AsyncRAT

Malware Profile Updated 5 days ago
AsyncRAT is malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. In one observed infection chain, the executable loads http_dll.dll; the DLL then unpacks in memory and loads the AsyncRAT payload. The malware has been identified as a significant threat, with infections detected by Cortex XDR analysis.

A phishing campaign aimed at delivering AsyncRAT was discovered targeting victims primarily in Colombia and Argentina. The JavaScript downloader SocGholish, also known as FakeUpdates, has been used to deliver AsyncRAT together with the legitimate open-source Berkeley Open Infrastructure Network Computing Client (BOINC). AsyncRAT has also been observed alongside other offensive security tools such as Cobalt Strike, Viper, and Meterpreter, and alongside remote access tools (RATs) such as QuasarRAT, PlugX, ShadowPad, and DarkComet. Threat actors have hidden AsyncRAT inside HTML files posing as delivery invoices; opening such a file in a web browser triggers a chain of events that deploys the malware.

Recent reports describe a surge in AsyncRAT attacks, particularly tax-themed campaigns. These attacks exploit WinRAR vulnerabilities and have led to unauthorized access to victims' computers. Notably, AsyncRAT has also infiltrated key US infrastructure through GIFs and SVGs. The rise of this malware underscores the need for robust cybersecurity measures and continuous vigilance against potential threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Dcrat | 1 | DcRAT is a malicious software that has been used in various cyberattacks throughout 2023 and into 2024. The malware, distributed through fake OnlyFans content, deceptive Google Meet sites, and spoofed Skype and Zoom websites, downloads a DcRAT payload when users click on certain elements. This Remot
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Remcos
Payload
Loader
Trojan
Rat
Phishing
Crypter
Github
Source
Windows
Antivirus
Exploit
Downloader
Ransomware
Fraud
JavaScript
PowerShell
Evasive
Malvertising
Ransom
Botnet
Domains
Decoy
Exploits
Fortiguard
Chrome
Sandbox
Html
WinRAR
Avast
Hp
Gbhackers
Screenconnect
Operation Sp...
Ddos
Implant
Spam
Backdoor
Apt
Vulnerability
Rmm
Associated Malware
ID | Type | Votes | Profile Description
njRAT | Unspecified | 3 | NjRAT is a remote-access Trojan (RAT) that has been commonly used in both criminal and targeted attacks since as early as 2013. It is part of a suite of RATs used by attackers, including Remcos and AsyncRAT, to exploit and damage computer systems. NjRAT can identify remote hosts on connected network
Targetcompany | Unspecified | 2 | TargetCompany, a well-known malware group, has developed a new Linux variant of its ransomware that specifically targets VMware ESXi environments. This discovery was made by researchers at Trend Micro who track the group under the name Mallox. The novel variant is designed to detect whether a target
Lockbit | Unspecified | 2 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Agenttesla | Unspecified | 2 | AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
Xworm | Unspecified | 2 | XWorm is a multi-functional malware that provides threat actors with remote access capabilities, has the potential to spread across networks, exfiltrate sensitive data, and download additional payloads. It was observed exploiting ScreenConnect vulnerabilities, a client software used for remote syste
NETWIRE | Unspecified | 2 | NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at
DarkComet | Unspecified | 2 | DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es
Fakeupdates | Unspecified | 2 | FakeUpdates, also known as SocGholish, is a JavaScript-based loader malware that primarily targets Microsoft Windows-based environments. The malware has been in operation for over five years and uses compromised websites to trick users into running a fake browser update. In addition to its deceptive
Socgholish | Unspecified | 2 | SocGholish is a malicious software (malware) known for its ability to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, in 2023, several distinct website malware campaigns were identified to serve SocGholish malw
Raccoon | Unspecified | 1 | Raccoon is a highly potent and cost-effective Malware-as-a-Service (MaaS) primarily sold on dark web forums, used extensively by Scattered Spider threat actors to pilfer sensitive data. As per the "eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2.0" report published on August 31, 20
Vidar | Unspecified | 1 | Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
NanoCore | Unspecified | 1 | NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec
ZxShell | Unspecified | 1 | ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
Darkgate | Unspecified | 1 | DarkGate is a malicious software (malware) that poses significant threats to computer systems and data. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hos
Venomrat | Unspecified | 1 | VenomRAT is a malicious software (malware) that poses significant threats to computer systems and devices. It can infiltrate systems through dubious downloads, emails, or websites, often without the user's knowledge. Once installed, VenomRAT can steal personal information, disrupt operations, or eve
payload.exe | Unspecified | 1 | Payload.exe is a malicious software, or malware, that exploits and potentially damages your computer system. It is created from payload.c to generate a 64-bit executable file, which is then processed by exe2h to extract the shellcode from the .text segment of the PE file, saving it as a C array to p
