Microsoft Security Intelligence
Published Sep 12, 2022 | Updated Nov 30, 2025

RemoteAccess:MSIL/AsyncRAT.M!MTB

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

RemoteAccess:MSIL/AsyncRAT.M!MTB refers to a specific and prevalent variant of the AsyncRAT family, a sophisticated remote access trojan (RAT) known for providing threat actors with comprehensive control over a compromised device. The "MSIL" in its name is a critical identifier, signifying that the malware core is written in C# and compiled into Microsoft Intermediate Language. This means the threat is not a native binary but is instead built to run within the .NET Framework common language runtime on Windows devices. This MSIL-based construction influences its behavior, detection methods, and the forensic artifacts it leaves behind, making its .NET dependency a central characteristic for analysis. 

AsyncRAT originated as an open-source remote administration project publicly available on GitHub. However, its powerful feature set has led to widespread adoption by threat actors for malicious purposes. They customize the publicly available code to create unique variants, which are then deployed in coordinated campaigns. The primary method of infection is through sophisticated phishing attacks, where users receive legitimate-looking emails containing malicious attachments. These attachments are compressed archive files, such as ZIP or ISO formats, which conceal the final MSIL payload. When a user extracts and launches the contents, the infection chain begins, deploying the RAT to establish a covert connection with a threat actor-controlled server. 

The "!MTB" suffix refers to Machine Threat Behavior, which indicates that this trojan was detected using behavioral analysis or machine learning models. Instead of relying on a static signature (like a known file hash), the antivirus engine identified the program's actions, sequence of operations, or code patterns as malicious. These patterns are consistent with the known behavior of the AsyncRAT family.

  • Disconnect the infected device from all networks (both wired and wireless) to sever the command-and-control connection. 
  • Navigate to key directories such as %TEMP%, %AppData%, and C:\Users\Public, and permanently delete any unidentified executable files, scripts, or payloads associated with the incident.
  • Open Task Scheduler and review the task library; remove any suspicious tasks that were created around the time of the infection. 
  • Inspect the Windows Registry and delete any malicious persistence entries created by the malware, particularly in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. 
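The following PowerShell script is an added triage example, not Microsoft's own tooling or part of this encyclopedia entry. It walks the same three locations the steps above name (the staging directories, Task Scheduler, and the per-user Run key) and reports candidates for analyst review instead of deleting anything, so that the manual cleanup is driven by a list rather than by eyeballing folders. It also flags which candidate files are MSIL/.NET assemblies, the characteristic the summary calls out for this family: `[System.Reflection.AssemblyName]::GetAssemblyName` succeeds only on files that carry a CLR header and throws `BadImageFormatException` on native or non-PE files. The `$Since` parameter, the seven-day default lookback, and the extension list are assumptions chosen for the example; set `$Since` to the suspected infection time from your own timeline.

```powershell
<#
  Added triage example (not Microsoft's code). Lists candidates in the locations
  named by the cleanup steps; it deletes nothing. Run in an elevated PowerShell
  session on the host after it has been disconnected from the network.
#>
param(
    [datetime]$Since = (Get-Date).AddDays(-7)   # assumed lookback window
)

# Returns $true when the file is a managed (MSIL/.NET) assembly, the form the
# summary describes for this family; native PEs and scripts return $false.
function Test-IsDotNetAssembly {
    param([string]$Path)
    try {
        [System.Reflection.AssemblyName]::GetAssemblyName($Path) | Out-Null
        return $true
    } catch {
        return $false   # BadImageFormatException or unreadable file
    }
}

# 1. Recently written executables and scripts in the staging directories.
$dirs = @($env:TEMP, $env:APPDATA, 'C:\Users\Public')
$exts = '.exe', '.dll', '.ps1', '.vbs', '.js', '.bat', '.cmd'   # assumed list
$files = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $Since }
}
"== Files written since $Since in staging directories =="
$files | ForEach-Object {
    [pscustomobject]@{
        Path      = $_.FullName
        Written   = $_.LastWriteTime
        IsDotNet  = Test-IsDotNetAssembly $_.FullName
        Signature = (Get-AuthenticodeSignature $_.FullName -ErrorAction SilentlyContinue).Status
    }
} | Sort-Object Written -Descending | Format-Table -AutoSize

# 2. Scheduled tasks registered since the suspected infection time.
#    The task's Date field can be empty, so parse it with -as and skip nulls.
"== Scheduled tasks registered since $Since =="
Get-ScheduledTask | Where-Object {
    ($created = $_.Date -as [datetime]) -and $created -ge $Since
} | Select-Object TaskName, TaskPath, Date,
    @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize

# 3. Per-user Run key persistence entries (the key named in the cleanup steps).
"== HKCU Run key entries =="
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $runKey |
    Select-Object * -ExcludeProperty PS* |
    ForEach-Object { $_.PSObject.Properties } |
    ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } } |
    Format-Table -AutoSize
```

Treat the output as a worklist: an unsigned .NET executable written in %AppData% a few minutes before a new scheduled task or Run entry that launches it is the pattern to remove, while signed, well-known binaries in the same folders are usually benign and should be left alone. Keep a copy of anything you delete so the sample can be submitted for analysis.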

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
