Full Report
2025-06-05 • Hunt.io • win.asyncrat, win.xworm
Analysis Summary
# Tool/Technique: XWorm and AsyncRAT deployed via Paste.ee
## Overview
This summary covers an operation in which threat actors used the public online notepad service Paste.ee to host and distribute payloads for two distinct remote access trojans (RATs), XWorm and AsyncRAT, and relied on this staging method to establish communication with a global Command and Control (C2) infrastructure.
## Technical Details
- Type: Malware Families (XWorm and AsyncRAT)
- Platform: Windows (Inferred from associated malware)
- Capabilities: Remote Access, Execution, Data Exfiltration (typical for RATs)
- First Seen: Not explicitly stated, but the report is dated 2025-06-05.
## MITRE ATT&CK Mapping
*Note: Specific techniques are inferred from the nature of deploying and using RATs such as XWorm and AsyncRAT and from the reliance on an external service (Paste.ee).*
- [TA0011 - Command and Control]
  - [T1071 - Application Layer Protocol]
    - [T1071.001 - Web Protocols] (likely used for C2 communication after initial infection)
- [TA0005 - Defense Evasion]
  - [T1027 - Obfuscated Files or Information] (using Paste.ee as an intermediary may be part of this)
- [TA0002 - Execution]
  - Techniques for executing the downloaded payload are implied but not specified.
## Functionality
### Core Capabilities
- **Payload Staging:** Utilizing Paste.ee content (likely base64 encoded commands or direct links) to retrieve and execute the malicious payloads (XWorm and AsyncRAT).
- **Remote Access:** Providing threat actors with remote control over compromised systems via the respective RATs.
### Advanced Features
- **Dual RAT Usage:** Employing both XWorm (often associated with banking malware features or general RAT capabilities) and AsyncRAT (a popular, feature-rich RAT) suggests different operational goals or layered persistence mechanisms.
- **Infrastructure Blending:** Abusing legitimate, widely used public services (Paste.ee) for payload hosting to bypass initial network perimeter security checks.
## Indicators of Compromise
*Note: Specific IoCs are not provided in the context, only the method of delivery.*
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided]
- Network Indicators: [Not provided, but C2 traffic from XWorm/AsyncRAT would be expected]
- Behavioral Indicators: [Inbound network connections initiated by the installed RAT malware; network traffic patterns matching known XWorm or AsyncRAT C2 protocols.]
## Associated Threat Actors
- Threat actor identity not specified in the provided description; the analysis is attributed to Hunt.io's research.
## Detection Methods
- **Signature-based detection** of the known XWorm and AsyncRAT binaries.
- **Behavioral detection:** monitoring for newly created scheduled tasks, unexpected outbound connections matching RAT protocols, or suspicious process injection originating from executed payloads.
- **YARA rules** targeting known static strings or structural components of XWorm and AsyncRAT samples.
## Mitigation Strategies
- **Prevention:** restrict execution of downloaded or dynamically retrieved scripts and executables.
- **Hardening:** implement strong egress filtering to monitor or block communication with known C2 infrastructure used by the XWorm and AsyncRAT families, even when the initial staging went through Paste.ee.
- **Monitoring:** watch for abnormal access to external text-sharing sites such as Paste.ee that is followed by execution artifacts on the same host.
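The behavioral detection and monitoring items above can be turned into a simple correlation rule: flag a fetch from a paste service by a process that is not an interactive browser, then raise severity if that same process goes on to spawn a child within a short window. The script below is an added example for this page, not code from Hunt.io's report; the log line format, the browser allowlist, the five-minute window and all sample events are constructed assumptions, and the only host it knows from the report is paste.ee.

```python
"""Correlate paste-service fetches with follow-on process creation.

Added example; constructed event format, not a real telemetry schema.
Each line: "<ISO timestamp> <net|proc> pid=<n> image=<name> [dest=<host>|child=<name>]"
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Text-sharing hosts of interest. paste.ee is the service named in the report;
# extend this set per environment (assumption: exact host or any subdomain).
PASTE_HOSTS = {"paste.ee"}

# Processes expected to reach paste sites interactively (assumed allowlist).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class Event:
    ts: datetime
    kind: str          # "net" (outbound connection) or "proc" (child process created)
    pid: int
    image: str         # image name of the acting process, lower-cased
    dest: str = ""     # destination host, "net" events only
    child: str = ""    # child image name, "proc" events only


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_s, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Event(
        ts=datetime.fromisoformat(ts_s),
        kind=kind,
        pid=int(fields["pid"]),
        image=fields["image"].lower(),
        dest=fields.get("dest", "").lower(),
        child=fields.get("child", "").lower(),
    )


def host_matches(dest: str) -> bool:
    """True if dest is a listed paste host or one of its subdomains."""
    return any(dest == h or dest.endswith("." + h) for h in PASTE_HOSTS)


def detect(lines: List[str], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return one alert per non-browser fetch of a paste host.

    Severity is "high" when the same PID spawns a child process within
    `window` after the fetch (an execution artifact), else "medium".
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    alerts: List[Dict] = []
    for i, ev in enumerate(events):
        if ev.kind != "net" or not host_matches(ev.dest) or ev.image in BROWSERS:
            continue
        children = [
            e.child for e in events[i + 1:]
            if e.kind == "proc" and e.pid == ev.pid and e.ts - ev.ts <= window
        ]
        alerts.append({
            "pid": ev.pid,
            "image": ev.image,
            "dest": ev.dest,
            "severity": "high" if children else "medium",
            "children": children,
        })
    return alerts


# Constructed sample telemetry: one benign browser visit, one script host that
# fetches a paste and immediately spawns a binary, one unexplained fetch with
# no follow-on execution, and one unrelated connection.
SAMPLE_LOG = [
    "2025-06-05T10:00:01 net pid=4120 image=chrome.exe dest=paste.ee",
    "2025-06-05T10:02:10 net pid=5532 image=wscript.exe dest=paste.ee",
    "2025-06-05T10:02:12 proc pid=5532 image=wscript.exe child=dropped_payload.exe",
    "2025-06-05T10:09:00 net pid=6001 image=updater.exe dest=paste.ee",
    "2025-06-05T10:10:00 net pid=7002 image=chrome.exe dest=example.com",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block on the sample events yields two alerts: a high-severity one for PID 5532 (fetch followed by `dropped_payload.exe`) and a medium-severity one for PID 6001; the browser visit is suppressed by the allowlist. In production the allowlist and window should be tuned to the environment, and the same rule can be fed from proxy logs joined to process-creation telemetry.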
## Related Tools/Techniques
- **Malware:** XWorm, AsyncRAT
- **Techniques:** Living off the Land (LotL) techniques for downloading and executing code; use of legitimate web services for C2 and payload hosting.