Microsoft Security Intelligence
Published Apr 08, 2021 | Updated Dec 03, 2025

Backdoor:MSIL/AsyncRAT.ZB!MTB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Backdoor:MSIL/AsyncRAT.ZB!MTB (Asynchronous Remote Access Trojan) is a persistent backdoor compiled to Microsoft Intermediate Language (MSIL) and targeting Windows devices that have the .NET Framework installed. Being a managed .NET assembly lets this AsyncRAT variant run on any Windows version with a compatible runtime and call the .NET class libraries for harmful activities such as screen capture and process injection. AsyncRAT began as a public, open-source remote administration tool, and that public code base has spawned many obfuscated variants. This variant's code changes over time to evade static detection signatures, which is the main detection challenge it poses. The central goal of AsyncRAT is a hidden, lasting channel for remote control: it embeds itself in Windows processes and keeps a connection open to servers operated by the threat actors. 

The infection often starts with a phishing campaign or a software bundle in which the malicious payload masquerades as a legitimate file. Once launched, it establishes persistence, for example by creating a scheduled task or adding a registry Run key, and uses process hollowing to place its code inside a trusted Windows process so that its activity appears to come from that process. From there the operators can record keystrokes, steal credentials and files from browsers and cryptocurrency wallets, capture audio and video, and turn the infected device into a proxy for further attacks. 

The “!MTB” suffix refers to Machine Threat Behavior, which indicates that this trojan was detected by behavioral analysis or machine learning models rather than by a static signature such as a known file hash. The antivirus engine classified the program's actions, its sequence of operations, or its code patterns as malicious because they match the known behavior of the AsyncRAT family. A consequence worth noting for responders is that the detection name alone does not identify a specific file: different samples with different hashes can all be reported under this name. 

  • Disconnect the infected device from all networks (both wired and wireless) to sever the command-and-control connection. 
  • Use Task Manager or Process Explorer to look for suspicious processes, in particular instances of cmd.exe or powershell.exe with unusual command lines and any unknown binaries, and end them. 
  • Open the Registry Editor and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Carefully delete any entries pointing to malicious files. 
  • Open Windows Task Scheduler and delete any malicious tasks you've identified. 
  • On a clean device, change all passwords that were used or stored on the infected device. 
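The persistence and injection behavior described above and the manual checks in this list can be triaged from an elevated PowerShell prompt. The script below is an added example, not Microsoft's code and not part of this page's original guidance. It only reads and reports; it does not delete anything. The lists of abused launcher binaries and user-writable directories, and the `Test-SuspiciousCommand` heuristic built on them, are assumptions for illustration and will produce hits on legitimate software, so every finding still needs a human look before removal.

```powershell
# Added triage example (not from the original page): enumerate Run keys, scheduled
# tasks and running processes, and flag entries that look like a user-level dropper
# or a living-off-the-land launcher. Read-only; review hits manually.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristics: interpreters commonly abused as launchers, and directories a
# non-admin dropper can write to. Neither list comes from the advisory.
$launcherPattern = 'cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe'
$userWritable = @(
    [regex]::Escape($env:APPDATA),
    [regex]::Escape($env:LOCALAPPDATA),
    [regex]::Escape($env:TEMP),
    'C:\\Users\\Public',
    'C:\\ProgramData'
)

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    if ($Command -match $launcherPattern) { return $true }
    foreach ($p in $userWritable) { if ($Command -match $p) { return $true } }
    return $false
}

$findings = @()

# 1. Registry Run / RunOnce values (one value per autostart entry)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive properties
        $cmd = [string]$p.Value
        if (Test-SuspiciousCommand $cmd) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $cmd }
        }
    }
}

# 2. Scheduled tasks: inspect each action's executable and arguments
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
        if (Test-SuspiciousCommand $cmd) {
            $findings += [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Name    = $task.Author
                Command = $cmd
            }
        }
    }
}

# 3. Running processes: image in a user-writable path, or a launcher binary whose
#    parent is worth recording (hollowed trusted images keep their normal path, so
#    the parent/command-line relationship is the useful clue here)
Get-CimInstance Win32_Process | ForEach-Object {
    $proc = $_
    $image = [string]$proc.ExecutablePath
    $cmd   = [string]$proc.CommandLine
    $imageInUserPath = $false
    foreach ($p in $userWritable) { if ($image -match $p) { $imageInUserPath = $true } }
    if ($imageInUserPath -or ($proc.Name -match $launcherPattern)) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Source  = "Process PID $($proc.ProcessId) (parent: $($parent.Name) PID $($proc.ParentProcessId))"
            Name    = $proc.Name
            Command = if ($cmd) { $cmd } else { $image }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it before disconnecting the device only if you are capturing evidence; otherwise disconnect first, as the list above says, and run it afterwards. `Get-ScheduledTask` needs the ScheduledTasks module (Windows 8 / Server 2012 and later), and HKLM keys and other users' processes are only fully visible from an elevated session. Once you have confirmed an entry is malicious, `Remove-ItemProperty` on the Run value and `Unregister-ScheduledTask` on the task do the deletions the list describes.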

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections leave remnant files and system changes behind. Updating your antimalware definitions and running a full scan can help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
