Wednesday, April 30, 2025
HomeCyber Security NewsAsyncRAT Malware Attacking the US Infrastructure for 11 Months

AsyncRAT Malware Attacking the US Infrastructure for 11 Months

Published on

SIEM as a Service

Follow Us on Google News

AsyncRAT is an open-source remote access Trojan (RAT) malware known for its ability to provide unauthorized access and control over infected systems. It was released in 2019. 

Hackers use it actively for various malicious purposes, including:-

  • Data theft
  • System manipulation
  • Surveillance
  • Cyber espionage
  • Keylogging
  • Exfiltration techniques
  • Initial access staging for final payload delivery

Cybersecurity researchers at AT&T recently discovered that AsyncRAT malware has been actively attacking the US infrastructure for 11 months.

- Advertisement - Google News

AsyncRAT Malware

APT Earth Berberoka has used this RAT, and recently, AT&T Alien Labs noted a phishing spike in September targeting individuals with gif attachments leading to:-

  • SVG file
  • Obfuscated JavaScript
  • PowerShell scripts
  • AsyncRAT execution
Number of samples observed (Source - AT&T)
Number of samples observed (Source – AT&T)

The loader’s stages are obfuscated by the C&C server that checks the victim for sandbox before deploying the AsyncRAT payload. C&C redirects to a harmless page when parameters are not met. 

JavaScript files delivered via phishing with obfuscated strings like:-

  • Melville
  • church
  • chapter
  • Scottish

Meanwhile, the loader versions vary for each victim with randomized variable names, constants, and URL representation. After the GET request, C&C sends base64 script XOR’ed against a hardcoded key, unpacked with Gunzip, and executed flawlessly in PowerShell.

Execution flow (Source - AT&T)
Execution flow (Source – AT&T)

The C&C values like 1b (VM False) are correct, while 2c (VMWare) and other wrong answers have higher values. C&C may have a table of valid responses or a value range that helps in avoiding brute force.

Anti-sandboxing technique evades popular sandboxes. Invalid answer redirects to Google or returns a new script reaching out to payload in temp[.]sh with $url variable. 

However, besides this, the temp[.]sh link is consistent across samples and time, which helps in hosting the files for three days with new randomized URL paths.

The code dynamically changes and is heavily obfuscated for detection evasion, but network infrastructure remains consistent. 

The samples use a variety of domains that are frequently updated, and among them, the common domains include:-

  • sduyvzep[.]top
  • orivzije[.]top
  • zpeifujz[.]top

Here below, we have mentioned all the characteristics that are followed by the domain structure:-

  • Top Level Domain (TLD): top
  • 8 random alphanumeric characters
  • Registrant organization: ‘Nicenic.net, Inc’ (the registrar)
  • Country code South Africa (ZA)
  • Created a few days before its use

The Domain Generation Algorithm (DGA) calculates a unique domain every seven days and on every Sunday, it generates a new one. 

The seed, which is derived from the day of the year, undergoes modifications for variation that includes changes to other variables and characters in the scripts. 

This strategy helps threat actors avoid detection and blocking by automatically changing the C&C domain over time.

IOCs

IoCs (Source - AT&T)
IoCs (Source – AT&T)
Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

AWS Defaults Open Stealthy Attack Paths Enabling Privilege Escalation and Account Compromise

A recent investigation by security researchers has exposed critical vulnerabilities in the default IAM...

China-Linked Hackers Targeting Organizational Infrastructure and High-Value Clients

A leading U.S.-based cybersecurity firm, sophisticated cyber-espionage campaigns attributed to Chinese state-sponsored actors have...

Docker Registry Vulnerability Lets macOS Users Access Any Registry Without Authorization

A recently discovered vulnerability in Docker Desktop for macOS is raising concerns in the developer and...

PowerDNS DNSdist Vulnerability Let Attackers Trigger Denial-of-Service

PowerDNS has issued an urgent security advisory for its DNSdist software, warning users of...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

AWS Defaults Open Stealthy Attack Paths Enabling Privilege Escalation and Account Compromise

A recent investigation by security researchers has exposed critical vulnerabilities in the default IAM...

China-Linked Hackers Targeting Organizational Infrastructure and High-Value Clients

A leading U.S.-based cybersecurity firm, sophisticated cyber-espionage campaigns attributed to Chinese state-sponsored actors have...

Docker Registry Vulnerability Lets macOS Users Access Any Registry Without Authorization

A recently discovered vulnerability in Docker Desktop for macOS is raising concerns in the developer and...