AsyncRAT Injector - Malware Analysis Lab

27 minute read

Technical Analysis of an AsyncRAT downloader, reflective loader, injector, and perfoming AES decryption using CyberChef

Overview (AI generated from video):

Summary

A new malware has been shared on Malware Bazaar, received from B3 ac22 D9 f8 ATB box Pro through SendGrid. The malware is hidden in an ISO file and uses various obfuscation techniques to bypass security products.

Timestamps

0:40 ⏱️ The malware is shared on Malware Bazaar, received from B3 ac22 D9 f8 ATB box Pro through SendGrid.
2:10 ⏱️ ISO files are commonly used to hide malware and bypass security products.
7:25 ⏱️ The malware uses obfuscation techniques to hide its malicious contents.
12:35 ⏱️ The malware leverages an infected WordPress website to serve as its payload source.
18:50 ⏱️ The malware employs AES decryption and encryption schemes to hide and protect its payload.
21:45 ⏱️ The malware is identified as AsyncRAT, a freely available remote access trojan.
23:10 ⏱️ The malware uses various techniques to achieve persistence and execute its malicious activities.

Key Insights

💡 The use of ISO files as a delivery mechanism for malware highlights the importance of thorough file analysis and the need for strong security measures to detect and prevent such threats.
💡 The malware’s obfuscation techniques demonstrate the lengths that attackers go to in order to evade detection and make analysis more difficult for security researchers.
💡 The compromise of a legitimate website to serve as a payload source highlights the need for website owners to prioritize security and regularly update and patch their systems.
💡 The AES encryption and decryption schemes used by the malware indicate the use of strong encryption algorithms to protect its payload and communication, making it harder to detect and analyze.
💡 The identification of the malware as AsyncRAT emphasizes the prevalence of freely available remote access trojans and the need for proactive measures to detect and mitigate their impact.
💡 The malware’s persistence mechanisms and ability to execute its activities demonstrate the sophistication and complexity of modern malware, requiring comprehensive security solutions to effectively detect and respond to such threats.
💡 The analysis process showcased the use of tools like CyberChef and the importance of manual analysis and understanding of encryption schemes to uncover the malware’s capabilities and behavior.

Transcript (AI generated from video):

