Analyzing AsyncRAT distributed in Colombia by Blind Eagle | Welcome to Jstnk webpage

Summary​

During 2019-2021 I was focused on analyzing campaigns orchestrated by the APT-C-36 group and RATs used by this same group and other cybercriminal groups such as RemcosRAT, AsyncRAT, Imminent Monitor RAT, etc. In the last few months I have seen some modifications of TTPs in many of these families that have caught my attention and I wanted to analyze them to see what is new.

Therefore, during this entry we will go through the analysis of a sample of AsyncRAT distributed in Colombia during the last month.

The objective of the analysis is to provide information on the execution of the binary, genealogy and other stuff, not to go into the details of the static part.

Analysis​

Static​

The basic static information of the sample to be analyzed is shown in the table below.

Field Value
File name Stub.exe
Type PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
MD5 c0b9838ff7d2ddecbfe296eae947e5d6
SHA1 76af794b85e4a4ba75c5703df1207b7a6798bf2e
SHA256 79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3
File size 45.00 KB (46080 bytes)

static01

After verifying that the binary was C#, I decided to perform a small analysis of the code to check some of the actions that the malware should do once executed, before executing it on my systems.

basiccode

If we go to the Main function, which is the one defined in the entry point, we see that it contains the structure shown in the following image.

basiccode

The binary will check a series of conditions to verify if it is being executed among other things in a virtual environment or not, and depending on the results, it will continue its normal flow or kill the process.

The first check is to verify if a series of settings established in the code, among which are the key, pastebin URL, version, etc.

basiccode

Secondly, it tries to create a mutex and stop similar processes of the same sample that may be running.

mutexcheck

It then performs several checks to identify the context where it is running (mainly to see if it is a virtual machine or a sandbox). Different anti-analysis techniques are put in place.

The first of all is related to the DetectManufacturer method which aims to see if the system is related to Vmware, VirtualBox, or virtualized in general.

antianalysis

The next thing is to check if a debugger exists in the context of AsyncRAT. To do this, it makes use of the isDebuggerPresent API.

debugg

Next, the check is focused on seeing if the system where it was executed is the known sandboxie, to check it, tries to identify if the DLL SbieDll.dll is running.

sandbxie

The next check it performs is on the system disk capacity. In this case, it checks if the disk is less than 61000000000L (56.8 GB). If it is, it returns false.

disk

The last thing it performs in this set of checks is to identify if the operating system is Windows XP with a simple method.

xp

It also aims to generate persistence in the system. To do this, it checks if the context of the process was launched with privileges, if so, it will make use of schtasks.exe to create a task. Otherwise, if the context is not found with administrator permissions, it will try to modify the registry key SoftwareMicrosoftWindowsCurrentVersionRun to execute a copy of itself create in the %appdata path.

schedule

After this, the sample copies itself into the %appdata% directory and will create a .bat file to first launch a timeout, run the sample from %appdata% and delete the .bat file.

batcreation

The last interesting activity is to establish communications with the C2 through the ClientSocket.Reconnect(); and ClientSocket.InitializeClient(); methods.

c2

The sample can perform many other actions once it is deployed in the environment. For example, the Client.Helper.IdSender class has a method called sendInfo which is responsible for sending information from the operating system to the C2.

sendinfo

Going into detail of each class could take a long time, and in this case, the goal is to analyze the behavior once executed, so I leave a small image of a part of the classes and methods that incorporates the sample and we will perform an analysis of the behavior.

classesandmethods

Dynamic​

high level processes events​

highlevelprocesses

Now it is time to detonate the malware in a controlled environment to verify the behavior of the malware. In this case, I did different executions with and without administrator permissions to see how the sample behaved. I did this because in the static part we have seen that the behavior could vary depending on whether it was executed in the administrator context.

privileged execution – Genealogy​

admingenealogy

non-privileged execution – Genealogy​

admingenealogy

As can be seen, there are some differences when the sample was executed with privileges and when not. For example, in the first image, which corresponds to the execution with privileges, there are 3 additional processes which are the following.

|_ cmd.exe (7380)
|_ Conhost.exe (8972)
|_ schtasks.exe (4152)

This is because the execution of the process 7380 cmd.exe, is the behavior related to setting the scheduled task. However, if the sample is run without administrator permissions, the scheduled task cannot be generated.

