrypting hardcoded configurations and settings

Once all configuration settings are decrypted, AsyncRAT creates a mutex instance, which creates the mutex value of “AsyncMutex_6SI8OkPnk” by default. This value can be modified while building new payloads (Fig. 7).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-7-DecryptionAlgorithm.png)Figure 7: Decryption routine

### Client Connection

Using the “WebClient.DownloadString” API, AsyncRAT can download additional resources and other payloads from pastebin or other domains. Figure 8 shows the code used for connecting to a domain via the specified port.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-8-DomainConnect.png)Figure 8: Enabling a C2 connection

### Client Helper

#### Anti-Analysis

AsyncRAT’s Client Helper includes an anti-analysis tool with multiple subfunctions such as:

* Detect Manufacturer
* Detect Sandbox
* IsSmallDisk
* IsXP
* Anti-Virus Check
![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-9-Anti-Analysis.png)Figure 9: Anti-analysis tool enabled in AsyncRAT

#### Detect Debugger

Client Helper provides a Detect Debugger tool that uses the “[**CheckRemoteDebuggerPresent**]()” API to check if a process is being debugged (Fig. 10).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-10-DetectDebugger.png)Figure 10: Detect debugger tool in Client Helper

#### Detect Manufacturer

Client Helper’s Detect Manufacturer tool enables anti-virtual machine (VM) techniques by using WMI queries and checks for keywords like “Microsoft Corporation”, “VIRTUAL”, “VMware”, or “VirtualBox” to detect VM environments.

For example, Figure 11 shows a query: “Select * from Win32 ComputerSystem”:

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-11-DetectManufacturer.png)Figure 11: Detect VM query in Client Helper

#### Detect Sandbox

The Detect Sandbox feature in AsyncRAT’s Client Helper uses the “[**GetModuleHandle**]()” API to load the “SbieDll.dll” module to detect a sandbox (Fig. 12).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-12-sandbox.png)Figure 12: Detect sandbox feature in Client Helper

#### IsSmallDisk

Another Client Helper tool called IsSmallDisk uses the “[**Path.GetPathRoot**]()” API to check for disk size, since most VMs would have a smaller disk size than that used in physical disk drives. Figure 13 shows how IsSmallDisk is enabled.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-13-Disk_Size.png)Figure 13: Detect disk size

#### IsXP

Another tool, IsXP, checks whether the operating system used is Windows XP or not. Figure 14 shows how this tool is enabled.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-14-IsXP.png)Figure 14: Detect Windows XP

#### Antivirus Check

The Antivirus Check tool in Client Helper uses WMI checks for which antivirus product is installed in the system. Figure 15 shows this being done with the following command: `“[**\rootSecurityCenter2**]()”`, `“Select * AntiVirusProduct”`.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-15-AntiVirus.png)Figure 15: Anti-virus check

Once AsyncRAT performs all the checks and collects desired information, it sends the data to its C2 server (Fig. 16).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-16-C2-Send_Info.png)Figure 16: Data exfiltration to C2 server

### Client Install

AsyncRAT’s Client Install feature maintains persistence checks as to whether the process has admin privileges. This occurs by creating a scheduled persistence check every time a user logs on. For example:

`Command: “**/**c schtasks /create /f /sc onlogon /rl highest /tn”`

If the process reveals there are no admin privileges, a run registry entry is created in reverse order: `“Software\Microsoft\Windows\CurrentVersion\Run”;` it then copies itself into a `“%temp%”` folder with a different name and executes from the temp folder via a bat script (Fig. 17).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-17-Schtasks.png)Figure 17: Enabling persistence checks for admin privileges

Figure 18 shows the bat script being dropped into `“%temp%”` folder. It self-deletes after execution.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-18-bat_script.png)Figure 18: Bat script

The Client Install tool then creates a run registry entry with the binary name and its full path (Fig. 19):

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-19-run-reg-key.png)Figure 19: Run key entry by Client Install tool

### Keylogger

AsyncRAT’s Keylogger feature uses the code of opensource project [LimeLogger]()**, **which uses API’s like “GetKeyState” and “GetKeyboardLayout” to capture the keystrokes on the victim machine (Fig. 20).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-20-LimeLogger.png)Figure 20: LimeLogger enabling keylogger feature

The keylogger takes a snapshot of the keystrokes captured on victim machine, which can be saved to text file. Figure 21 shows a few examples.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-21-keylooger.png)Figure 21: Captured keystrokes on victim machine

### Native API Methods

* [RtlSetProcessIsCritical](): Used to prevent the termination of a malware process; if it is terminated, the system will crash with a blue screen error
* Get Active Window: It uses the “[**GetForegroundWindow**]()” API to identify the window in which the user is currently working
* Prevent Sleep: Use of the “[**SetThreadExecutionState**]()” API prevents the system from entering sleep mode

### Server-Side Features

AsyncRAT’s server interface provides a client tab with details about the victim machine. Figure 22 shows this display.

