ASyncRAT delivered through malspam via OneNote attachment (Stage 2)

Leave a Comment / Malware Analysis / By

Continuing our previous AsyncRAT discussion, this is Part 2 of this blog post, where I will review stage 2, which will cover the analysis of the ASyncRAT payload (payload.exe) and we will dive into some of its functionalities.

Table Description automatically generated Figure 1: File property details of payload.exe shown in CFF Explorer.

Unpacking ASyncRAT

Since this is a .NET Assembly executable, I used DnSpy to start debugging it, to try and determine what are some of this file’s functionalities. After analyzing and decrypting the encoded (Base64 + AES Encryption (Key, IV)) 1st function (Fig. 2), this malware utilizes some of the following Anti-analysis Techniques:

Calls CheckRemoteDebuggerPresent which checks if a debugger (in a different process on the same machine) is attached to the current process.

Calls IsDebuggerPresent which checks whether the current process is being debugged by a user-mode debugger.

Calls AmsiScanBuffer to attempt to bypass AMSI (Antimalware Scan Interface).

A screenshot of a computer Description automatically generated with medium confidence Figure 2: The first function of payload.exe while loaded into DnSpy.

Graphical user interface, text, application, email Description automatically generated Figure 3: De-obfuscating the first function using CyberChef, reveals strings of Anti-analysis API calls.

Looking at all of the obfuscation within each of these functions, I came to the conclusion, that I was looking at a packed file.

My next step was to look for the file’s unpacking routine, which brought me to the object named memoryStream2 which is from the MemoryStream Class where it receives decompressed bytes from object GzipStream. These bytes were copied to _buffer. After my breakpoint is hit at “return memoryStream2.ToArray()”. I was able to dump the contents of _buffer, the dumped binary is an executable (File header: MZ). (Fig. 4 & 5)

Text Description automatically generated
Figure 4: Breakpoint set on “return memoryStream2.ToArray()”, contents of _buffer is a dumped executable (File header: 0x4D5A).

Figure 5: MemoryDump Window 2 shows contents of _buffer which is a dumped executable (File header: MZ).

A quick look at this file in CFF Explorer (Fig. 6). I can confirm after reviewing its strings, that the dumped binary is an unpacked version of ASyncRAT. I re-named this file unpacked_payload.exe (Original Filename: AsyncClientnownow.exe).

Table Description automatically generatedFigure 6: File property details of unpacked_payload.exe (AsyncClientnownow.exe) shown in CFF Explorer.

Analysis of unpacked ASyncRaT

Next, I load unpacked_payload.exe (AsyncClientnownow.exe) into DnSpy for analysis. The Main() function initializes settings and flow of code execution. The delay function defines the sleep duration (3 seconds) before execution.

Mutex

if (!MutexControl.CreateMutex())

Environment.Exit(0);

It checks to make sure that the current payload is not duplicated by checking if the Mutex value already exist (MTX = “AsyncMutex_6SI8OkPnk”). (Fig. 7).

InitializeSettings

if (!Settings.InitializeSettings())

Environment.Exit(0);

The InitializeSettings function enables all hardcoded configurations and settings (Figure 7). It also enables decryption of all configuration settings from the AES256 algorithm. (Fig. 8).

Text Description automatically generatedFigure 7: Main() function.



Text Description automatically generatedFigure 8: InitializeSettings function, where you can see the decryption of all configuration settings from the AES256 algorithm.


Configuration Settings


Below are the decrypted hardcoded configuration settings:


Key: JXkxqn0C8WXhwunn5UZ2PfINpI6joafo 


Ports: 6606, 7707, 8808 


Hosts: 154.12.234.207 


Version: 0.5.7B 


Install: False 


MTX (Mutex): AsyncMutex_6SI8OkPnk 


Pastebin: null 


Anti: False 


BDOS: False


Figure 9: Connection to C2 server (154.12.234.207) to check-in.


Anti Analysis


The Anti Analysis function includes multiple subfunctions to check for the following anti-analysis tools such as (Fig. 10):


    

  • Detect Manufacturer: enables anti-VM (virtual machine) techniques by using WMI to check for VM environments by querying for the following keywords: “Microsoft Corporation”, “VIRTUAL”, “VMware”, or “VirtualBox”.
    • 

  • Detect Sandbox: checks for the presence of “SbieDll.dll”, to detect if it is running in a sandbox (Sandboxie).
    • 

  • IsSmallDisk: checks for small disk less (than or equal to 61000000000L (56.8 GB)) that may be often used by virtual machines designed for malware analysis.
    • 

  • IsXP: checks whether the operating system is Windows XP.
    • 

  • Anti-Virus Check: checks for which antivirus product is installed in the system by using WMI query command: “\rootSecurityCenter2”. This pulls this information from Windows security Center.
    • 

  • Detect Debugger: calls CheckRemoteDebuggerPresent which checks if a debugger (in a different process on the same machine) is attached to the current process.
    • 



A screenshot of a computer Description automatically generated with medium confidenceFigure 10: Anti_Analysis function.


Install and Persistence


ASyncRAT’s Install function maintains persistence checks as to whether the user has admin privileges. This occurs by creating a scheduled task to check every time a user logs on (Fig. 11):


“/c schtasks /create /f /sc onlogon /rl highest /tn”


If the process reveals there are no admin privileges, a run registry entry is created in HKEY_CURRENT_USER: “Software\Microsoft\Windows\CurrentVersion\Run”; it then copies itself into a “%temp%” folder with a different name and executes from the temp folder via a batch script (Fig. 12 &13).


Text Description automatically generatedFigure 11: Install function.


Text Description automatically generatedFigure 12: Batch script used for Persistence.


Graphical user interface, table Description automatically generated Figure 13: Registry key used for Persistence.


From there, the attacker can execute various commands on the infected system, including:


• Downloading additional malware (i.e. Remos)


• Executing programs and commands


• Taking screenshots


• Logging keystrokes


• Turning on the microphone and/or webcam to spy on the victim


Detection and Prevention


To detect and prevent ASyncRat attacks, it is important to be aware of the following:


• Suspicious email attachments


• Suspicious network activity


• Slow system performance


• Unusual pop-up windows and error messages


It is also recommended to implement the following best practices:


• Keep software and security systems up to date


• Educate employees on the dangers of phishing emails and malspam


• Use Anti-Virus with real-time protection


• Enable firewalls and limit incoming connections


• Regularly backup important data and store those backups offline


Conclusion


ASyncRat is a malicious RAT that can compromise the security of a target system and allow remote attackers to gain unauthorized access and control. To protect against ASyncRat attacks, it is important to be aware of the signs of infection and implement best practices for cybersecurity. By staying informed and vigilant, organizations and individuals can reduce their risk of falling victim to ASyncRat.


IOCs:


payload.exe (Original Filename: tmp4D28.tmp) (MD5: FCF99858964E59B68B0433B135B499BB)


unpacked_payload.exe (AsyncClientnownow.exe) (MD5: e9d6d1ed7007d55c6a9ec576ff1f0172)


C2 IOCs:


154.12.234[.]207 (wormxwar.ddns[.]net, quasharr.ddns[.]net)


		
		
			




	




	        
 
 Related Posts 
 
						
											
					
 
		

	
	
	
	
		

		
Leave a Comment 
Your email address will not be published. Required fields are marked *