LevelBlue’s evaluation additionally uncovered AsyncRAT’s encrypted configuration file, secured with AES-256, which contained directions to attach again to a DuckDNS-based command and management (C2) server. The C2 communication used customized packet codecs over TCP, a way usually used for flexibility and evasion.
AsyncRAT grants operators entry to highly effective options: keystroke logging, browser credential theft, clipboard monitoring, and system surveillance. LevelBlue revealed a listing of indicators of compromise (IoC) for defenders so as to add to their scanners. Further basic greatest practices might embody blocking malicious domains, attempting to find PowerShell one-liners and in-memory .NET reflective hundreds, monitoring for AMSI/ETW tampering, and suspicious scheduled job creation.
Risk actors are more and more leaning towards fileless intrusions, drawn by their quiet execution and dependable outcomes. Earlier this yr, attackers have been caught utilizing an identical approach, phishing a malicious VBScript that in the end delivered the favored Remcos RAT in-memory on sufferer machines.
