AsyncRat, a remote access trojan known since 2019, has recently been observed in new variants written in Rust, offering enhanced obfuscation and cross-platform capabilities. These Rust variants maintain similar functionalities to the original C# versions but are still under active development, with fewer supported commands and stealthy plugin management. #AsyncRat #RustMalware #RemoteAccessTrojan
Key points
- AsyncRat is a remote access trojan tracked since 2019, providing attackers remote control over compromised systems.
- New samples of AsyncRat have been observed rewritten in Rust, a language that complicates reverse engineering.
- The Rust variant retains similar functionality to the original C# version, including plugin installation and persistence mechanisms.
- Plugins are stored in the Windows registry and loaded dynamically rather than being saved as binaries on disk.
- Command and control (CnC) communication occurs over TLS with hardcoded server addresses and ports.
- The Rust variant supports a limited set of commands compared to the C# version, indicating it is still in development.
- Indicators of compromise include specific file hashes and three hardcoded CnC server domains.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The malware executes commands and plugins dynamically as indicated by ‘plugin – execute a plugin identified by the hash’.
- [T1071] Application Layer Protocol – CnC communication occurs over TLS with hardcoded server addresses (‘Communication between the client and the server happens over TLS’).
- [T1543] Create or Modify System Process – Persistence is achieved by installing scheduled tasks or launching via batch files depending on privilege level (‘…either installs a scheduled task or copies itself to the temporary directory and starts itself via a batch file’).
- [T1112] Modify Registry – Plugins are stored in the registry under HKCUSoftwareC2CPlugins for dynamic loading (‘Plugins are installed not as binaries on disk but are stored in the registry… and are loaded and run dynamically’).
Indicators of Compromise
- [File Hash] AsyncRat Rust variant sample – eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459
- [Domain] Hardcoded CnC servers – mohsar.ddns.net, magic-telecom.ddns.net, backup-tlscom.sytes.net
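As an added defender-side example (not code from the G DATA write-up), the script below hunts for the two behaviours summarised above on a constructed `reg export` dump and a constructed DNS log: binary registry values that begin with a PE "MZ" header, assuming the stored plugin is a raw PE image (the page does not state the format), and queries for the three listed CnC domains. The key and value names in the sample are placeholders, not the real ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export HKCU\Software` dump, NOT from a real infection:
# one ordinary string value and one REG_BINARY value starting with an MZ header
# (4d 5a), the shape a PE image stored in the registry would have.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\App]
"Theme"="dark"

[HKEY_CURRENT_USER\Software\ExampleKey\Plugins]
"a1b2c3"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00
"""

# CnC domains listed on the page as indicators of compromise.
CNC_DOMAINS = {"mohsar.ddns.net", "magic-telecom.ddns.net", "backup-tlscom.sytes.net"}

KEY_RE = re.compile(r"^\[(.+)\]$")
HEX_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')


def parse_reg_export(text: str) -> List[Tuple[str, str, bytes]]:
    """Return (key, value_name, raw_bytes) for every REG_BINARY value in a .reg dump.
    Continuation lines end with a backslash, so hex payloads are joined first."""
    joined = text.replace("\\\n", "")
    out, key = [], None
    for line in joined.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = HEX_RE.match(line)
        if m and key:
            hexpart = m.group(2).replace(",", "").replace(" ", "")
            out.append((key, m.group(1), bytes.fromhex(hexpart)))
    return out


def find_pe_in_registry(text: str) -> List[Dict[str, object]]:
    """Flag REG_BINARY values that look like a PE image (MZ header) - a binary-free
    plugin store on disk is exactly what the Rust variant is described as using."""
    return [{"key": k, "value": n, "size": len(b)}
            for k, n, b in parse_reg_export(text) if b[:2] == b"MZ"]


def find_cnc_lookups(dns_log: str) -> List[str]:
    """Return the hardcoded CnC domains that appear in a DNS/proxy log."""
    return sorted(d for d in CNC_DOMAINS
                  if re.search(r"\b" + re.escape(d) + r"\b", dns_log))
```

Run the same functions over a real `reg export HKCU\Software` file and your resolver logs; any MZ-headed value under a user hive deserves a closer look regardless of its key name.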
Read more: https://www.gdatasoftware.com/blog/2025/05/38207-asyncrat-rust