“To a rat, a small hole is like a door.”
Designed to monitor and control compromised systems, AsyncRAT, an open-sourced Remote Access Trojan (RAT) has been utilized extensively by multiple threat actors since its debut on GitHub in January 2019. Its extensive capabilities include keylogging, audio/video recording, info-stealing, password collection, data exfiltration, remote command execution, and more.
In response, AttackIQ has released two specialized attack graphs, offered in our latest Flex packages, aimed at helping organizations evaluate and enhance their security controls against AsyncRAT’s tactics, techniques, and procedures (TTPs).
Disease, Lies, & Malware
Rats – in many interpretations – are notorious for spreading infections through subtle, insidious means. In the literal sense, rats, small and insignificant in appearance, are well-known to carry deadly diseases. Colloquially, calling someone a rat connotes a break in trust, suggesting they’ve spread infectious lies and committed betrayal. In this instance, AsyncRAT’s infection chain begins with a seemingly harmless phishing attack.
OneNote Phishing Through HTML Application (HTA) to Malware Deployment
In March 2023, the Splunk Threat Research Team uncovered a campaign using malicious OneNote (.ONE) attachments to lure victims. These attachments prompted victims to click a pop-up warning, which led to the execution of a malicious HTML Application (HTA) file. This HTA file then downloaded and executed an obfuscated batch (BAT) script, eventually deploying AsyncRAT.
Once AsyncRAT is on the system, it seeks to establish persistence through various means, such as creating a scheduled task or using registry run keys. It also leverages SeDebugPrivilege to gain elevated privileges and checks for virtualized environments using Windows Management Instrumentation (WMI) objects. This attack graph maps out each step from the initial phishing attempt to the deployment of AsyncRAT, allowing organizations to test whether their security controls are effectively catching and mitigating this sophisticated infection chain.
Scenarios included in this Package:
- Execute Local HTA Payload with MSHTA
- Discover Windows Computer System Information via “Get-WMIObject Win32_ComputerSystem” PowerShell Command
- Save 2023-01 AsyncRAT Sample to File System
- Save 2023-01 AsyncRAT Batch Script Sample to File System
- Download 2023-01 AsyncRAT Batch Script Sample to Memory
- Save 2023-01 AsyncRAT HTA File to File System
- Save 2023-01 AsyncRAT OneNote Sample to File System
- Persistence Through Registry Run and RunOnce Keys
- Download 2023-01 AsyncRAT OneNote Sample to Memory
- Save 2023-01 AsyncRAT PS Loader Sample to File System
- Enable SeDebugPrivilege Privilege via Native API
- Persistence Through Scheduled Task
HTML Smuggling Leads to Full Infection via Visual Basic Script (VBS)
The concept of rats spreading infections seamlessly continues with AsyncRAT’s use of HTML Smuggling. In October 2023, eSentire reported an infection chain where AsyncRAT was delivered via phishing emails employing this technique. HTML Smuggling involves hiding malicious code within seemingly benign HTML and JavaScript, tricking web applications into executing it. The attack begins with a malicious PowerShell script that downloads a Visual Basic Script (VBS) file. This VBS file is then executed by a scheduled task, which downloads another PowerShell script responsible for deploying AsyncRAT through process hollowing.
Just as rats can spread infections through a network, AsyncRAT uses a chain of scripts and techniques to propagate and evade detection. Once deployed, AsyncRAT seeks persistence and higher privileges, much like in the first attack graph, emphasizing the need for continuous vigilance and testing. This attack graph simulates how AsyncRAT moves from one stage to another, testing whether your security controls can effectively block each phase of the infection chain.
Scenarios included in this Package:
- Process Hollowing
- Save 2023-09 AsyncRAT PS1 Sample to File System
- Download 2023-09 AsyncRAT PS1 Sample to Memory
- Persistence Through Registry Run and RunOnce Keys
- Save 2023-09 AsyncRAT TXT PS1 Sample to File System
- Download 2023-09 AsyncRAT TXT PS1 Sample to Memory
- Discover Windows Computer System Information via “Get-WMIObject Win32_ComputerSystem” PowerShell Command
- Enable SeDebugPrivilege Privilege via Native API
- Execute Encoded PowerShell Command
- Save 2023-09 AsyncRAT Sample to File System
- Scheduled Task Execution
- Persistence Through Scheduled Task
- VBScript File Execution via “cscript.exe” Script
- Save 2023-09 AsyncRAT Second VBS Sample to File System
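Both chains above share a small set of host-level TTPs: mshta launching an HTA, WMI system discovery, encoded PowerShell, Run/RunOnce keys, scheduled task creation, and a script host launched by the task scheduler. The Python below, an added example that is not AttackIQ's code or part of either attack graph, encodes those as detection rules and runs them over constructed process-creation events; the file paths, task name and the svchost.exe parent for the task-launched script are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record: parent image, new image path, command line."""
    parent: str
    image: str
    cmdline: str


def _img(e, *names):
    return e.image.lower().endswith(names)


# Detection rules keyed to the TTPs shared by both AsyncRAT chains on this page.
RULES = [
    ("HTA execution via mshta", lambda e: _img(e, "mshta.exe")),
    ("WMI system discovery",
     lambda e: re.search(r"get-wmiobject\s+win32_computersystem", e.cmdline, re.I)),
    ("Encoded PowerShell command",
     lambda e: _img(e, "powershell.exe")
     and re.search(r"\s-(e|ec|enc|encodedcommand)\s", e.cmdline, re.I)),
    ("Run/RunOnce key persistence",
     lambda e: re.search(r"currentversion\\run(once)?\b", e.cmdline, re.I)),
    ("Scheduled task creation",
     lambda e: _img(e, "schtasks.exe") and "/create" in e.cmdline.lower()),
    # Assumption: scheduled tasks start under the Task Scheduler service host.
    ("Script host started by Task Scheduler",
     lambda e: _img(e, "cscript.exe", "wscript.exe")
     and e.parent.lower().endswith("svchost.exe")),
]


def detect(events):
    """Return (rule name, command line) for every event that matches a rule."""
    return [(name, ev.cmdline) for ev in events for name, pred in RULES if pred(ev)]


def chain_coverage(events):
    """Distinct stages seen on one host; several at once is the chain signal."""
    return sorted({name for name, _ in detect(events)})


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not from either campaign
    ProcEvent("onenote.exe", r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\u\AppData\Local\Temp\open.hta"),
    ProcEvent("cmd.exe", PS, "powershell.exe -nop -w hidden -enc QQBBAEEA"),
    ProcEvent("powershell.exe", PS, 'powershell -c "Get-WMIObject Win32_ComputerSystem"'),
    ProcEvent("powershell.exe", r"C:\Windows\System32\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /t REG_SZ /d C:\Users\u\AppData\Roaming\upd.vbs"),
    ProcEvent("powershell.exe", r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc minute /mo 1 /tn Upd /tr "wscript C:\Users\u\AppData\Roaming\upd.vbs"'),
    ProcEvent("svchost.exe", r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\Users\u\AppData\Roaming\upd.vbs"),
    ProcEvent("explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Each rule on its own is noisy in a real estate; the useful signal is several of these stages appearing on the same host in a short window, which is what `chain_coverage` surfaces.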
Validate Your Rat Traps with AttackIQ Flex
Included in AttackIQ’s latest Flex packages, these attack graphs play a crucial role in ensuring that your security tools are working properly and trapping these RATs before they trap you. By emulating the behaviors of AsyncRAT, these attack graphs allow organizations to:
- Evaluate Security Controls: Confirm that existing security controls can detect and respond to AsyncRAT’s tactics effectively, identifying and addressing any gaps.
- Assess Security Posture: Understand how well your defenses hold up against one of the most widely used malware families in cybercrime.
- Continuously Validate Pipelines: Regularly test detection and prevention mechanisms to ensure they remain robust against evolving threats.
For a more in-depth look at the tactics, techniques, and procedures deployed within each Flex package, check out our Adversary Research Team (ART)’s recent blog.
