Full Report
ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants
Analysis Summary
# Tool/Technique: AsyncRAT and Forks (DcRat, VenomRAT, JasonRAT, XieBroRAT, NonEuclid RAT)
## Overview
AsyncRAT (Asynchronous Remote Access Trojan) is an open-source Remote Access Trojan (RAT) written in C#, known for its modular plugin architecture and for spawning numerous forks. Those forks typically inherit or extend the core RAT capabilities (keylogging, screen capture, credential theft), which makes AsyncRAT a significant and adaptable threat.
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows (Inferred from C# development and functionalities like AMSI patching)
- Capabilities: Keylogging, screen capturing, credential theft, remote access, modular/plugin architecture. Forks introduce capabilities like crypters, ransomware, Discord token theft, webcam/microphone access, and evasion techniques.
- First Seen: 2019 (Original AsyncRAT)
## MITRE ATT&CK Mapping
The following mappings are derived from the documented capabilities of AsyncRAT and its major forks (DcRat, JasonRAT, NonEuclid RAT):
- [T1562 - Impair Defenses]
  - [T1562.001 - Disable or Modify Tools] (e.g., DcRat terminates Taskmgr.exe, MsMpEng.exe)
  - [T1562.004 - Disable or Modify System Firewall] (DcRat leverages AMSI and ETW bypasses)
- [T1027 - Obfuscated Files or Information]
  - [T1027.013 - Encrypted/Encoded File] (JasonRAT uses modified Morse code and obscure variable names)
- [T1539 - Steal Web Session Cookie] (DcRat steals Discord tokens)
- [T1555.003 - Credentials from Password Stores: Credentials from Web Browsers] (XieBroRAT uses a plugin to collect browser credentials)
- [T1110.003 - Brute Force: Password Spraying] (NonEuclid uses a plugin to brute force SSH/FTP credentials)
- [T1614.001 - System Location Discovery: System Language Discovery] (NonEuclid collects geolocation data)
- [T1123 - Audio Capture] (DcRat has microphone access plugin)
- [T1125 - Video Capture] (DcRat has webcam access plugin)
- [T1115 - Clipboard Data] (NonEuclid monitors and replaces cryptocurrency wallet addresses)
- [T1486 - Data Encrypted for Impact] (DcRat features a ransomware plugin using AES-256)
## Functionality
### Core Capabilities
* **Remote Control:** Provides asynchronous remote access capabilities typical of a RAT.
* **Information Gathering:** Includes keylogging and screen capturing abilities.
* **Credential Harvesting:** Designed to steal sensitive user information.
* **Evolutionary Base:** The open-source nature allows for easy modification and the creation of numerous forks.
* **Historical Link:** Shares cryptographic similarity (identical `Aes256` implementation) with the older Quasar RAT, suggesting influence.
### Advanced Features (Specific to Forks)
* **DcRat:**
  * Uses MessagePack for efficient binary data serialization.
  * Implements AMSI and ETW patching to bypass security logging/scanning.
  * Features an anti-process system to terminate security/debugging tools (e.g., Taskmgr.exe, ProcessHacker.exe, MsMpEng.exe).
  * Plugin-based expansion including webcam/microphone access, Discord token theft, and a ransomware module using AES-256.
* **NonEuclid RAT:** Utilizes plugins for geolocation discovery, SSH/FTP brute-forcing, and clipboard monitoring for crypto wallet replacement.
* **JasonRAT:** Employs obfuscation techniques like modified Morse code for its implementation.
## Indicators of Compromise
*Note: Specific forensic artifacts like hashes, C2s, and file paths are generally unique to specific campaigns leveraging AsyncRAT forks and are not provided in the context. The following are general behavioral indicators.*
- File Hashes: Two samples are referenced in the context by hash (40-character, SHA-1 format): `3E6CD9D07B8ECE706697F332AC9F32DE5ECAF086`, `FF4592A8BCB58F5CF6BD70B882E886EC6906EECD`. Campaign-specific IOCs must be extracted from the full campaign reports associated with the relevant samples.
- File Names: `tempClient.exe`, `Servant.exe` (examples from the context).
- Registry Keys: [Not specified in context]
- Network Indicators: Outbound C2 connections, which the RAT requires for its asynchronous command channel; no specific C2 addresses are given in the context (defanged placeholder: `c2[.]example[.]com`).
- Behavioral Indicators: Termination of security processes (MsMpEng.exe), excessive network connections post-initial execution, modification of registry keys related to persistence (common RAT behavior), AMSI or ETW patches observed in memory or module loading activity.
## Associated Threat Actors
Because AsyncRAT is open source, its user base is broad; the context indicates widespread use across cybercriminal campaigns but does not name specific actors behind the documented forks.
## Detection Methods
- Signature-based detection: Signatures targeting known file hashes or specific strings/structures of the obfuscated binaries.
- Behavioral detection: Monitoring for attempts to disable security mechanisms such as AMSI or ETW (for example, in-memory patches of their functions). Detecting dynamic assembly loading/reflection common in C# malware. Monitoring for termination of legitimate security tools (Taskmgr, MsMpEng) by unexpected processes.
- YARA rules: Rules targeting unique constants, cryptographic class structures (`Client.Algorithm.Aes256`), or specific string indicators found in the derivative variants.
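The anti-process behaviour listed above (a single process requesting terminate rights on several security tools in quick succession) is one of the more reliable behavioural signals for this family. The following is an added example, not part of the ESET report or any AsyncRAT fork's code: it runs simple detection logic over constructed process-access event lines whose fields are modelled loosely on a process-access audit event (source image, target image, granted access mask). The log format, paths, timestamps and the `min_targets` threshold are assumptions made for this example, not a verbatim Sysmon or EDR schema.

```python
"""Added example: flag processes that request PROCESS_TERMINATE on several
security/analysis tools (the DcRat-style "anti-process" behaviour).

The key=value event format below is constructed for this example; it is
not a verbatim Sysmon or EDR schema.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Tools named in the report as targets of the anti-process logic.
# Matching is done on the lower-cased file name, independent of path.
PROTECTED_TOOLS = {"taskmgr.exe", "processhacker.exe", "msmpeng.exe"}

PROCESS_TERMINATE = 0x0001  # Win32 access right bit required to kill a process

# Hypothetical path of the suspect process used in the constructed sample.
SUSPECT = r"C:\Users\u\AppData\Roaming\tempClient.exe"

# Constructed sample events (not real telemetry). Values containing spaces
# are double-quoted; every other value runs to the next whitespace.
SAMPLE_EVENTS: List[str] = [
    r'ts=2024-01-01T10:00:01Z source=C:\Windows\explorer.exe target=C:\Windows\System32\Taskmgr.exe access=0x1000',
    r'ts=2024-01-01T10:00:05Z source=C:\Users\u\AppData\Roaming\tempClient.exe target=C:\Windows\System32\Taskmgr.exe access=0x1',
    r'ts=2024-01-01T10:00:05Z source=C:\Users\u\AppData\Roaming\tempClient.exe target="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe" access=0x1fffff',
    r'ts=2024-01-01T10:00:06Z source=C:\Users\u\AppData\Roaming\tempClient.exe target=C:\Tools\ProcessHacker.exe access=0x1401',
    r'ts=2024-01-01T10:00:09Z source=C:\Windows\System32\svchost.exe target="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe" access=0x1000',
    r'ts=2024-01-01T10:00:12Z source=C:\Windows\System32\notepad.exe target="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe" access=0x1',
]

# key=value with optional double-quoted value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a field dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_kill_attempt(event: Dict[str, str]) -> bool:
    """True if the event requests terminate rights on a protected tool."""
    try:
        access = int(event.get("access", "0"), 16)
    except ValueError:
        return False  # malformed mask: do not guess
    return basename(event.get("target", "")) in PROTECTED_TOOLS and bool(access & PROCESS_TERMINATE)


def find_anti_process_activity(lines: List[str], min_targets: int = 2) -> Dict[str, List[str]]:
    """Map source image -> sorted list of protected tools it tried to terminate,
    keeping only sources that hit at least `min_targets` distinct tools.
    The threshold suppresses one-off benign or administrative kills."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if is_kill_attempt(event):
            hits[event["source"]].add(basename(event["target"]))
    return {src: sorted(tools) for src, tools in hits.items() if len(tools) >= min_targets}


if __name__ == "__main__":
    for source, tools in find_anti_process_activity(SAMPLE_EVENTS).items():
        print(f"ALERT anti-process behaviour: {source} -> {', '.join(tools)}")
```

Only `tempClient.exe` is reported with the default threshold: `explorer.exe` and `svchost.exe` open the tools with query rights only, and `notepad.exe` touches a single tool, which stays below `min_targets`. Lowering `min_targets` to 1 surfaces that single hit as well, at the cost of more noise; in practice the threshold and the tool list would be tuned to the environment's telemetry.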
## Mitigation Strategies
- Prevention measures: Employ Application Allowlisting to restrict execution of unauthorized binaries. Use robust Endpoint Detection and Response (EDR) solutions with strong behavioral monitoring capabilities.
- Hardening recommendations: Enforce robust access controls. Keep host operating systems and security software updated to counter known bypasses (such as specific ETW patching mechanisms). Train users to recognize phishing, which often initiates RAT deployment.
## Related Tools/Techniques
* **Quasar RAT:** Influenced the development of AsyncRAT, sharing similar cryptographic implementation patterns.
* **Other Open-Source RATs/Backdoors:** Similar tools leveraging modularity and open-source distribution models.