00:00:00	let's take a look at some new malware that's been shared by cocoman on malware Bazaar so it has been received from this B3 ac22 D9 f8 ATB box Pro now this has been relayed through send grid and it has an attachment that is an invoice so we've got invoice Bill and it is an ISO file now if we take a look at the TR ID associated with this we can see that it's picked up that 88.7% of this file is likely just null bytes so isn't actually a part of the file itself now I've got it downloaded and if we open it
00:00:32	up in a hexadecimal editor we can actually see that the vast majority of these bytes are null bytes just to kind of blow out the size of the file I guess if you've been around for a while you know that there used to be something known as floppy discs and shortly after that came something known as Optical discs now these Optical discs that's essentially what an ISO file is it's the file that can be burnt to something like an optical disc and it's the representation the standardized format associated with that on later versions
00:00:59	of windows one of the features that Windows enabled was that you can mount ISO files natively by double clicking on them so if I double click on this file it will actually Mount as a drive so now this is the D drive that I have open here and I'm no longer on my C drive it's just mounted now if I double click it again it knows that it's already mounted and it stays there as a DVD drive that's been opened but to a user maybe it'll look like a folder being open maybe it'll look like some sort of zip either way the fact of the matter is
00:01:29	these ISO form formats have been used quite extensively to try and bypass security products actually picking up that they have malicious contents inside of them now if I look at this you'll notice that a dobat is actually a bit grayed out compared to this VBS script and that's because it is a hidden item it's been set to hide inside of this ISO now if I disable viewing of that we only see the VBS script now this still doesn't make a lot of sense to me it's not like they're trying to masade this
00:01:56	as the actual invoice I guess it obviously works so that they don't need to and they've just said yeah I'm sure someone will double click on this and think that it's an invoice this probably won't be that big and if we go and edit it you can actually see that all it's going to do is run a w script shell that then kicks off a dobat now a dobat is the other file that we have so this is where we want to follow our analysis efforts so let's take a look at this but first I want to just highlight that now
00:02:24	we've got this drive mounted even if we right click this and eject it there is actually something that sits within the Windows event logs that can log that that mount has occurred now I do have a on liner on my website and if you are interested in Powershell one liners and kind of digital forensics and incident response check out this cheat sheet I'm sure you'll find it useful let's take a look at what we can do though I'm just going to run this and I guess it says nothing meet my criteria so that's
00:02:50	actually a bad example if we uh remove the fact that we were looking for that particular ID I guess I'll update my website and just look more broadly we can actually see evidence of this ISO becoming surfaced as a disk so vhd so we have that ISO file that was sitting in our downloads directory and we can see when it was both mounted and unmounted so surfaced and unsurfaced so now we have good time stamps Associated when they mounted the iso and when they unmounted the iso so let's go back and continue our analysis
00:03:24	now we've got a dobat and what does this actually kickoff well it looks like there's a bunch of stuff here that probably doesn't make a lot of sense to us but then we get to the Crux of what we need to look at all of this probably isn't needed but we can actually begin to make out some things in this script and I'm going to open it up in notepad++ just so that I can edit it a little bit easier so all of this stuff immediately gets picked up as hey this is probably not relevant it gets highlighted as such
00:03:53	what I'm going to do is I'm going to copy it out and then do some analysis so we can copy this directly from the image file and just dump it on our desktop so now I'm going to open this up so now we've got a file that we actually can edit let's go ahead and delete the useless characters here so now we can see that essentially what it's trying to do is replace any value that is defined as a with the letter e so let's go ahead and do that what we're going to do is we're just going to take that and we're
00:04:19	going to replace that with the letter e that's all we need to do now there are some characters that are completely irrelevant so the carrot symbol basically this one if we replace that with null bytes that's all we need to do that is not going to be used anywhere throughout the actual script so now we can actually see pretty much what's going to happen it's going to spawn a Powershell process and this is going to be defining a bite array and invoking in memory and it's trying to download so we have this tool here and I'm sure that's
00:04:49	being replaced somewhere it is so download string not a lot of obfuscation going on here but it's pulling its next payload from this particular URL now unfortunately this is actually a legitimate website that's been compromised you can see wpen admin which is a clear indicator that this is a WordPress based website and the WordPress website has likely been compromised and it's been used to serve some sort of malware so this im. PNG it's posing as a PNG file but I doubt it's actually a PNG file and if we
00:05:21	actually try to scan this there is something to keep in mind if you try to scan it with a tool such as URL scan. I because it's got a PNG extension it will actually stop you from scanning it but you can get around that by appending to the PNG extension so you could put a question mark at the end which is essentially a parameter and that will allow you to still scan the PNG file now you'll notice that it doesn't look like a PNG file we just have a broken image icon here because it's trying to interpret it as a PNG but it isn't now
