Catching a RAT: How Darktrace neutralized AsyncRAT

AsyncRAT, a Remote Access Trojan originally released as open-source software in 2019, has become a widely used tool that various threat actors deploy to remotely control compromised devices and exfiltrate sensitive data. Darktrace detected multiple AsyncRAT command-and-control (C2) connections in late 2024 and blocked them through autonomous response measures to protect customer environments.

Key points

  • AsyncRAT enables attackers to remotely control infected machines with features like keylogging, file searching, audio/video capture, and payload staging.
  • The malware establishes persistence using scheduled tasks and registry modifications while leveraging SeDebugPrivilege to escalate privileges.
  • It employs virtualization and sandbox evasion by detecting VM environments such as VMware and VirtualBox through WMI queries.
  • Darktrace identified AsyncRAT-related suspicious connections to multiple rare external IP addresses (e.g., 185.49.126[.]50, 195.26.255[.]81) using default AsyncRAT ports like 6606, 7707, and 8808.
  • Associated SSL certificates labeled as “CN=AsyncRAT Server” confirmed the C2 infrastructure, which Darktrace’s Autonomous Response actively blocked to contain the threat.
  • Further connections to suspicious endpoints including the domain “kashuub[.]com” and IP 191.96.207[.]246 were detected and blocked, potentially linked to ScreenConnect used alongside AsyncRAT.
  • Darktrace’s AI-powered detection and response capabilities were crucial in identifying and mitigating the ongoing AsyncRAT campaign before significant data loss occurred.

MITRE Techniques

  • [T1053] Scheduled Task/Job – AsyncRAT establishes persistence by creating scheduled tasks. (“once installed, it establishes persistence via techniques such as creating scheduled tasks or registry keys”)
  • [T1497] Virtualization/Sandbox Evasion – It detects virtual machine environments by querying system manufacturer strings for “VMware” and “VirtualBox”. (“this RAT checks for the manufacturer via the WMI query ‘Select * from Win32_ComputerSystem’ and looks for strings containing ‘VMware’ and ‘VirtualBox’”)
  • [T1057] Process Discovery – AsyncRAT performs discovery of processes to gather system information.
  • [T1082] System Information Discovery – Used to collect details about the compromised system environment.
  • [T1021.001] Remote Services: Remote Desktop Protocol – Enables lateral movement via remote desktop capabilities.
  • [T1056] Input Capture: Keylogging – Captures user input through keylogging functionality.
  • [T1125] Video Capture – Allows the attacker to capture video or images from the compromised device’s camera.
  • [T1105] Ingress Tool Transfer – Used to deliver additional payloads to the infected system.
  • [T1219] Remote Access Software – AsyncRAT acts as a remote access tool for attackers.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates data through command-and-control channels.

Indicators of Compromise

  • [IP Address] AsyncRAT Command-and-Control servers – 185.49.126[.]50, 195.26.255[.]81, 191.96.207[.]246
  • [SSL Certificate] C2 Infrastructure – CN=AsyncRAT Server (Used to encrypt communications with AsyncRAT servers)
  • [Domain] C2 Endpoint – kashuub[.]com (Associated with AsyncRAT and ScreenConnect activity)
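The key points above describe how the C2 activity was spotted: rare external destinations on the default AsyncRAT ports (6606, 7707, 8808), a TLS certificate subject of "CN=AsyncRAT Server", and the additional endpoint kashuub[.]com. The following script is an added example, not Darktrace's code or part of the original post; it shows how a defender could apply exactly the indicators listed above to connection logs. The log format (space-separated `src dst port proto`, with optional `sni=` and `subject="..."` fields) and all sample records are constructed for the example; the "internal network" ranges are an assumption (RFC 1918, loopback and link-local) rather than anything the page states.

```python
"""Flag network connections that match the AsyncRAT indicators listed on this page.

Added example (not Darktrace's code). The records scanned below are constructed,
Zeek-like connection/TLS summaries, not real customer data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators exactly as the page publishes them (defanged with "[.]").
C2_IPS_DEFANGED = ["185.49.126[.]50", "195.26.255[.]81", "191.96.207[.]246"]
C2_DOMAINS_DEFANGED = ["kashuub[.]com"]
DEFAULT_ASYNCRAT_PORTS = {6606, 7707, 8808}
C2_CERT_SUBJECT = "CN=AsyncRAT Server"

# Assumed definition of "internal": RFC 1918, loopback and link-local ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {refang(i) for i in C2_IPS_DEFANGED}
C2_DOMAINS = {refang(d).lower() for d in C2_DOMAINS_DEFANGED}


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    dst_port: int
    reasons: List[str]

    @property
    def severity(self) -> str:
        # A direct IoC hit is high confidence; a bare default port to an unknown
        # external host is only a lead worth triaging.
        return "high" if any(r.startswith("ioc:") for r in self.reasons) else "low"


# Constructed record layout: src dst dst_port proto [sni=<name>] [subject="<cert subject>"]
RECORD_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<proto>\S+)"
    r'(?:\s+sni=(?P<sni>\S+))?(?:\s+subject="(?P<subject>[^"]*)")?$'
)


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(record: str, line_no: int = 0) -> Optional[Finding]:
    """Return a Finding when the record matches any page indicator, else None."""
    m = RECORD_RE.match(record.strip())
    if not m:
        return None
    src, dst, port = m["src"], m["dst"], int(m["port"])
    reasons: List[str] = []
    if dst in C2_IPS:
        reasons.append(f"ioc:ip:{dst}")
    if m["sni"] and m["sni"].lower() in C2_DOMAINS:
        reasons.append(f"ioc:domain:{m['sni']}")
    if m["subject"] and C2_CERT_SUBJECT.lower() in m["subject"].lower():
        reasons.append(f"ioc:cert:{C2_CERT_SUBJECT}")
    # Default AsyncRAT ports are only interesting when the destination is external.
    if port in DEFAULT_ASYNCRAT_PORTS and is_external(dst):
        reasons.append(f"default-port:{port}")
    return Finding(line_no, src, dst, port, reasons) if reasons else None


def scan(records: List[str]) -> List[Finding]:
    """Scan a list of records and return every Finding, in log order."""
    return [f for f in (analyse(r, i) for i, r in enumerate(records, 1)) if f]


# Constructed sample records (the 10.20.30.x hosts and 198.51.100.7 are invented).
SAMPLE_LOG = [
    '10.20.30.41 185.49.126.50 6606 tcp subject="CN=AsyncRAT Server"',  # IP + cert + port
    "10.20.30.41 195.26.255.81 7707 tcp",                                 # IP + port
    "10.20.30.42 191.96.207.246 443 tcp sni=kashuub.com",                 # IP + domain
    "10.20.30.43 198.51.100.9 443 tcp sni=example.com",                   # benign
    "10.20.30.44 10.0.0.5 8808 tcp",                                      # internal, ignored
    "10.20.30.45 198.51.100.7 8808 tcp",                                  # default port only
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.dst_port} [{f.severity}] {', '.join(f.reasons)}")
```

Keeping the indicators defanged in the source and refanging them only at match time avoids accidentally "live" IoCs in tickets and documentation; the severity split reflects the page's own reasoning, where the certificate subject and listed IPs confirmed the infrastructure while a default port alone is only a prompt to look closer.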


Read more: https://darktrace.com/blog/catching-a-rat-how-darktrace-neutralized-asyncrat