Trojan:MSIL/Asyncrat.AMMC!MTB operates as a remote access trojan compiled to Microsoft Intermediate Language (MSIL), allowing threat actors to gain extensive control over compromised devices via the .NET runtime environment. Originating from an open-source C# project released on GitHub in 2019 by the developer known as NYAN CAT, this MSIL variant was initially presented as a tool for legitimate remote management but has been adapted for malicious purposes.
The infection typically begins with phishing: spam emails carry ZIP, RAR, DOC or ISO attachments, or links to cloud storage services such as Google Drive or OneDrive. These deliver scripts, often via HTML smuggling, that retrieve PowerShell code to deploy the payload into directories such as %ProgramData%\xral or C:\Users\Public. In stealthier, fileless implementations, reflective loading injects the MSIL code into memory inside benign .NET processes such as RegSvcs.exe, leaving fewer detectable artifacts on disk.
Persistence mechanisms adapt based on the malware's privilege level: in non-elevated contexts, it adds entries to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key and copies itself to temporary folders; with administrator rights, it creates scheduled tasks under innocuous names like "Skype Updater" or "Reklam," set to launch on logon via schtasks /create commands.
Anti-analysis features include calls to CheckRemoteDebuggerPresent for detecting debugging sessions, Windows Management Instrumentation (WMI) queries to identify virtualization indicators, enumeration of antivirus products, and modifications to security components such as the Anti-Malware Scan Interface (AMSI) and Event Tracing for Windows (ETW). Obfuscation techniques encompass junk code insertion, polymorphic naming conventions, hexadecimal or base64 encoding, dynamic API resolution, proxy methods, and control flow alterations.
Command-and-control (C2) communications occur over TCP sockets on customizable ports including 222, 4782, 6606, 7707, 7840-7842, 8808, and 8041, utilizing MessagePack serialization with length prefixes for efficient packet handling. Initial beacons transmit reconnaissance details such as hardware identifiers, usernames, Windows versions, and security software statuses. Configurations are protected by AES-256 encryption with PBKDF2 key derivation, while mutexes like AsyncMutex_6SI8OkPnk prevent multiple instances from running simultaneously. Known C2 elements include IP addresses such as 45[.]141.215[.]40[:]4782, 45[.]12.253[.]107[:]8808, 64[.]188.16[.]134, 13[.]78.209[.]105, 52[.]27.15[.]250, 185[.]49.126[.]50, 195[.]26.255[.]81, and 191[.]96.207[.]246; domains like 3osch20[.]duckdns[.]org, asyncmoney[.]duckdns[.]org (ports 7829, 7840-7842), yuri101.duckdns.org, httpswin10[.]kozow[.]com, and kashuub[.]com; URLs such as hxxp://45[.]12.253[.]107[:]222/f.txt and hxxp://45[.]12.253[.]107[:]222/j.jpg; and self-signed certificates often with the common name "AsyncRAT Server."
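As an added illustration of the length-prefixed MessagePack framing described above (example code written for this page, not AsyncRAT's own code nor that of any analysis tool), the parser below splits a captured plaintext stream into frames and decodes the string-keyed map in each one. It assumes a 4-byte little-endian length prefix and a flat beacon map with short string keys; the beacon field names and values are constructed, and because the live traffic is TLS-wrapped, the input is assumed to be a stream already decrypted in a sandbox or recovered from the client side.

```python
import struct

def parse_frames(stream):
    """Split a plaintext stream into payloads using a 4-byte little-endian length prefix (assumed framing)."""
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (size,) = struct.unpack_from("<i", stream, pos)
        if size < 0 or pos + 4 + size > len(stream):
            raise ValueError(f"bad or truncated frame at offset {pos}")
        frames.append(stream[pos + 4:pos + 4 + size])
        pos += 4 + size
    if pos != len(stream):
        raise ValueError("trailing bytes after the last frame")
    return frames

def decode_msgpack(buf, pos=0):
    """Decode a MessagePack subset (fixmap, fixstr, nil, bool) and return (value, next_pos)."""
    b = buf[pos]
    if 0x80 <= b <= 0x8F:               # fixmap: up to 15 key/value pairs
        out, pos = {}, pos + 1
        for _ in range(b & 0x0F):
            key, pos = decode_msgpack(buf, pos)
            out[key], pos = decode_msgpack(buf, pos)
        return out, pos
    if 0xA0 <= b <= 0xBF:               # fixstr: up to 31 bytes of UTF-8
        n = b & 0x1F
        return buf[pos + 1:pos + 1 + n].decode("utf-8"), pos + 1 + n
    if b in (0xC0, 0xC2, 0xC3):         # nil, false, true
        return {0xC0: None, 0xC2: False, 0xC3: True}[b], pos + 1
    raise ValueError(f"unsupported MessagePack type 0x{b:02x} at offset {pos}")

def encode_map(d):
    """Encode a small str-keyed map (str/bool/None values, strings under 32 bytes); used only to build the sample."""
    enc = lambda s: bytes([0xA0 | len(s.encode("utf-8"))]) + s.encode("utf-8")   # fixstr
    out = bytes([0x80 | len(d)])
    for k, v in d.items():
        out += enc(k) + (enc(v) if isinstance(v, str) else {None: b"\xc0", False: b"\xc2", True: b"\xc3"}[v])
    return out

# Constructed beacon: the key names and values are illustrative, not taken from a real sample.
SAMPLE_BEACON = {"Packet": "ClientInfo", "HWID": "CONSTRUCTED-HWID-0001", "User": "alice",
                 "OS": "Windows 10 Pro 64bit", "AV": "Windows Defender", "Admin": False}
SAMPLE_STREAM = b"".join(struct.pack("<i", len(p)) + p
                         for p in (encode_map(SAMPLE_BEACON), encode_map({"Packet": "Ping"})))

def beacon_summary(stream):
    """Return (Packet, User, OS) for each frame of a captured plaintext stream."""
    return [(m.get("Packet"), m.get("User"), m.get("OS"))
            for m in (decode_msgpack(f)[0] for f in parse_frames(stream))]
```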
File hashes for indicators include SHA-256 examples like 83c96c9853245a32042e45995ffa41393eeb9891e80ebcfb09de8fae8b5055a3 for HTML files, 97f91122e541b38492ca2a7c781bb9f6b0a2e98e5b048ec291d98c273a6c3d62 for ISO images, ac6c6e196c9245cefbed223a3b02d16dd806523bba4e74ab1bcf55813cc5702a for WSF scripts, and 0159bd243221ef7c5f392bb43643a5f73660c03dc2f74e8ba50e4aaed6c6f531 for PS1 scripts.
Core capabilities allow comprehensive surveillance and system manipulation, with keylogging implemented through SetWindowsHookEx to capture and store inputs in temporary files, theft of credentials, browser data, clipboard contents, and cryptocurrency wallets, remote desktop recording, audio and video capture, file operations, process monitoring, webcam activation, Windows Defender deactivation, denial-of-service attacks, and privilege escalation that can induce instability.
Infection patterns consistently feature scripts depositing files in %ProgramData%\xral under names like xral[.]ps1, hrlm[.]ps1, 1[.]bat, FXM_20231606_9854298542_098[.]wsf, and log[.]tmp in %temp%, with processes such as winsecurity.exe, sysnetwk.exe, or syshostctl.exe appearing in unusual paths like C:\ProgramData\Windows Security\ or C:\ProgramData\Microsoft\Network\Dsq. Obfuscation includes filler code, dynamic labeling, and encodings to complicate analysis. Detection strategies focus on behavioral signals, including atypical registry modifications, injections into .NET utilities, and outbound connections to servers presenting self-signed certificates. The malware aligns with multiple MITRE ATT&CK framework tactics (version 17), such as T1059 for command and scripting interpreter usage, T1562.001 for disabling or modifying tools (e.g., terminating security processes), T1562.004 for impairing system firewalls via AMSI/ETW bypasses, T1027.013 for obfuscated files through encrypted or encoded content, T1539 for stealing web session cookies, T1555.003 for credentials from web browsers, T1110.003 for brute force password spraying, T1614.001 for system location discovery, T1123 for audio capture, T1125 for video capture, T1115 for clipboard data, and T1486 for data encrypted for impact.
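To make the persistence mechanisms and the behavioral detection signals above concrete, here is an added example (written for this page, not taken from any vendor's detection content) that applies simple rules to constructed Sysmon-style "Key=Value" telemetry lines: an HKCU Run entry pointing into a drop directory, a schtasks /create using one of the named task names, RegSvcs.exe launched by a script host, a file written to %ProgramData%\xral, and one of the named process names running under C:\ProgramData. The event format, field names and sample lines are assumptions made for the example; the task names, paths and process names come from the text.

```python
import re

# Names and paths below come from the write-up; the telemetry lines are constructed, not from a real host.
TASK_NAMES = {"skype updater", "reklam"}
STAGING_DIRS = ("c:\\programdata\\xral\\", "c:\\users\\public\\")
MASQUERADE_NAMES = {"winsecurity.exe", "sysnetwk.exe", "syshostctl.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # Key=Value pairs whose values may contain spaces

SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xral Details=C:\ProgramData\xral\xral.ps1",
    r'EventID=1 Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=schtasks /create /sc onlogon /tn "Skype Updater" /tr C:\Users\Public\svc.exe',
    r"EventID=1 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=RegSvcs.exe",
    r"EventID=11 Image=C:\Windows\System32\wscript.exe TargetFilename=C:\ProgramData\xral\hrlm.ps1",
    r"EventID=1 Image=C:\ProgramData\Windows Security\winsecurity.exe ParentImage=C:\Windows\explorer.exe CommandLine=winsecurity.exe",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe",
]

def parse_event(line):
    """Turn one 'Key=Value Key2=Value2' telemetry line into a dict."""
    return dict(KV_RE.findall(line))

def evaluate(ev):
    """Return the names of the AsyncRAT-style behavioral rules that a single event matches."""
    hits, eid, cmd = [], ev.get("EventID"), ev.get("CommandLine", "")
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if eid == "13" and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower() \
            and ev.get("Details", "").lower().startswith(STAGING_DIRS):
        hits.append("run_key_to_staging_dir")           # HKCU Run entry pointing at a drop directory
    if eid == "1" and image == "schtasks.exe" and "/create" in cmd.lower():
        m = re.search(r'/tn\s+"?([^"/]+?)"?\s+/', cmd, re.I)
        if m and m.group(1).strip().lower() in TASK_NAMES:
            hits.append("known_task_name")               # "Skype Updater" / "Reklam" logon task
    if eid == "1" and image == "regsvcs.exe" and parent in SCRIPT_HOSTS:
        hits.append("dotnet_utility_from_script_host")   # RegSvcs.exe spawned by a script interpreter
    if eid == "11" and ev.get("TargetFilename", "").lower().startswith(STAGING_DIRS[0]):
        hits.append("file_dropped_in_xral")
    if eid == "1" and image in MASQUERADE_NAMES and ev.get("Image", "").lower().startswith("c:\\programdata\\"):
        hits.append("masquerading_process_path")
    return hits

def scan(lines):
    """Map line index -> rule hits for every line that triggers at least one rule."""
    results = {}
    for i, line in enumerate(lines):
        hits = evaluate(parse_event(line))
        if hits:
            results[i] = hits
    return results
```

Each rule on its own is a weak signal; in practice these are correlated per host and combined with the C2 indicators above before raising an alert.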