00:05:53	if we look at the response we can actually see the next part of our payload this is where we need to focus the next part of our analysis now if I zoom into this we can take this one step at a time first off it's defining a directory where it's going to likely be storing payload so this program data Express now it takes a little bit of a rest so it sleeps for 2 seconds and then it starts to Define its content now the content defines a couple of functions so binary to string and hexa to bite now what we want to do is understand what is
00:06:26	being passed to those functions and if we scroll down we can see a 4D 5A now this is a good indication that this is going to be the MZ header associated with a PE file so it does look like there are two PE files potentially under serve and data that are sitting ready to be invoked in memory and if we go down further you can see some pretty generic obfuscation but let's take all of this so that we can perform some sort of data manipulation and understand what's going on so I'm going to start a new file and
00:06:57	paste all of this in now first up I want to understand what is happening here with this at symbol so it does look like when it is invoked the hexa to bite on both serve and data there is a replace operation that occurs on the at symbol to replace it with the number zero pretty straightforward which means if we take these and replace the value of at with zero then what it's going to be doing is converting them to their bite chart equivalent so that's where this base six comes in and that's just going to give
00:07:32	them the raw byes that are going to be able to be used so what I'm going to do is I'm going to take this and I'm going to throw in cyers we have the first one in cyberchef what I'm going to do is I'm just going to replace place the at symbol with a zero and we can see that it is identified as a Windows portable executable so we have our next part of the payloads here so I'm going to download it as let's say payload or actually this was the this was serve so let's call this serve exe and we'll put that in our downloads then
00:08:02	I'm going to also grab the next part which is data and data has the same operation occurred on it we take that we remove that we have that we do see it's a PE file we save this as data so now we have both serve and data. exe and we want to do some more analysis on that but first let's just double check that there's nothing else happening in this script that's of interest there is a definition of mxu and infv now that seems to be the method and invoke and what it's doing is it will replace these
00:08:36	hashes with the number zero or the hashes with the number one and then it will convert that from binary so once again let's throw this into cyberchef we're going to do a simple replace replace that with zero and that can be execute so we know that that value is going to be execute so we can actually just change this to the value execute and now the invoke method we're going to do the same thing except replace it with the number one and so this is going to be invoke it was not that uh obfuscated
00:09:06	but this is going to be something that we need when we get down to the bottom of this method here looking down it does seem to be a little bit more that goes on so let's just continue on while we've got this we know that the hashes are really not doing anything in this script so what we're going to do is just replace all of that with nothing all right so now we can actually begin to see something a bit more interesting let's remove the pluses as well let's replace that with nothing and now we can
00:09:33	see all right this is going to be using it does look like this is meant to be wrapped it's going to be using the microsoft.net Frameworks ASP net compiler and this is likely going to be used to inject into it as this is specified as a path so really what we want to do is understand what's happening in E3 here and E3 is going to be the method defined by E2 E2 is going to be the type g. local and that is going to be what is loaded from txy and this is going to be our data so we have to understand what's happening in data
00:10:09	now in order to progress so I will know that this is using reflection and it's using load so what that's telling me is that these are going to be net binaries and these are going to be exposed methods that can be loaded in this kind of manner because of that we can open it up in something like d spy so let's open it up so I will point out that what is actually happening is that all of this is being defined in that content variable and that content variable is going to be written to a file at that
00:10:39	Express Co l. PS1 and then that is going to be invoked with Powershell but not before it kills the existing Powershell process that starts running so this task kill command is going to go off kill Powershell and then it's going to run a different Powershell script here something to be aware of then you can see that it does set a value of a batch file here that is also going to be what is defined in the content variable except this time the content variable gets overwritten so really what is happening is it's setting all of this
00:11:15	inside of this PS1 script and then it's creating something with the same variable name so it's replacing what was in that variable and it's creating something that kicks off a Powershell script after it kills the existing Powershell processes then it's going to specify that this should be a batch script so the batch script is going to launch the Powershell script then we go down and we can see more content that is going to be written to a file this time it's going to be a Visual Basic script that gets
00:11:47	written to and then after that it looks like it's going to be doing the same but creating persistence that then has a Visual Basic script that kicks off everything else bit of a mouthful anyway let's take a look at the actual binaries that is then going to be loaded into memory what we're going to do is we're going to open up DN spy let's zoom in a bit maybe not that much let's go file let's open it up let's take a look we do have data we have serve dat is what I'm currently interested in you can see git
00:12:20	you can see reference to copyright 2022 let's go and see what we can find first off we had the git local that was specified and it does look like this is fairly obvious gated all right maybe we need to do some Deus gation of this let's see what we can de obus gate first so I'm just going to run on these tool known as de4 dot against those binaries and this is a net de obvious Gator let's see what we find so we can see that it's detected it has used the confuser ex in order to make it a bit more difficult to
