Title: Persistent Threat Actor Delivers AsyncRAT Through Phishing Campaign
What is AsyncRAT?
AsyncRAT is an open-source remote access tool that was released in 2019 and remains available on GitHub. Because it is freely available and versatile, it has become one of the most commonly used RATs. It can be used as a Remote Access Trojan, offering keylogging, data exfiltration, and initial-access staging for delivering final payloads. The RAT has been featured in several campaigns, including its use by the APT Earth Berberoka as reported by Trend Micro.
While the AsyncRAT code itself is constantly changing and obfuscated, the network infrastructure associated with it exhibits certain common characteristics. Most domains linked to AsyncRAT share traits such as a top-level domain (TLD) consisting of eight random alphanumeric characters, registration through ‘Nicenic.net, Inc’ as the registrar, and a South Africa (ZA) country code. These domains are typically created only a few days before they are used, and researchers have also identified a Domain Generation Algorithm (DGA) that automatically generates new domains based on the current date.
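The infrastructure traits listed above can be turned into a triage check that a defender runs over WHOIS data and DNS telemetry. The following is an added example, not code from AT&T Alien Labs or the article: it scores WHOIS-style domain records against those traits (an eight-character alphanumeric label, a random-looking label, the Nicenic.net registrar, the ZA country code, and creation shortly before first use). The record layout, the seven-day "recently created" window, the entropy threshold used to approximate "random", the review threshold, and the sample records are all constructed assumptions; the DGA mentioned in the text is not reproduced, since the page does not describe it.

```python
# Added example (not AT&T Alien Labs or article code): heuristic triage of
# WHOIS-style domain records against the AsyncRAT infrastructure traits
# described in the text. Record layout, thresholds and samples are constructed.
import math
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

EIGHT_ALNUM = re.compile(r"^[a-z0-9]{8}$")
RECENT_DAYS = 7             # assumption: "a few days" before first use
RANDOM_ENTROPY_BITS = 2.75  # assumption: >= 7 distinct chars in an 8-char label
REVIEW_THRESHOLD = 3        # assumption: traits needed to flag for analyst review


@dataclass(frozen=True)
class DomainRecord:
    """Minimal WHOIS-plus-telemetry view of a domain (constructed layout)."""
    domain: str
    registrar: str
    country: str      # registrant country code, e.g. "ZA"
    created: date     # WHOIS creation date
    first_seen: date  # first appearance in our own telemetry


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 3.0 for eight distinct characters."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def eight_char_labels(domain: str) -> list[str]:
    """Every DNS label that is exactly eight alphanumeric characters."""
    return [lbl for lbl in domain.lower().split(".") if EIGHT_ALNUM.match(lbl)]


def matched_traits(rec: DomainRecord) -> list[str]:
    """Names of the infrastructure traits this record exhibits, in fixed order."""
    hits = []
    labels = eight_char_labels(rec.domain)
    if labels:
        hits.append("eight_alnum_label")
        # "random" is approximated by character entropy; dictionary words such
        # as "research" fall below the threshold, random strings sit near 3.0.
        if any(shannon_entropy(lbl) >= RANDOM_ENTROPY_BITS for lbl in labels):
            hits.append("random_looking_label")
    if "nicenic" in rec.registrar.lower():
        hits.append("registrar_nicenic")
    if rec.country.upper() == "ZA":
        hits.append("country_za")
    if 0 <= (rec.first_seen - rec.created).days <= RECENT_DAYS:
        hits.append("created_shortly_before_use")
    return hits


def triage(records) -> list[tuple[str, int, list[str]]]:
    """Return (domain, score, traits) for records reaching REVIEW_THRESHOLD."""
    flagged = []
    for rec in records:
        traits = matched_traits(rec)
        if len(traits) >= REVIEW_THRESHOLD:
            flagged.append((rec.domain, len(traits), traits))
    return flagged


# Constructed sample records; none of these are real indicators.
SAMPLE_RECORDS = [
    DomainRecord("a1b2c3d4.test", "Nicenic.net, Inc", "ZA",
                 date(2023, 8, 1), date(2023, 8, 3)),
    DomainRecord("mail.example.com", "Example Registrar", "US",
                 date(2015, 1, 1), date(2023, 8, 3)),
    DomainRecord("research.example.org", "Public Registrar LLC", "ZA",
                 date(2010, 5, 5), date(2023, 8, 3)),
]

if __name__ == "__main__":
    for domain, score, traits in triage(SAMPLE_RECORDS):
        print(f"{domain}: {score} traits -> {', '.join(traits)}")
```

Only the first constructed record reaches the review threshold; the third shows why the entropy check matters, since "research" is an eight-character alphanumeric label registered under a ZA country code but is not random-looking and is years old. Treat the output as a prioritisation aid for analysts, not as a block decision.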
The ongoing campaign to deliver AsyncRAT demonstrates the determination of the threat actors involved. Their efforts to constantly modify and obfuscate the malware, together with the use of many domain names, show their commitment to remaining undetected. However, AT&T Alien Labs’ research has identified various patterns and characteristics associated with the campaign. Tracking domain registrations and continuously observing AsyncRAT samples will aid ongoing efforts to mitigate this threat.
– AT&T Alien Labs has discovered a persistent campaign delivering AsyncRAT through phishing emails.
– AsyncRAT is an open-source remote access tool that can be leveraged as a Remote Access Trojan.
– The network infrastructure associated with AsyncRAT exhibits specific characteristics, such as domain structures and hosting providers.
– Ongoing research and analysis by AT&T Alien Labs will help in identifying and mitigating this threat.