We are going to go into detail about the processes to see the main actions they performed and that could be of interest in order to generate some kind of detection or identification of patterns. To do this, we will focus on the execution with administrator permissions and in case there is something different in the other execution, it will be named.

Stub.exe – 2740​

C:UserslabDesktopStub.exe

This is the AsyncRAT sample. The execution was performed with administrator privileges.

This process, as we saw before, would be in charge of creating certain files in the system. First of all, what it does is to create in the %appdata% directory a copy of itself.

writeruntim

Then, it creates the batch file also in %appdata%, which will be executed later to perform different actions in the operating system.

writefilesbat

As for registry keys, there is no significant activity.

Different behavior in the sample run without privileges.

However, in the case of unprivileged execution, there would be a modification in the registry keys for persistence, using the key HKCUSoftwareMicrosoftWindowsCurrentVersionRunRuntime Broker.

registrykey

cmd.exe – 7380​

"C:WindowsSystem32cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:UserslabAppDataRoamingRuntime Broker.exe"' & exit

This process is basically in charge of launching the schtasks.exe binary. It is important to mention, as we are seeing and will see throughout the analysis, that since this is a 32bit sample, the executions will be related to the C:WindowsSysWOW64 directory.

registrykey

This process will not exist when running AsyncRAT without administrator permissions.

schtasks.exe – 4152​

schtasks  /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:UserslabAppDataRoamingRuntime Broker.exe"' 

The task is generated in the system to be executed at each login of any user with administrator permissions.

/f -> A value that forcefully creates the task and suppresses warnings if the specified task already exists.
/sc onlogon -> In each login
/rl highest -> Max privileges
/tn "Runtime Broker" -> Task name
/tr "C:UserslabAppDataRoamingRuntime Broker.exe" -> Task run to execute

task

cmd.exe – 8840​

C:Windowssystem32cmd.exe /c ""C:UserslabAppDataLocalTemptmp3959.tmp.bat""

This process is in charge of executing the bat file that was created during the execution of the Stub.exe binary. It is important to mention that the name of the batch file varies according to the execution, however, the pattern is always the same. The following RegEx would work to detect this.

.*tmp[a-zA-Z1-9]{4}.tmp.bat

task

timeout.exe – 6272​

timeout  3 

The malware uses a timeout of 3 seconds before it starts performing the rest of the actions.

Runtime Broker.exe – 4080​

"C:UserslabAppDataRoamingRuntime Broker.exe" 

As can be seen from the name of the process, the malware tries to impersonate the legitimate Microsoft Windows binary runtimebroker.exe. However, it can be noticed in this case that there is a space between the two words.

Here the communication with the C2 server is established. The ports used in this case are 8808, 7707 and 6606. The destination IP address is 217.195.197[.]70.

connections

On the other hand, another indicator that could help us to identify the sample and the family during the analysis is the Mutex used, which in this case is AsyncMutex_6SI8OkPnk.

mutex

During the execution of Runtime Broker.exe, I proceeded to extract the .NET assembly from memory to verify if it was the same Stub.exe binary analyzed later or if it presented some difference when is launched. During this extraction, the following assemblies were obtained from memory.

File name SHA1 Comments
aB.exe 76AF794B85E4A4BA75C5703DF1207B7A6798BF2E Same sample as Stub.exe
MessagePackLib.dll 16CC8C3A461A6CE5A7ED1FF569EA61B8D9BA143E At the time of analysis, 41/68 engines in VT detect it as malicious. Different family names.
Recovery.dll 93E9469789A4ECD28E30006D1CE10DBFFBD36D7C At the time of analysis, 44/68 engines in VT detect it as malicious. Code protected by Reactor.
System.Data.SQLite.dll B9D5AF76D8DF1C4EE4CCBA33B2AFA8300952D923 Mixed-mode assembly for System.Data.SQLite. More information here.
Newtonsoft.Json.dll E68B369BC131A32D5233EE395F47B337C2469042 Json.NET is a popular high-performance JSON framework for .NET

aB.exe​

The assembly aB.exe is the same Stub.exe file, which in turn is also Runtime Broker.exe.