00:12:51	understand and I'm assuming that if we also have that on one binary we're going to have that on the other except the other seems to be an unknown obvious dat interesting let's open back up DN spy and see what we find I'm just going to go ahead and remove the previous binary that I added and now I'm going to open up the new one now if we expand this out and we begin to look at what it had it does look like the local method has been deobfuscated slightly so that's good for us we can see that there is this method
00:13:21	called execute and this is really what we're interested in because we know that this is what's going to be loaded it also has a path and a payload so if we go back and we look at what we had we know that this is going to be passing in some parameters so that invoke it's using the method that is execute and invoke so we have execute these are the parameters that's to do with starting up the process over here are the two parameters that are going to be provided to that method so path do replace in
00:13:51	this case we know that path is the aspet compiler and then this variable which we know is going to be the s RV payload we have that payload which is going to be injected into that ASP net compiler and we know that injection is occurring because we can see API calls like ZW unmap view of section read process memory virtual Alec X and right process memory all of these which are associated with injection let's go ahead and open up the payload that's going to be injected into aspnet compiler so we do
00:14:24	have the serve cleaned and serve is what we are actually looking for we can see that this had instead a name that was DDD so the other one is the loader this is the payload and what we want to do is understand when this in is invoked what is actually invoked within it and there might not be a particular method that's going to be invoked so we can go to the entry point of this binary and that's going to be the main method that's going to be launched so it does look like straight up it sleeps there also seems
00:14:54	to be these variables with a lot of environment. exit so this is telling me that it will just terminate in a lot of situations but let's see if we can find out why it will terminate let's see if we can find out more something from a base 64 string and the string is what's defined here which is what's passed to this let's see if we can see any uses of this so we can there is one used by which is this one which means we have the string defined here and it does look like there are a number of strings that are base 64 encoded and
00:15:27	if they're just base 64 encoded there's probably not a lot to it so let's go ahead and take all these strings that look to be Bas 64 encoded I'm actually just going to copy the whole lot cuz this doesn't look too large going to clear out my recipe and I'm just going to paste it in now I want to use some Rex and I also want to have the base 64 from base 64 I'm going to take this alphabet I'm going to make that the Rex I'm going to say anything 30 or higher and what I want it to do is just highlight at the moment and ites does
00:15:59	look like it's picked up on a lot of the B 64 encoded strings if not all of it so let's list the matches and it does look like we have b64 here now and let's say from Bay 64 so it looks like there's probably something else that's happening here because this has not given us any kind of plain teex strings that then we can work with so it's probably not as simple as just taking it and going from base 64 so let's actually dive in and do some manual analysis because Dynamics just a little bit too easy sometimes and
00:16:28	try to understand what this is doing so for each and every one of these methods cuz it does look like this is all probably some configuration of the mare I want to understand what these are doing it looks like there are the base 64 encoded strings that we know have probably got some sort of encryption on them so let's take a look at how we can Implement AES decryption schemes in something like cyberchef it's really not the nicest method of doing it and you could probably do better by creating a
00:16:55	python script but for the ease of demonstrating how we can actually Implement these and understanding how AES encryption and decryption schemes are working in this malware let's take a look at how it can be done in cybership so first off we have to understand what these strings are doing this is getting a string from a base 64 string this base 64 string is defined here as a static string so we're going to need to take that because it's being used in the next function the next function is driving
00:17:24	using RFC 2898 now this is a password based key derivation function so pbk DF and what this is doing is using a password assault and an number of iterations and a hashing scheme deriving a secret password if you don't have all these things in order you're not going to get the password needed to be able to form the AES decryption so what we're going to do is understand what's being passed here we already have the master passw the master key because this is stored in plain text this was the b64 encoded
00:17:58	string then then we have a salt so this is being defined as this NY a and then we have a number of iterations we have 50,000 iterations and the salt is what's stored Within These bytes so what we're going to have to do is use these bytes let's jump over to cyber shift what I've done is I've copied the bites in and they had a space so I just did a find and replace to remove that and then what I'm doing is converting it from decimal to something that is raw and then from there I want it in a hex decimal format
00:18:30	as it's easy to work with I could also do it as a Bas 64 encoded format so what I've actually got is an output that can be used this output is the salt that's going to be used in our encryption scheme let's head back over to the malware though so we first have to derive that key we have to look at how it's being used in the AES decryption routine and this seems to be in this ATP Q method so if we head over here it's going to convert from a base 64 string then it's going to pass it through to this function and what this is doing is
