TAU-TIN - AsyncRAT

By VMware Community Member posted Nov 15, 2019 06:55 AM


Threat Analysis Unit - Threat Intelligence Notification

Title: TAU-TIN - AsyncRAT
Source: "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"


Summary

AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure, encrypted connection. It is an open-source remote administration tool, but it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that can harm the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. Figure 1 shows part of a screenshot of the AsyncRAT panel menu.

[Figure 1: AsyncRAT Panel Menu (image as1.png not reproduced)]

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against AsyncRAT.

Behavioral Summary

Depending on the configuration the attacker sets in the AsyncRAT panel, the features it provides can be used to perform malicious activities such as stealing sensitive data, disabling security software, installing additional malicious payloads on the victim's computer, and many more harmful actions.

The features include the following (referenced from the project's GitHub page listed as the source above):

  • Client screen viewer & recorder
  • Client Antivirus & Integrity manager
  • Client SFTP access including upload & download
  • Client & Server chat window
  • Client Dynamic DNS & Multi-Server support (Configurable)
  • Client Password Recovery
  • Client JIT compiler
  • Client Keylogger
  • Client Anti Analysis (Configurable)
  • Server Controlled updates
  • Client Antimalware Start-up
  • Server Config Editor
  • Server multiport receiver (Configurable)
  • Server thumbnails
  • Server binary builder (Configurable)
  • Server obfuscator (Configurable)
  • And much more!

[Figure 2: Depending on the configuration, AsyncRAT can perform many harmful activities such as disabling Windows Defender (process chart from CB Response; image as2.png not reproduced)]

In addition, CB Defense displays the TTPs the malware triggered overall.

[Figures 3 and 4: CB Defense triggered-TTP views for AsyncRAT (images as3.png and as4.png not reproduced)]

Customer Protection

Cb Defense

The recommended policy for CB Defense at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from Carbon Black Cloud reputation service.

The following enforcement rules will also detect and terminate activity related to this malware family. It is recommended that customers test these rules prior to deploying them enterprise-wide.

PROCESS                          OPERATION ATTEMPT               ACTION
Not listed application           Communicates over the network   Deny Operation
Unknown application or process   Communicates over the network   Deny Operation

As always, our best practice recommendation is to deploy this rule to a small subset of sensors, assess, then define permissions to reduce any false positives. After confirming no false positives in your environment, deploy across additional groups.

The following CB Defense alert query can be used to search for events associated with this malware.

UNKNOWN_APP AND RUN_CMD_SHELL AND ENUMERATE_PROCESSES

The Carbon Black Cloud Threat feeds will detect the known hashes for this malware. Customers can also blacklist known SHA256 hashes, the most prominent of which are located in the IOC section of this report.


Cb Protection

The most effective way of blocking this malware is by running CB Protection in High or Medium enforcement.

Implementation: Customers with CB Protection in High or Medium enforcement are protected.

Customer Action: Ban the known hashes from the IOC section in your environment.

Cb Response/Cb Threat Hunter

The Carbon Black Cloud Threat Feeds will detect the known hashes for this malware. Customers can blacklist known hashes as well, which are located in the IOC section of this report.

Many existing queries that are located in the MITRE ATT&CK, SANS, CB Endpoint Visibility, and CB Advanced Threat feeds will also alert on characteristics associated with this family.

In CB Response and CB Threat Hunter, this malicious attack can be detected by creating a watchlist for:

Product: CB Response
Query:   digsig_result:Unsigned netconn_count:[1 TO *] childproc_count:[50 TO *] regmod:"\windows defender\disableantispyware"

Product: CB Threat Hunter
Query:   process_publisher_state:FILESIGNATURE_STATE_NOT_SIGNED AND netconn_count:[1 TO *] AND childproc_count:[50 TO *] AND regmod_name:"\windows defender\disableantispyware"
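The three queries in this report (the CB Defense alert query above and the two watchlist queries just listed) all express the same kind of conjunction: an unsigned or unknown process that talks to the network, spawns many children, and flips the Windows Defender DisableAntiSpyware value. The following is an added example, not Carbon Black code, of a minimal evaluator for exactly that query subset (field:token, field:"phrase", field:[N TO *] ranges, bare TTP tokens and AND). It runs the report's queries verbatim over a few constructed process records so you can see which records would become watchlist hits and why the others do not. The record schema, the process names, the "ttps" field standing in for CB Defense alert tags, and the field/value alias tables that map CB Threat Hunter names onto CB Response names are all assumptions made for the example.

```python
"""Minimal evaluator for the Carbon Black-style query subset used in this report.

Added example, not Carbon Black code. Supports field:token, field:"quoted phrase",
field:[N TO *] numeric ranges, bare TTP tokens (CB Defense alert style) and AND
conjunction. OR, NOT and grouping are deliberately not handled.
"""
import re

# One term: optional "field:" prefix, then a quoted phrase, a numeric range, or a bare token.
TERM_RE = re.compile(r'(?:(\w+):)?(?:"([^"]*)"|\[(\d+)\s+TO\s+(\*|\d+)\]|(\S+))')

# Assumed aliases: CB Threat Hunter names the same facts differently from CB Response,
# so one record schema (constructed here in CB Response naming) can serve both queries.
FIELD_ALIASES = {"process_publisher_state": "digsig_result", "regmod_name": "regmod"}
VALUE_ALIASES = {"filesignature_state_not_signed": "unsigned"}

# The three queries from the report, verbatim.
CB_RESPONSE_QUERY = (r'digsig_result:Unsigned netconn_count:[1 TO *] childproc_count:[50 TO *] '
                     r'regmod:"\windows defender\disableantispyware"')
CB_THREAT_HUNTER_QUERY = (r'process_publisher_state:FILESIGNATURE_STATE_NOT_SIGNED AND '
                          r'netconn_count:[1 TO *] AND childproc_count:[50 TO *] AND '
                          r'regmod_name:"\windows defender\disableantispyware"')
CB_DEFENSE_QUERY = "UNKNOWN_APP AND RUN_CMD_SHELL AND ENUMERATE_PROCESSES"

# Constructed telemetry (not real sensor output). Field names follow CB Response;
# "ttps" stands in for the TTP tags a CB Defense alert would carry.
DEFENDER_KEY = r"\registry\machine\software\policies\microsoft\windows defender\disableantispyware"
SAMPLE_PROCESSES = [
    # Unsigned, networked, many children, touches the Defender key: the RAT-like profile.
    {"process_name": "client.exe", "digsig_result": "Unsigned", "netconn_count": 4,
     "childproc_count": 57, "regmod": [DEFENDER_KEY],
     "ttps": ["UNKNOWN_APP", "RUN_CMD_SHELL", "ENUMERATE_PROCESSES", "NETWORK_ACCESS"]},
    # Signed vendor installer that also toggles Defender: excluded by the signature clause.
    {"process_name": "vendor_setup.exe", "digsig_result": "Signed", "netconn_count": 2,
     "childproc_count": 80, "regmod": [DEFENDER_KEY], "ttps": ["RUN_CMD_SHELL"]},
    # Unsigned build agent with many children but no network and no Defender change.
    {"process_name": "build_agent.exe", "digsig_result": "Unsigned", "netconn_count": 0,
     "childproc_count": 120, "regmod": [r"\registry\machine\software\example\buildcache"],
     "ttps": ["UNKNOWN_APP", "ENUMERATE_PROCESSES"]},
]


def parse_query(query):
    """Turn a query string into a list of (field, matcher) terms joined by implicit AND."""
    terms = []
    for field, phrase, lo, hi, token in TERM_RE.findall(query):
        field = field or None
        if lo:
            terms.append((field, ("range", int(lo), None if hi == "*" else int(hi))))
            continue
        value = phrase if phrase else token
        if field is None and value.upper() == "AND":
            continue  # explicit conjunction keyword; AND is the only operator supported
        terms.append((field, ("term", value.lower())))
    return terms


def matches(record, terms):
    """Return True when every term holds for the record (AND semantics)."""
    for field, matcher in terms:
        if field is None:
            # Bare token: CB Defense style TTP tag membership.
            tags = {t.upper() for t in record.get("ttps", [])}
            if matcher[1].upper() not in tags:
                return False
            continue
        value = record.get(FIELD_ALIASES.get(field, field))
        if value is None:
            return False
        if matcher[0] == "range":
            _, lo, hi = matcher
            if not isinstance(value, (int, float)) or value < lo or (hi is not None and value > hi):
                return False
        else:
            wanted = VALUE_ALIASES.get(matcher[1], matcher[1])
            if isinstance(value, list):
                # Path-like multi-valued fields (regmod): the phrase must appear inside some value.
                if not any(wanted in str(v).lower() for v in value):
                    return False
            elif str(value).lower() != wanted:
                return False
    return True


def run_query(query, records):
    """Process names of the records the query would surface as hits."""
    terms = parse_query(query)
    return [r["process_name"] for r in records if matches(r, terms)]


if __name__ == "__main__":
    for label, query in (("CB Response", CB_RESPONSE_QUERY),
                         ("CB Threat Hunter", CB_THREAT_HUNTER_QUERY),
                         ("CB Defense", CB_DEFENSE_QUERY)):
        print(f"{label}: {run_query(query, SAMPLE_PROCESSES)}")
```

Only client.exe is surfaced by all three queries: the signed installer is dropped by the signature clause even though it modifies the same Defender value, and the build agent is dropped by the netconn_count range. That is the tuning the report asks for: each clause removes a class of benign process, so when piloting the watchlist, look at which clause a suspected false positive fails rather than loosening the whole query.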

Implementation: As always, our best practice recommendation is to tune for any false positives before creating new watchlists.

Customer Action: Test and Deploy Watchlist and blacklist known hash values. For any hits, investigate the file modifications, network connections, cross process injection(s) and child processes.


Remediation:

MITRE ATT&CK TIDs

TID    Tactic                                 Description
T1005  Collection                             Data from Local System
T1123  Collection                             Audio Capture
T1125  Collection                             Video Capture
T1082  Discovery                              System Information Discovery
T1083  Discovery                              File and Directory Discovery
T1087  Discovery                              Account Discovery
T1063  Discovery                              Security Software Discovery
T1107  Defense Evasion                        File Deletion
T1105  Command and Control, Lateral Movement  Remote File Copy
T1043  Command and Control                    Commonly Used Ports
T1132  Command and Control                    Data Encoding
T1002  Exfiltration                           Data Compressed

Indicators of Compromise (IOCs)

Indicator                                                          Type    Context
cb5d8d1841cea541cadb4f20a99706325d84b1eb94d18cc254d14600960d5ee2   SHA256  AsyncRAT
7088fe608444abff9268cc3af57f69e6                                   MD5     AsyncRAT

About TAU-TIN

For more information about TAU-TIN or to receive future notifications, follow the instructions in our About TAU-TIN post.
