AsyncRAT, an open-source remote access trojan, has spawned numerous forks that have left a significant mark on the malware landscape, most prominently DcRat and VenomRAT. These forks extend the original with their own plugins and evasion techniques, illustrating how quickly an open-source malware codebase can be adapted by other actors. #AsyncRAT #DcRat #VenomRAT #NonEuclidRAT #JasonRAT
Keypoints
- AsyncRAT was released as an open-source RAT in 2019 and has given rise to many variants and forks, expanding its reach and capabilities.
- DcRat and VenomRAT are among the most widely deployed AsyncRAT forks, incorporating features such as MessagePack data serialization and AMSI/ETW bypass.
- NonEuclid RAT is a lesser-known variant that introduces unique plugins like WormUsb.dll for malware spreading and cliper.dll for clipboard hijacking.
- JasonRAT features obfuscation via modified Morse code and country targeting, showing continued development in AsyncRAT derivatives.
- AsyncRAT forks can often be identified from their encrypted configuration: fields such as "Version", and the custom salt a fork uses when deriving its AES and HMAC keys from the master key, are distinctive per fork.
- Lesser-known variants include specialized plugins for audio playback, geolocation, brute forcing, clipboard monitoring, and ransomware capabilities.
- The proliferation of these forks demonstrates the risks associated with open-source malware frameworks, enabling rapid adaptation and misuse by threat actors.
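The keypoint about identifying forks from the encrypted configuration rests on how the AsyncRAT family protects its settings: each config field (Ports, Hosts, Version, MTX, ...) is stored as base64 of HMAC-SHA256 || IV || AES-256-CBC ciphertext, with the 32-byte AES key and the 64-byte HMAC key derived in sequence from the master key by PBKDF2-HMAC-SHA1 (50,000 iterations) over a salt hard-coded in the client. Because the HMAC only verifies under the right salt, an analyst can tell forks apart without decrypting anything. The script below is an added example written for this page, not code from the ESET write-up or from any RAT repository. The AsyncRAT salt is the 32-byte array from the public AsyncRAT client; the VenomRAT string is the value I recall from its source and should be confirmed against a real sample; the master key and the test vector are constructed. AES-CBC uses the third-party `cryptography` package; the salt check itself needs only the standard library.

```python
"""Fingerprint an AsyncRAT-family config field by its PBKDF2 salt.

Added example (not the ESET article's or any RAT project's code).
Field layout: base64( HMAC-SHA256(IV||CT) || IV || AES-256-CBC(CT) ).
Keys: PBKDF2-HMAC-SHA1(master_key, salt, 50000) -> 32-byte AES key, then 64-byte HMAC key.
"""
import base64
import hashlib
import hmac

try:  # AES-CBC needs a backend; the salt check below does not.
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:
    HAVE_AES = False

ITERATIONS = 50_000
TAG_LEN, IV_LEN, KEY_LEN, AUTH_KEY_LEN = 32, 16, 32, 64

# AsyncRAT: salt array from the public client source. VenomRAT: ASCII string as I
# recall it from its source (assumption; verify against a sample before relying on it).
KNOWN_SALTS = {
    "AsyncRAT": bytes([0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B,
                       0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
                       0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
                       0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41]),
    "VenomRAT": b"VenomRATByVenom",
}


def derive_keys(master_key: str, salt: bytes):
    """Mirror Rfc2898DeriveBytes: one 96-byte stream, split into (aes_key, auth_key)."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), salt,
                                 ITERATIONS, KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def split_blob(blob: bytes):
    """tag || iv || ciphertext; require at least one AES block of ciphertext."""
    if len(blob) < TAG_LEN + IV_LEN + 16:
        raise ValueError("blob too short for tag || iv || ciphertext")
    return blob[:TAG_LEN], blob[TAG_LEN:TAG_LEN + IV_LEN], blob[TAG_LEN + IV_LEN:]


def identify_fork(b64_field: str, master_key: str, salts=KNOWN_SALTS):
    """Return the name of the salt whose derived HMAC key authenticates the field, else None."""
    tag, iv, ct = split_blob(base64.b64decode(b64_field))
    for name, salt in salts.items():
        _, auth_key = derive_keys(master_key, salt)
        if hmac.compare_digest(hmac.new(auth_key, iv + ct, hashlib.sha256).digest(), tag):
            return name
    return None


def decrypt_field(b64_field: str, master_key: str, salt: bytes) -> str:
    """Verify the HMAC, then AES-256-CBC/PKCS7-decrypt one config field."""
    if not HAVE_AES:
        raise RuntimeError("install the 'cryptography' package for AES-CBC")
    tag, iv, ct = split_blob(base64.b64decode(b64_field))
    aes_key, auth_key = derive_keys(master_key, salt)
    if not hmac.compare_digest(hmac.new(auth_key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("HMAC mismatch: wrong master key or wrong salt")
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-8")


def encrypt_field(plaintext: str, master_key: str, salt: bytes, iv: bytes) -> str:
    """Build a field the way the client does, so the functions above can be exercised offline."""
    if not HAVE_AES:
        raise RuntimeError("install the 'cryptography' package for AES-CBC")
    aes_key, auth_key = derive_keys(master_key, salt)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode("utf-8")) + pad.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    tag = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + ct).decode("ascii")


def seal_raw(iv: bytes, ct: bytes, master_key: str, salt: bytes) -> str:
    """Constructed test vector: HMAC over caller-supplied IV/ciphertext, no AES required."""
    _, auth_key = derive_keys(master_key, salt)
    tag = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + ct).decode("ascii")


if __name__ == "__main__":
    # Constructed master key, as it would look after base64-decoding Settings.Key.
    KEY = "kQ7v2mXz9LpR4tWb8NcY1sHd6JfA3gE5"
    iv = bytes(range(16))
    field = seal_raw(iv, b"\x00" * 32, KEY, KNOWN_SALTS["AsyncRAT"])
    print("salt match:", identify_fork(field, KEY))
    if HAVE_AES:
        enc = encrypt_field("1.0.7", KEY, KNOWN_SALTS["VenomRAT"], iv)
        print("salt match:", identify_fork(enc, KEY))
        print("Version:", decrypt_field(enc, KEY, KNOWN_SALTS["VenomRAT"]))
```

In practice the master key comes from the sample's Settings class (base64-decode the Key field first), and you extend KNOWN_SALTS as you meet new forks; a field that verifies under no known salt is itself a signal that you are looking at a new derivative. The HMAC check is also the cheap way to confirm you extracted the right key before spending time on decryption.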
MITRE Techniques
- [T1562.001] Impair Defenses: Disable or Modify Tools - DcRat terminates security tools such as Taskmgr.exe and MsMpEng.exe to evade detection ("DcRat terminates security tools such as Taskmgr.exe and MsMpEng.exe").
- [T1562.006] Impair Defenses: Indicator Blocking - DcRat patches ETW to suppress event tracing and bypasses AMSI (T1562.001) to prevent script scanning ("DcRat leverages AMSI and ETW bypass techniques to evade detection").
- [T1027] Obfuscated Files or Information - JasonRAT uses a modified Morse code and meaningless variable names to hinder analysis ("JasonRAT employs modified Morse code and obscure variable names to hinder analysis").
- [T1528] Steal Application Access Token - DcRat includes a plugin that steals Discord tokens from infected devices ("DcRat leverages a plugin to steal Discord tokens from compromised machines").
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers - XieBroRAT uses BrowserGhost.dll to harvest browser credentials ("XieBroRAT uses a plugin to collect browser credentials").
- [T1110] Brute Force - NonEuclid RAT ships a plugin that brute-forces SSH and FTP credentials ("NonEuclid uses a plugin to brute force SSH and FTP credentials").
- [T1614] System Location Discovery - NonEuclid RAT collects the victim's geolocation ("NonEuclid uses a plugin that collects geolocation data from compromised systems").
- [T1123] Audio Capture - DcRat's microphone plugin records audio from infected systems ("DcRat has a microphone plugin that enables audio capture from the victim's device").
- [T1125] Video Capture - DcRat's webcam plugin gives the operator access to the victim's camera ("DcRat includes a webcam plugin that allows remote access to the victim's camera").
- [T1115] Clipboard Data - NonEuclid RAT monitors the clipboard and swaps cryptocurrency wallet addresses for the attacker's ("NonEuclid uses a plugin that monitors the clipboard to intercept and replace cryptocurrency wallet addresses").
- [T1486] Data Encrypted for Impact - DcRat's ransomware plugin encrypts victim files with AES-256 ("DcRat features a ransomware plugin capable of encrypting files on the victim's system").
Indicators of Compromise
- [SHA-1] NonEuclid RAT plugins - F8E31B338123E38757F8B7099797119A038A3538 (Screamer.dll), 2FA98D088486BAC57FF60E072E28FEE5830E7B28 (WormUsb.dll), and others.
- [SHA-1] DcRat and VenomRAT clients - B8AB93E958E0DE4BE2766B2537832EDB37030429 (DcRat Client.exe), 68B58483D0E4E7CC2478D6B4FC00064ADE3D7DB3 (VenomRAT Microsoft_Edge_Driver.exe).
- [SHA-1] JasonRAT client - FF4592A8BCB58F5CF6BD70B882E886EC6906EECD (Servant.exe).
- [SHA-1] Other AsyncRAT forks - 4F69E0CE283D273B724CE107DF89F11C556A7A4E (BoratRAT Client.exe), 3124F58428184FDF75E21B1E5A58CADF9DD2BA03 (PhoenixRAT Stub.exe), and more.
Read more: https://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/