1. IP Address of the victim machine
2. HWID: hardware ID of victim machine
3. Username
4. Operating system
5. Privileges: user / admin
6. AV software installed on the system
7. Active Window: window that a user is currently using

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-22-connection.png)Figure 22: Victim machine information

The AsyncRAT server interface also provides the logs tab, which shows a list of all commands executed and actions performed on victim machine (Fig. 23).

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-23-log.png)Figure 23: Logs of executed commands

Once the connection is established, AsyncRAT provides the option of dropping additional payload files into the memory or disk of the victim machine (Fig. 24).

* Memory: Uses reflective code loading and the RunPE method to load a file into memory
* Disk: Just drops an existing file into a particular folder path; if any file is dropped on a victim’s machine, or if any other commands are sent from the server, those actions are captured under the Tasks tab

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-24-SendFile.png)Fig 24: Drop files in Memory / Disk

### Monitoring Features

* Remote Desktop
* Keylogger
* File manager
* Process manager
* Webcam

### Miscellaneous Features & Plugins

* DOS attack
* .NET code execution
* Bot-killer
* Remote shell
* USB Spread
* Miner
* File Search
* Chat
* Send Message Box
* Visit website
* Get admin privileges
* Blank screen
* Disable defender
* Set wallpaper

## Detection of AsyncRAT using Qualys Multi-Vector EDR

[Qualys Multi-Vector Endpoint Detection and Response (EDR)]() is a dynamic detection and response service powered by the Qualys Cloud Platform. Qualys Multi-Vector EDR detects malware like AsyncRAT C2 Framework by unifying multiple context vectors to spot its insertion into a network endpoint. Qualys Cloud Platform provides asset management, vulnerability detection, policy compliance, patch management, and file integrity monitoring capabilities – all delivered with a single agent and cloud-based delivery for a lower total cost of ownership.

Qualys Multi-Vector EDR provides real-time insights as an attacker attempts to breach an organization’s cybersecurity controls. For example, Figure 25 shows a process tree for how AsyncRAT is creating a copy of itself into a `“%temp%”` folder.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-25-CMD-detetion.png)Figure 25: Qualys EDR process tree for AsyncRAT attack

Figure 26 shows the command line arguments of cmd.exe executing a bat script dropped into the `“%temp%”` folder.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-26-cmd-args-detection.png)Figure 26: Command line arguments of cmd.exe

Figures 27 and 28 show other insights from Qualys Multi-Vector EDR as it detects the AsyncRAT with a threat score of 9/10.

![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-27-File_Drop-Detection.png)Figure 27: Process creation with Qualys Multi-Vector EDR ![](https://blog.qualys.com/wp-content/uploads/2022/08/Figure-28-Reg-Detection.png)Figure 28: Detection of run registry entry with Qualys Multi-Vector EDR

## MITRE ATT&CK® Mapping

For security organizations who have adopted the [MITRE ATT&CK]()® framework, Qualys Multi-Vector EDR maps directly to its knowledge base of adversary tactics and techniques based on real-world observations. The MITRE ATT&CK [knowledge base]() is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and Cybersecurity vendor community.

Here is a list of MITRE ATT&CK TTPS that an unmodified version of AsyncRAT implements:

* [Scheduled Task/Job: Scheduled Task, Sub-technique T1053.005 – Enterprise | MITRE ATT&CK®]()
* [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 – Enterprise | MITRE ATT&CK]()
* [Virtualization/Sandbox Evasion, Technique T1497 – Enterprise | MITRE ATT&CK®]()**__**
* [Defense Evasion, Tactic TA0005 – Enterprise | MITRE ATT&CK®]()**__**
* [Exfiltration Over C2 Channel, Technique T1041 – Enterprise | MITRE ATT&CK®]()**__**
* [Acquire Infrastructure: Web Services, Sub-technique T1583.006 – Enterprise | MITRE ATT&CK®]()**__**
* [Persistence, Tactic TA0003 – Enterprise | MITRE ATT&CK®]()**__**
* [Input Capture: Keylogging, Sub-technique T1056.001 – Enterprise | MITRE ATT&CK®]()**__**
* [Native API, Technique T1106 – Enterprise | MITRE ATT&CK®]()**__**
* [Remote Services: Remote Desktop Protocol, Sub-technique T1021.001 – Enterprise | MITRE ATT&CK®]()****
* [Video Capture, Technique T1125 – Enterprise | MITRE ATT&CK®]()**__**Read More

Exit mobile version