FirstWatch Threat Spotlight: Truly Asynchronous AsyncRAT

‎2023-03-24 04:48 AM

Author: Rajas Save

Introduction

The AsyncRAT malware family appears to have re-emerged in February 2023, delivering Windows-based info-stealing payloads. AsyncRAT was first active in 2016 and is a remote access trojan (RAT) that allows an attacker to remotely control an infected system.


The AsyncRAT malware family is a highly sophisticated piece of malicious software, believed to have been developed by state-sponsored hackers for the purpose of cyber espionage and data theft. AsyncRAT is notable for its use of asynchronous command and control (C2) communication, which allows it to evade detection by security software. The malware is also highly customizable, with the ability to add new functions and capabilities as needed. This makes it a popular choice among cyber criminals looking to conduct targeted attacks.
In 2017, AsyncRAT was observed being used in several high-profile attacks, including a series of attacks against organizations in the financial and healthcare industries. The malware was also observed in attacks against government organizations, suggesting that it was being used by state-sponsored actors.


The payload delivered in this case surfaced in mid-January 2023. It infects systems through a multi-stage infection process that typically involves exploiting vulnerabilities in targeted systems, tricking users into downloading and installing malicious software, or using social engineering tactics to gain access to sensitive information.

Technical Analysis

The initial spread of AsyncRAT was through phishing emails and malicious attachments, but it has since been observed being delivered through other methods such as drive-by downloads and malicious ads. This particular binary was delivered from a compromised website, hxxps[:]//tarjapreta[.]news/docs/ws[.]exe, which has since been taken offline. The same binary was seen under different names such as mini-calculator.exe and WindowsDataC.exe.

[Image: VXIntel_v1.PNG]

[Image: poly_primary_detections.PNG]

[Image: poly_primary_peInfo.PNG]


Upon download, the sample (3b479f15645c31c7067c31aede6e1802093ac78b[.]exe) executes from the \AppData\Local\Temp\ directory with elevated privileges.

[Image: ProcessFromAppData_1.png]

Subsequently, three child processes are spawned, which are then used to gather more information and maintain persistence.

1. “wwst.exe”
2. “windowsdatac.exe”
3. “runit.exe”

[Image: execute3DroppedEXE.png]

Endpoint Analysis

The “windowsdatac.exe” binary is then added as an AutoStart entry to ensure persistence on the system, launching the process at every system startup.

Set value (str)
\REGISTRY\USER\S-1-5-21-4112222891-4035456648-2770682853-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataC.exe = "C:\\ProgramData\\WindowsDataC.exe"


“wwst.exe” spawns two different instances of “cmd.exe” along with the Remote Procedure Call (RPC) process “svchost.exe” with elevated privileges.

The first instance of “cmd.exe” executes a command that changes the code page to 65001 and displays all Wi-Fi network profiles using the "netsh wlan show profile" command.
Three child processes are spawned to perform specific tasks within the command:

  1. "chcp.com" - "chcp 65001" - This command sets the active code page to Unicode UTF-8 (code page 65001) to ensure that special characters in the output are displayed correctly.
  2. "netsh.exe" - "netsh wlan show profile" - This command is used to retrieve a list of wireless network profiles that are saved on the computer.
  3. "findstr.exe" - "findstr All" - This command filters the output of the previous command and shows only the lines that contain the string "All".

[Image: 1stCMD_process.png]

The second instance of “cmd.exe” executes a command that changes the code page to 65001 and displays all Wi-Fi networks using the "netsh wlan show networks mode=bssid" command.
Two child processes are spawned to perform specific tasks within the command:

  1. "chcp.com" - "chcp 65001" - This command sets the active code page to Unicode UTF-8 (code page 65001) to ensure that special characters in the output are displayed correctly.
  2. "netsh.exe" - "netsh wlan show networks mode=bssid" - This command retrieves a list of wireless networks in BSSID mode, which displays the MAC addresses of the access points for each network.

[Image: 2ndCMD_process.png]

The command "C:\Windows\system32\svchost.exe -k netsvcs" is used to start the Windows Service Host Process, which is a generic host process for services that are run from DLLs.

  • The "-k" flag in the command specifies the service group that the process should run under, in this case "netsvcs" which stands for Network Service. This means that the service host process is running with the Network Service account privileges, which is a predefined local account with limited permissions.

The "/C" switch tells cmd.exe to execute the subsequent command and then exit. The process also creates AutoStart entries to ensure that it continues running on the system even after a reboot.

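As an added detection illustration (not code from the original post or from NetWitness), the following Python flags the cmd.exe chains described above in a constructed set of process-creation events: a cmd.exe whose children run "chcp 65001" together with "netsh wlan show profile" or "netsh wlan show networks", with a note on whether the cmd.exe parent executes from the user's Temp directory. The event tuples, PIDs, paths and the function name are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (pid, ppid, image path, command line)
# modelled on the chains described in the post; this is not a real capture.
EVENTS = [
    (100, 1, r"C:\Users\Admin\AppData\Local\Temp\wwst.exe", "wwst.exe"),
    (101, 100, r"C:\Windows\System32\cmd.exe",
     "cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All"),
    (102, 101, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    (103, 101, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    (104, 101, r"C:\Windows\System32\findstr.exe", "findstr All"),
    (105, 100, r"C:\Windows\System32\cmd.exe",
     "cmd.exe /C chcp 65001 && netsh wlan show networks mode=bssid"),
    (106, 105, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    (107, 105, r"C:\Windows\System32\netsh.exe", "netsh wlan show networks mode=bssid"),
    # Benign admin activity: no code-page change, different netsh subcommand
    (200, 4, r"C:\Windows\System32\cmd.exe", "cmd.exe /C netsh wlan show interfaces"),
    (201, 200, r"C:\Windows\System32\netsh.exe", "netsh wlan show interfaces"),
]

WLAN_RECON = re.compile(r"netsh(\.exe)?\s+wlan\s+show\s+(profile|networks)", re.I)
CHCP_UTF8 = re.compile(r"chcp(\.com)?\s+65001", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def find_wifi_recon(events):
    """Flag each cmd.exe whose children run 'chcp 65001' together with
    'netsh wlan show profile' or 'netsh wlan show networks', and record
    whether the cmd.exe parent lives in the user's Temp directory."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _image, cmdline in events:
        children[ppid].append(cmdline)
    alerts = []
    for pid, ppid, image, _cmdline in events:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        kids = children[pid]
        wlan = [c for c in kids if WLAN_RECON.search(c)]
        if wlan and any(CHCP_UTF8.search(c) for c in kids):
            parent = by_pid.get(ppid)
            alerts.append({
                "cmd_pid": pid,
                "parent_image": parent[2] if parent else None,
                "parent_in_temp": bool(parent and TEMP_DIR.search(parent[2])),
                "wlan_command": wlan[0],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_wifi_recon(EVENTS):
        print(alert)
```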
“RunIt.exe” helps gather and exfiltrate information about the victim. It is a .NET Framework-based Windows executable. Along with the other two, this executable uses methods such as Pastebin and Telegram to communicate with the C2 server and exfiltrate system, location, and network information about the host.


A Run key is added to maintain persistence on the infected system:

SET VALUE (STR) -
\REGISTRY\USER\S-1-5-21-4112222891-4035456648-2770682853-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\RNTS.EXE = "C:\\USERS\\ADMIN\\APPDATA\\LOCAL\\TEMP\\RNTS.EXE"

[Image: VXIntel_v2.PNG]

[Image: poly_secondary_sandbox1.PNG]

[Image: poly_secondary_detections.PNG]

[Image: poly_secondary_peinfo.PNG]

Network Analysis

The device initiates a DNS request to resolve the domain name "icanhazip[.]com" to its IP address. This is likely used to determine the external IP address of the victim host making the request.

[Image: 1stDNS_marked.png]

The device sends a GET request to the server at "http[:]//icanhazip[.]com" to retrieve its external IP address. The server responds with the external IP address of the device making the request.

[Image: 1stDNS-fullNW_marked.png]

A GET request is sent to "https[:]//api[.]mylnikov[.]org/geolocation/wifi?v=1.1&bssid=92:29:c7:e0:ff:6d", a website that provides geolocation services. This request goes to the server at the IP address obtained in the preceding DNS resolution. The request includes a query parameter "bssid", which likely refers to the BSSID (MAC address) of the device's Wi-Fi access point. The server responds with geolocation information for the access point.

[Image: 2nd-GeoLocation_marked.png]

[Image: 2nd-GETGeoLocation_marked.png]

The device initiates a final DNS request to resolve the domain name "api.telegram.org", the API endpoint of the popular messaging app, to its IP address.

[Image: 3rd-TelegramAll-analysisKeys_marked.png]

Using this resolved IP, a GET request is sent using the Telegram API and contains a bot token as well as the chat ID of the recipient.

[Image: 3rd-Telegram-LongRequest-Hatch_marked.png]

The text of the message contains information about the infected system, including the date, system details, hardware information, network information, and software details.


The message also includes the number of bookmarks, database files, and other logs present on the system. The message is sent in markdown format, with emojis used to denote different categories of information.

Decoding the information in this text step by step:

  • Split the encoded text into individual segments separated by "%".
  • Convert each hexadecimal value into its corresponding ASCII character.
  • Replace the "%20" sequences with spaces.
  • Replace the "+" sequences with newlines.
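As an added example (not code from the original post), the four decoding steps above implemented in Python and run over a constructed message fragment in the same percent-encoded shape, with a helper that pulls the "Key: value" lines out of the decoded report. The sample string, its field values and the function names are assumptions for the example; bytes are collected before UTF-8 decoding so the multi-byte emoji survive.

```python
import re

# Constructed sample in the shape the post describes: "%XX" hex bytes, "%20" for
# spaces and "+" between lines. It is not the real captured request.
SAMPLE = (
    "%F0%9F%8C%AA%EF%B8%8FWorldWind%20Pro%20-%20Results%3A%20+"
    "Date%3A%202023-03-01%208%3A33%3A31%20PM+"
    "System%3A%20Windows%2010%20Pro%20(64%20Bit)+"
    "Username%3A%20Admin+"
    "External%20IP%3A%20154.61.71.50+"
    "BSSID%3A%2092%3A29%3Ac7%3Ae0%3Aff%3A6d"
)

HEX_BYTE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_message(encoded: str) -> str:
    """Apply the post's steps: each '%XX' becomes one byte (this also covers
    '%20' -> space) and each '+' becomes a newline. Bytes are gathered first so
    multi-byte UTF-8 sequences such as the emoji decode correctly."""
    out = bytearray()
    i = 0
    while i < len(encoded):
        m = HEX_BYTE.match(encoded, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        elif encoded[i] == "+":
            out.extend(b"\n")
            i += 1
        else:
            out.extend(encoded[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*): ?(.*)$")


def parse_fields(text: str) -> dict:
    """Collect 'Key: value' lines (Date, System, External IP, BSSID, ...) from
    the decoded report; emoji section headers and sub-items are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


if __name__ == "__main__":
    decoded = decode_message(SAMPLE)
    print(decoded)
    print(parse_fields(decoded))
```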

[Image: CodeChef_marked.png]


After some clean-up, the information in the 'text' of the Telegram message reads:

🌪️WorldWind Pro - Results: 
Date: 2023-03-01 8:33:31 PM
System: Windows 10 Pro (64 Bit)
Username: Admin
CompName: QOFGUEXK
Language: 🇺🇸 en-US
Antivirus: Not installed

💻 Hardware:
CPU: 12th Gen Intel(R) Core (TM) i5-12400
GPU: Microsoft Basic Display Adapter
RAM: 16154MB
HWID: 078BFBFF000306D2
Power: NoSystemBattery (1%)
Screen: 1280x720

📡 Network:
Gateway IP: 10.127.0.1
Internal IP: 10.127.0.26
External IP: 154.61.71.50
BSSID: 92:29:c7:e0:ff:6d

💸 Domain’s info:
∟ 🏦 *Bank Logs* (No data)
∟ 💰 *Crypto Logs* (No data)
∟ 🍓 *Freaky Logs* (No data)

🌐 Logs:
∟ 🔖 Bookmarks: 5

🎃Software:

🧭 Device:
∟ 🗝️ Windows product key
∟ 🌃 Desktop screenshot

📄 File Grabber:
∟ 📂 Database files: 6

Telegram Channel: @X_Splinter

The second request using the Telegram API is a download request for a file named "wwst.exe" from a remote server at IP address 149.154.167.220 over port 443. The file appears to be a binary executable being downloaded by the malware. Its purpose is unknown, but it is likely another component of the malware that is downloaded and executed on the infected system.

The subsequent request is a response from the remote server to the malware and contains a list of C2 server addresses. The addresses are presented in JSON format and are likely used by the malware to establish communication with the C2 servers. This communication allows the attacker to remotely control the infected system and execute commands on it.

[Image: 3rd-Telegram-chatId2nd-hatch_marked.png]

Once the IP address is obtained, the device sends a POST request to the server at "https://api.telegram.org/bot..." to send a message to a specific chat ID on the Telegram messaging service. The query parameters in the request include the text message to be sent. The server responds with a success or failure message indicating whether the message was sent.

[Image: 3rd-Telegram-chatId3rd-hatch_marked.png]

The next request is a GET request to "pastebin[.]com", which is a website for storing and sharing text. The subsequent POST request includes a document to be sent via Telegram.

[Image: 4th-pastebin-all_marked.png]

[Image: 4th-pastebin-get-hatch_marked.png]

Overall, this sequence of requests suggests that AsyncRAT is attempting to gather information about the host machine, including its location and network information, and then send this information to a remote server via the messaging app Telegram. The use of several different websites and services suggests that the malware is attempting to avoid detection and make its actions harder to trace. This suggests that the malware is a sophisticated binary that can communicate with a remote server, execute commands on the infected system, and exfiltrate data through asynchronous communication with C2 servers.

MITRE Information

  1. Execution TA0002
    1. Windows Management Instrumentation - T1047
      1. wwst.exe executes WMI query: Select ProcessorId from Win32_processor.
  2. Persistence TA0003
    1. Registry Run Keys / Startup Folder T1547.001
      1. Creates an AutoStart registry key.
  3. Privilege Escalation TA0004
    1. Registry Run Keys / Startup Folder T1547.001
      1. Creates multiple AutoStart registry keys.
  4. Defense Evasion TA0005
    1. Masquerading T1036
      1. wwst.exe changes the appearance of a folder.
    2. Modify Registry T1112
      1. runit.exe adds "C:\Users\RDHJ0C~1\AppData\Local\Temp\Rnts.exe" to Windows startup via registry.
    3. Obfuscated Files or Information T1027
      1. .NET source code contains long base64-encoded strings.
    4. Masquerading T1036
      1. Creates files inside the user directory.
    5. Obfuscated Files or Information T1027
      1. Encode data using Base64.
      2. Encrypt data using AES via .NET.
  5. Credential Access TA0006
    1. Input Capture T1056
      1. wwst.exe potentially exfiltrates data.
      2. Creates a DirectInput object.
  6. Discovery TA0007
    1. Query Registry T1012
      1. wwst.exe reads Windows license key from registry.
    2. System Network Configuration Discovery T1016
      1. Checks the online IP address of the machine.
      2. Sample enumerates processes, queries network configuration, collects hardware information and collects operating system information which indicates system fingerprinting.
    3. Process Discovery T1057
      1. wwst.exe enumerates running processes.
    4. System Information Discovery T1082
      1. Queries the cryptographic machine GUID.
      2. Reads software policies.
      3. Queries process information (via WMI, Win32_Process).
      4. Checks the free space of hard drives.
      5. Queries the volume information (name, serial number etc) of a device.
    5. File and Directory Discovery T1083
      1. Writes ‘.ini’ files.
      2. Reads ‘.ini’ files.
  7. Collection TA0009
    1. Input Capture T1056
      1. Contains functionality to log keystrokes (.NET source).
    2. Data from Local System T1005
      1. Found many strings related to crypto-wallets (likely being stolen).
  8. Command and Control TA0011
    1. Application Layer Protocol T1071
      1. Performs DNS lookups.
    2. Web Service T1102
      1. Connects to a Pastebin service (likely for C&C).

Conclusion

The re-emergence of the AsyncRAT malware family is a reminder of the ongoing threat posed by RATs and the importance of implementing robust security measures to protect against these types of attacks.


Since its discovery, AsyncRAT has continued to evolve and become more sophisticated. Security researchers have identified several variants of the malware, each with slightly different capabilities and techniques for evading detection. Despite this, the malware remains a persistent threat and continues to be used in attacks against organizations of all sizes.

Thank you @Will_G and @ArthurFontaine for valuable feedback and direction.