Agent Tesla | Unspecified | 1 | Agent Tesla is a malicious software (malware) that exploits and damages computer systems, often infiltrating the system through suspicious downloads, emails, or websites. This malware can steal personal information, disrupt operations, and potentially hold data for ransom. Agent Tesla has been obser
Lockbit Black | Unspecified | 1 | LockBit Black, also known as LockBit 3.0, is a malware that emerged in early 2022, following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. This malicious software, designed to exploit and damage computer systems, encrypts files and often holds them hostage for ransom. The
Scrubcrypt | Unspecified | 1 | ScrubCrypt is a sophisticated malware that has been identified as a significant threat in the cybersecurity landscape. It operates as part of an intricate system of harmful software, including VenomRAT and various malicious plugins, designed to exploit and damage computer systems. The malware infilt
Dark Crystal Rat | Unspecified | 1 | None
Meterpreter | Unspecified | 1 | Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
Netsupport Rat | Unspecified | 1 | NetSupport RAT is a type of malware that can significantly compromise an organization's digital security. Originally derived from the legitimate NetSupport Manager, a remote technical support tool, this malware infects systems through suspicious downloads, emails, or websites, often unbeknownst to t
Hotrat | Unspecified | 1 | HotRat is a potent malware that has been identified by Avast researchers as a .NET reimplementation of AsyncRat. This new strain of Remote Access Trojan (RAT) comes with nearly 20 commands, each capable of executing a .NET module retrieved from a remote server. This allows the threat actors to exten
Bumblebee | Unspecified | 1 | Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Revenge RAT | Unspecified | 1 | Revenge RAT is a malicious software that uses advanced delivery techniques and support infrastructure to exploit and damage computer systems. It utilizes an Office macro within a Microsoft Office Excel Worksheet to infect its targets. The malware is not dropped onto the disk but is loaded directly i
Amadey | Unspecified | 1 | Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p
Redline Stealer | Unspecified | 1 | RedLine Stealer is a type of malware that has been causing significant disruption in the digital landscape. This malicious software infiltrates computer systems, often without the user's knowledge, via suspicious downloads, emails, or websites, and then proceeds to steal personal information, disrup
Smokeloader | Unspecified | 1 | SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Redline | Unspecified | 1 | RedLine is a malware designed to exploit and damage computer systems by stealing personal information, disrupting operations, or even holding data hostage for ransom. It has been identified as a favorite infostealer among threat actors selling logs through the marketplace 2easy, which also sells Rac
Lokibot | Unspecified | 1 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Avemaria/warzonerat | Unspecified | 1 | None
Formbook | Unspecified | 1 | Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being
Associated Threat Actors
ID | Type | Votes | Profile Description
TA2541 | Unspecified | 1 | TA2541, a cybercriminal threat actor identified by Proofpoint, has been actively executing malicious actions since January 2017. This group demonstrates persistent and ongoing threat activity, targeting sectors related to aviation, transportation, and travel. Unlike many similar entities, TA2541 doe
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Asyncrat Remcos | Unspecified | 1 | None
CVE-2024-1709 | Unspecified | 1 | CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid Response
Source Document References
Information about the AsyncRAT malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 5 days ago | SocGholish malware used to spread AsyncRAT malware
Recorded Future | 18 days ago | 2023 Adversary Infrastructure Report | Recorded Future
Checkpoint | 2 months ago | Inside the Box: Malware's New Playground - Check Point Research
DARKReading | 2 months ago | HP Catches Cybercriminals 'Cat-Phishing' Users
Pulsedive | 4 months ago | Pulsedive Blog | CyberChef 101 Tool Guide
Malware-traffic-analysis.net | 4 months ago | Malware-Traffic-Analysis.net - 2024-03-14: AsyncRAT and XWorm infection
CERT-EU | 4 months ago | New Vcurms Malware Targets Popular Browsers for Data Theft
CERT-EU | 5 months ago | Tax Season Phishing Surge: Cyber Exploits with AsyncRAT
BankInfoSecurity | 6 months ago | Breach Roundup: FTC Bans Data Broker From Sharing Locations
InfoSecurity-magazine | 7 months ago | Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over
Recorded Future | 7 months ago | 2023 Adversary Infrastructure Report | Recorded Future
CERT-EU | 7 months ago | Beware! YouTube Videos Promoting Cracked Software Distribute Lumma Stealer
CERT-EU | 7 months ago | US critical infrastructure, others subjected to prolonged AsyncRAT malware attacks
CERT-EU | 7 months ago | AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
Checkpoint | 7 months ago | 18th December – Threat Intelligence Report - Check Point Research
Malwarebytes | 5 months ago | Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR | Malwarebytes
CERT-EU | 5 months ago | Unmasking 2024's Email Security Landscape
CERT-EU | 5 months ago | New Vulnerabilities in ConnectWise ScreenConnect Massively Exploited by Attackers
CERT-EU | 5 months ago | Hackers Exploit ConnectWise Bugs to Deploy LockBit Ransomware
CERT-EU | 5 months ago | ConnectWise ScreenConnect attacks deliver malware – Sophos News | #ransomware | #cybercrime | National Cyber Security Consulting