AsyncRAT Campaign Exploits Microsoft Processes
Threat analysts from Trend Micro's Managed XDR (MxDR) team have uncovered new attack behaviors from AsyncRAT, a remote access tool known for its keylogging and remote desktop control capabilities. The team identified a method in which attackers hijack aspnet_compiler.exe, a legitimate Microsoft binary used to precompile ASP.NET web applications, as the host process for the AsyncRAT payload. The tactic extends the adversary's technique set and signals an evolution in how the payload is deployed. Trend Micro's analysts stress that AsyncRAT infections remain relevant because its operators consistently adapt and employ "different techniques." That relevance is also visible on the malware analysis platform Any.Run, where a steady stream of submissions has kept the commodity malware in the platform's top ten "weekly malware trends over the past few months."
The infection chain is layered and fast: Trend Micro observed under six minutes from the initial download of a password-protected ZIP file to injection into aspnet_compiler.exe and the start of C2 activity. The attack begins with the download and extraction of the ZIP file, which contains a series of malicious scripts (.wsf, .vbs, and PowerShell) that run in sequence after extraction; Trend Micro describes this layered script execution "as a means of evading detection." The scripts not only deploy AsyncRAT but also establish persistence via scheduled tasks. The most notable aspect of the chain is process injection into aspnet_compiler.exe, which lets the payload execute under the name of a trusted Microsoft binary rather than a dropped executable. This is part of a broader trend Trend Micro has observed, in which attackers combine multiple scripts and dynamic DNS services to evade detection and keep their infrastructure reachable.
Trend Micro's investigation offers useful input for detection engineers. The campaign underscores the need to monitor for unusual script activity, process injection into unexpected host processes, and unexpected network connections, since these behaviors are the key indicators of an infection. The RAT's ability to dynamically select hosts and ports for its C2 infrastructure adds to its resilience and adaptability. AsyncRAT also gathers data from infected machines, including usernames, system information, installed antivirus products, and cryptocurrency wallet details, and exfiltrates it to the attacker-controlled server.
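To make those indicators concrete, the following Python pass is an added example written for this page, not code from Trend Micro or the AsyncRAT project. It runs a handful of rules over constructed process-creation and network events that mimic the chain described in the two paragraphs above (a script host spawning PowerShell, a scheduled task created from a script, aspnet_compiler.exe launched by a non-build parent with no arguments, and the compiler process reaching a dynamic DNS host), then measures how tightly the hits cluster in time. The event schema, the allowlist of legitimate compiler parents, the dynamic DNS suffix list, and all sample events are assumptions for the example; a benign MSBuild-driven precompile is included to show the allowlist keeping a real build quiet.

```python
"""Rule-based detection pass over constructed endpoint telemetry for the
AsyncRAT chain described above. This is an added example, not Trend Micro's
detection logic; the event schema, allowlists and sample data are assumptions."""
from datetime import datetime

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: parents that legitimately launch aspnet_compiler.exe on a build
# host. Tune this allowlist to your own fleet.
LEGIT_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe"}
# Illustrative dynamic DNS suffixes (assumption; not an exhaustive list).
DDNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org", ".hopto.org")


def _base(path):
    """Lower-cased file name of a Windows path or command line."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _proc(ts, pid, image, parent, cmdline):
    return {"type": "process", "ts": ts, "pid": pid, "image": image,
            "parent_image": parent, "cmdline": cmdline}


def _net(ts, pid, dest, port):
    return {"type": "network", "ts": ts, "pid": pid, "dest": dest, "port": port}


WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
COMPILER = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# Constructed sample telemetry (not real IOCs): a malicious chain followed by a
# benign developer build that must not alert.
SAMPLE_EVENTS = [
    _proc("2024-01-01T10:00:30", 4200, WSCRIPT, r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Users\u\Downloads\invoice\stage1.wsf"'),
    _proc("2024-01-01T10:00:45", 4300, PS, WSCRIPT,
          "powershell.exe -w hidden -ep bypass -f stage2.ps1"),
    _proc("2024-01-01T10:01:10", 4400, r"C:\Windows\System32\schtasks.exe", PS,
          r'schtasks.exe /create /sc minute /mo 2 /tn "Updater" /tr "wscript.exe C:\ProgramData\u.vbs"'),
    _proc("2024-01-01T10:03:00", 4500, COMPILER, PS, COMPILER),
    _net("2024-01-01T10:04:30", 4500, "update-srv.duckdns.org", 8080),
    _proc("2024-01-01T11:00:00", 5100, COMPILER, r"C:\Program Files\MSBuild\MSBuild.exe",
          r"aspnet_compiler.exe -v /site -p C:\src\site -f C:\out"),
]


def detect(events):
    """Return a list of findings {rule, pid, ts, detail} for suspicious events."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def hit(rule, e, detail):
        findings.append({"rule": rule, "pid": e["pid"], "ts": e["ts"], "detail": detail})

    for e in events:
        if e["type"] == "process":
            img, parent = _base(e["image"]), _base(e["parent_image"])
            cmd = e["cmdline"].lower()
            # Layered script execution: wscript/cscript handing off to a shell.
            if parent in SCRIPT_HOSTS and img in SHELLS:
                hit("script_host_spawns_shell", e, f"{parent} -> {img}")
            # Persistence: scheduled task created from a script or shell.
            if img == "schtasks.exe" and "/create" in cmd and parent in SCRIPT_HOSTS | SHELLS:
                hit("scheduled_task_from_script", e, cmd)
            # Injection target: compiler launched by a non-build parent or
            # with no arguments (a real precompile always takes arguments).
            if img == "aspnet_compiler.exe":
                if parent not in LEGIT_COMPILER_PARENTS:
                    hit("aspnet_compiler_unusual_parent", e, parent)
                if _base(cmd) == "aspnet_compiler.exe":
                    hit("aspnet_compiler_no_args", e, cmd)
        elif e["type"] == "network":
            owner = procs.get(e["pid"])
            img = _base(owner["image"]) if owner else ""
            dest = e["dest"].lower()
            # A compiler has no business talking to the network.
            if img == "aspnet_compiler.exe":
                hit("aspnet_compiler_outbound", e, f"{dest}:{e['port']}")
            if dest.endswith(DDNS_SUFFIXES):
                hit("dynamic_dns_destination", e, dest)
    return findings


def chain_elapsed_seconds(findings):
    """Seconds between the earliest and latest finding. The observed chain ran
    in under six minutes, so a tight cluster of these rules is itself a signal."""
    if not findings:
        return None
    stamps = [datetime.fromisoformat(f["ts"]) for f in findings]
    return (max(stamps) - min(stamps)).total_seconds()


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} pid={f['pid']} {f['rule']}: {f['detail']}")
    print("chain window:", chain_elapsed_seconds(found), "seconds")
```

Each rule on its own is noisy in a development environment (PowerShell does get launched from scripts, and build hosts do run aspnet_compiler.exe), which is why the window calculation matters: several of these hits on one host inside a few minutes, ending with the compiler process opening a connection to a dynamic DNS name, is the pattern worth paging on. Swap the constructed events for your EDR's process and network telemetry and extend the parent allowlist to match how your build pipelines actually invoke the compiler.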