Keypoints
- AsyncRAT is delivered via open directories using disguised files (e.g., JPGs that are actually archives) and obfuscated scripts.
- Two separate infection techniques were observed: a multi-stage chain (VBS → XML/PowerShell → VBS → BAT → PS1 → scheduled task → loader) and a shorter two-stage chain (VBS → PowerShell → files + scheduled task).
- Attackers hide payloads and behavior through variable/name obfuscation, hex-encoded strings, and by embedding EXE/DLL data to execute directly in memory.
- PowerShell scripts create scheduled tasks (every 2 minutes) to achieve persistence and silent re-execution of AsyncRAT components.
- Deobfuscation steps (replacing variables, collapsing redundant logic, using vertical reading for BAT files) make the scripts readable and reveal the payload flow.
- Sandbox execution (ANY.RUN) confirms C2 infrastructure, ports, certificates, mutexes, and other runtime artifacts for the AsyncRAT samples.
MITRE Techniques
- [T1071] Command and Control – Use of external domains and IPs for C2 communication; quote: (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
- [T1059] Command and Scripting Interpreter – Execution of scripts using PowerShell and VBS to download, extract and run payload stages; quote: (‘Uses PowerShell and VBS scripts to execute malicious payloads.’)
- [T1053] Scheduled Task/Job – Creation of scheduled tasks (e.g., tMicNet Work40, thepiratMicrosoftEdgeUpdateTask) to run persistence scripts every two minutes; quote: (‘Creates scheduled tasks to ensure the malware runs at regular intervals.’)
- [T1027] Obfuscated Files or Information – Heavy obfuscation (randomized variable names, hex encoding, split strings) to hide intent and evade analysis; quote: (‘Employs obfuscation techniques to conceal the true nature of scripts and files.’)
Indicators of Compromise
- [IP Address] Open directory hosts – 23.26.108.141, 45.126.208.245 (servers hosting malicious open directories)
- [Domain] Command-and-control domains – storeroot[.]duckdns[.]org, anothonesevenfivesecsned[.]ddns[.]net (observed C2 infrastructure)
- [File name] Dropper and stage filenames – AsyncRAT.exe, AsyncRAT.dll, fsp.txt, zohre.jpg (disguised archive), and other staged scripts like KiLOvBeRNdautESaatnENn.ps1
- [File hash] Sample hashes for detection/context – 70733e5f26a5b4d8c3d2bcc9a21cd015cee63dc0f93c819e7c401237f69967fe (AsyncRAT.exe), 2c6c4cd045537e2586eab73072d790af362e37e6d4112b1d01f15574491296b8 (AsyncRAT.dll), and other hashes listed in the report
The original analysis traces two practical deployment patterns for AsyncRAT discovered in public open directories. The first pattern is a long, multi-stage chain: an obfuscated TXT/VBS holds code to download a disguised JPG (actually a ZIP), which extracts files and launches a cascade of VBS, BAT and PowerShell scripts. Those scripts deobfuscate and reconstruct payloads (DLL and EXE) in memory and install scheduled tasks to run the final loader every two minutes for persistence.
The second pattern uses a shorter flow where a commented VBS downloads a disguised PowerShell payload that directly writes three helper files: one that decodes and loads EXE/DLL content into memory, one that triggers the loader, and a third that hides the execution (roox.bat/roox.vbs). That PowerShell also sets a scheduled task (thepiratMicrosoftEdgeUpdateTask) to guarantee repeated execution and stealthy persistence.
Throughout the report the author demonstrates clear deobfuscation techniques—replacing random variables with readable names, collapsing redundant logic, vertical reading of BAT variables, and hex-decoding—then verifies runtime behavior using the ANY.RUN sandbox to extract C2 addresses, ports, certificates and mutexes. These steps produce actionable IOCs (IPs, domains, filenames and hashes) that defenders can use to detect and block these AsyncRAT campaigns.
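The deobfuscation steps summarised above (vertical reading of BAT `set` lines, variable substitution, hex decoding, then spotting the scheduled-task cadence) carried out in code, as an added Python example rather than the report's own tooling. The batch script it works on is a constructed stand-in written in the same style, and the helper names (`collect_vars`, `expand`, `decode_hex_runs`, `deobfuscate`, `task_intervals`) are this example's own.

```python
import re
# Constructed sample in the style the report describes; not one of its real scripts.
SAMPLE_BAT = r'''
@echo off
set "qZx=pow"
set "mWv=ersh"
set "tRk=ell"
set "bLq=-w hidden -ep bypass"
set "cmd=%qZx%%mWv%%tRk%"
set "hCd=schtasks /create /sc minute /mo 2 /tn UpdTask /tr"
%cmd% %bLq% -c "$f=-join[char[]](0x66,0x73,0x70,0x2e,0x74,0x78,0x74)"
%hCd% "%cmd% %bLq% -f C:\Users\Public\stage.ps1"
'''
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
REF_RE = re.compile(r'%([^%\s]+)%')
HEX_RE = re.compile(r'(?:0x[0-9a-fA-F]{2}\s*,\s*){3,}0x[0-9a-fA-F]{2}')
TASK_RE = re.compile(r'schtasks\s+/create.*?/sc\s+minute\s+/mo\s+(\d+)', re.IGNORECASE)

def collect_vars(lines):
    """Vertical read: map every `set NAME=VALUE` line to its value."""
    return {m.group(1): m.group(2) for line in lines if (m := SET_RE.match(line))}

def expand(text, env, max_depth=10):
    """Substitute %NAME% references; loop because a value may nest other names."""
    for _ in range(max_depth):
        new = REF_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text

def decode_hex_runs(text):
    """Show runs of 0x.. bytes as the string they spell, or raw hex if not printable."""
    def render(m):
        data = bytes(int(b, 16) for b in re.findall(r'0x([0-9a-fA-F]{2})', m.group(0)))
        if all(32 <= c < 127 for c in data):
            return "'" + data.decode('ascii') + "'"
        return f'<{len(data)} bytes: {data.hex()}>'
    return HEX_RE.sub(render, text)

def deobfuscate(script):
    """Drop the assignment noise, then resolve variables and hex on the real commands."""
    lines = script.strip().splitlines()
    env = collect_vars(lines)
    cmds = [l for l in lines if not SET_RE.match(l) and l.strip().lower() != '@echo off']
    return [decode_hex_runs(expand(l, env)) for l in cmds]

def task_intervals(deobfuscated_lines):
    """Minute cadence of any scheduled task the script creates (the report saw 2)."""
    return [int(m.group(1)) for l in deobfuscated_lines if (m := TASK_RE.search(l))]
```

Running `deobfuscate(SAMPLE_BAT)` collapses the nine-line script to the two commands that matter (a hidden PowerShell launch and a task registered every two minutes), which is the readable form the report's manual steps arrive at.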
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/asyncrat-open-directories-infection-analysis/