00:19:01	taking it and Performing the as decryption on it the key things that we want to know here is kind of the ciper mode the padding scheme because it's got the pkcs7 this is going to work nicely if it's not using this padding scheme it can be a lot more challenging to actually do this in cyberchef the key size is 256 which is what we're going to need to know so let's head on over to cyberchef with this new knowledge in cyberchef we want to derive the key key now we have the pass phrase this N3 L as
00:19:33	this is what was passed to this function the n3l is here that's our passphrase now we need the key size that's why we had to look at this new encryption routine in order to understand the key size that's being used so in this case it's 256 we have 50,000 iterations that's because this has come from deriving the key with the 50,000 iterations and it is the hashing function sh one we didn't actually see that come up but if you look at how RFC is defined here it's using the hashing algorithm sh one that's how we know that
00:20:13	it's using sh one and the salt is what we have derived from this so that salt in bytes when we convert that to hex we can then easily use it in our pbk DDF function we now have this output which seems to be this large heximal value and this is what we're going to need to use in our AES decryption so let's jump over to how we can then take this and use it to decrypt these strings what we want to do is actually have it as the key we derived it this is the key that we need so let's use that as the key in the AES
00:20:48	decryption function there is also a initialization Vector now the initialization Vector is going to be determined based on what you give it and I'll show you how we find that out if we look at the malware and we head on over to this decryption function there is a mention here of a bite array that has 16 bytes in it now this B array is being used for the initialization Vector we can see that here in the AES crypto I now those 16 bytes they're being read from the memory stream now the memory stream is what is being used to read in
00:21:23	what we passed to this and remember that this is all being passed the string to decrypt so what this means is the initialization Vector is actually the first 16 bytes of our encrypted string so let's put this into practice what I'm going to do is I'm going to take a string here we've got this from base 64 but what I want to do is take those 16 bys so I'm going to run take BS from 0 to 16 now I also want this to be in hexadecimal and I'm going to remove the space so now we actually have something
00:21:55	where we've taken the first 16 bytes we've made it hexes and we've got an initialization Vector let's disable these operations now and go back to the AES decrypt if we put this in as IV you immediately begin to see something interesting the last value that shows up is false so this looks like it's configuration details of some kind for the malware what's even more interesting is that the IV value doesn't even really matter as long as we've got 16 bytes in here so even as hex it still has the same output the byes preceding it are
00:22:28	jumbled because cuz I may have implemented this routine wrong but the main thing that matters here is the false so the configuration of this string is going to be false and wherever it's used is going to be defined as false I'm going to go back so let's take all of these strings I particularly want to know what this one is because it's quite large and this one there's quite a lot so let's take them all besides what we know is going to be used which is this N3 one so let's take all of this I'm going to throw this in the input I'm
00:22:55	going to get rid of the string which is the master key I'm going to get rid of some ones that are not related like app data what I want to do is extract this now with Rex we're going to use the same alphabet as defined in Rex we're going to say 30 or larger this should pick up on every piece of a 64 encoded string here and it does let's list the matches so now it looks like we've got a whole list which is nice and one of the things that I want to do is now take this from Bay 64 but to do this properly we're
00:23:28	going to have to use a Fork operation we're going to split based on a new line and then we're going to merge back at the end seems fine to me now I can do from Bay 64 and everything should have the B 64 operations occur and then I can also continue with the AES decryption and now we see things that look like configuration details it may be that I need to actually drop some of the first lots of btes but let's go ahead and do that let's just drop and I believe maybe it's the first 16 could be the first 32
00:23:58	64 let's just drop 32 for this point in time it does look like perhaps this is communicating back on Port 6666 there is the K helper so it does look like it says edit three Lush rat now three Lush is a known crypter so it's possible that that's been used on this rat we can also see a mutex which is async mutex and this is tied to async rat so some of these strings don't seem to make a lot of sense for example we've got a few here these other ones look like they might be once again Bas 64 encoded
00:24:30	strings though so let's see if we can decode them I'm going to take this one I'm going to throw it over here going to say from base 64 and you can actually see that this now says async rat server now this is a certificate file that's been detected here so we have a good idea that this is a embedded certificate inside of the binary and this is tied to Asing Grant which is commodity freely available rat we can also see false null null and a bat mentioned here so it looks like we have now determined what
00:25:01	this malware is it's likely asyn rat we can go and do some analysis on what asyn crat is the code is freely available so all in all we know that this was a bit of a convuluted chain that pulled payloads from a compromised WordPress website which was then going to invoke in memory a loader that then was going to be loading a syn rat into the aspnet compiler process but that's all that's what I wanted to show you today let me know your thoughts feelings comments anything else in the comment section below and I will catch
00:25:37	you next time