MessagePackLib.dll​

This DLL does not contain any packers or code protectors. 41 out of 68 VT engines detect this DLL as malicious.

nopacker

Taking a look at the assembly, you can see that the class structure does not seem to be very complex, and with a little patience you could identify its functionality (if you are interested in the sample, ask me privately).

assemblymessage

Recovery.dll​

In this case, it has been possible to verify the existence of Reactor, called by itself as a .NET code protection as can be seen on its website.

recoverypacker

As for the assembly, it can be verified that there is a protection of the code, since many strings and classes are randomized at the moment of observing their possible logic.

recoverypacker

In a process of trying to remove the code protection, it is possible to see in a more readable way part of the code, identifying messages of actions that the assembly could try, in this case as seen in the image, related to the obtaining of Firefox cookies.

unprotectedcode

High level graph​

In order to have a graphical view of the most important events that take place during the execution of AsyncRAT, a behavior graph has been elaborated where the events generated in the system during its execution can be seen.

graph

Diamond model​

graph

Technique Kill chain phase Diamond vertex Comments
T1566.001 – Phishing: Spearphishing Attachment Delivery Capability Email with ZIP file attached
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Installation Capability Set registry key if non-privileged user executes the payload
T1053.005 – Scheduled Task/Job: Scheduled Task Installation Capability Creates new scheduled task if privileged user executes the payload
T1036.005 – Masquerading: Match Legitimate Name or Location Execution Capability Writes itself as a file named Runtime Broker.exe saved in %APPDATA%
T1571 – Non-Standard Port C2 Infrastructure Use the ports 8808, 7707 and 6606 for communication
T1059.003 – Command and Scripting Interpreter: Windows Command Shell Execution Capability Executes batch file created previously
T1027 – Obfuscated Files or Information Exploitation Capability .NET Reactor is used for code protection
T1095 – Non-Application Layer Protocol C2 Infrastructure TCP is used for C2 communications
  • 217.195.197[.]70 through 6606, 7707, 8808 ports
  • 76AF794B85E4A4BA75C5703DF1207B7A6798BF2E
  • 16CC8C3A461A6CE5A7ED1FF569EA61B8D9BA143E
  • 93E9469789A4ECD28E30006D1CE10DBFFBD36D7C
  • Mutex AsyncMutex_6SI8OkPnk

Sigma rules​

The sigma rules created are specifics for this payload. There will be different payloads used by AsyncRAT with the same name or different. Is important to mention that the original filename embbeded in this case is Stub.exe. This is interesting because if the adversaries create new payloads, maybe the original filename will still being the same.

title: Detect AsyncRAT persistence with schtasks based on specific payload
id: 4410f0ad-3a1c-4e21-9e3a-fa55336aa123
description: Detect the execution of the AsyncRAT payload to launch schtask for persistence.
status: experimental
date: 2022/06/01
modified: 2022/06/01
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
references:
- https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis
- https://www.virustotal.com/gui/file/79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3
logsource:
product: windows
category: process_creation
detection:
parent_selection:
ParentImage|endswith: 'Stub.exe'
selection1:
Image|endswith: 'cmd.exe'
CommandLine|contains|all:
- 'schtasks '
- 'AppDataRoaming'
- '.exe'
condition: parent_selection and selection1
falsepositives:
- Unknown
level: medium
tags:
- attack.persistence
- attack.T1053.005

title: Detect AsyncRAT execution based on specific payload
id: ac891380-958b-4c08-a77d-8e149d63d741
description: Detect the execution of the AsyncRAT payload to establish registry key for persistence.
status: experimental
date: 2022/06/01
modified: 2022/06/01
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
references:
- https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis
- https://www.virustotal.com/gui/file/79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3
logsource:
product: windows
category: registry_set
detection:
selection:
EventType: SetValue
Image|endswith: 'Stub.exe'
TargetObject|endswith: 'SoftwareMicrosoftWindowsCurrentVersionRun'
Details|contains: '.exe'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.persistence
- attack.t1547.001

In the original Sigma repository, there are a large number of generic rules that can help in the detection of this malware.

Contact

Twitter: https://twitter.com/Joseliyo_Jstnk

LinkedIn: https://www.linkedin.com/in/joseluissm/

Source: https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/#summary