Trojan:VBS/AsyncRAT

The initial launch of Trojan:VBS/AsyncRAT often involves a Windows Script File (.WSF) or a VBS file, which initiates a sequence of events. For instance, one documented attack used a script that was retrieved from a secondary archive, such as a ZIP file, from a remote server. This archive contained additional components that were extracted from public user directories, including C:\Users\Public\ or C:\ProgramData\. The scripts involved, with names like Webcentral.vbs or system32.bat, work in concert to decode and assemble the final payload. In some variants, the final AsyncRAT payload is retrieved as an encoded file with a non-standard extension, like logs.ldk, and is reflectively loaded to avoid writing a binary file to the disk. 

To maintain persistence on the host, the AsyncRAT employs multiple techniques. If it achieves administrative privileges, it creates a scheduled task using the Windows schtasks.exe utility. These tasks are often given deceptive names such as "Reklam" or "Skype Updater" to blend in with legitimate Windows activities. Without elevated privileges, it resorts to modifying the Windows Registry, creating a new entry within HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. An alternative method involves copying a script like Startup.vbs directly into the user's Startup folder to achieve logon runtime. 

A critical step in the operational phase is the injection of the AsyncRAT payload into the memory space of a trusted system process. This technique, known as the process hollowing, is used to conceal malicious activity within a legitimate binary. Common targets for this injection include aspnet_compiler.exe and RegSvcs.exe, which are both part of the Microsoft .NET Framework. AsyncRAT employs several evasion tactics, including patching the Antimalware Scan Interface (AMSI) and disabling Event Tracing for Windows (ETW) to hinder detection and logging. It may also perform system checks for virtualized environments by querying hardware attributes through Windows Management Instrumentation (WMI). 

Following successful injection, the compromised process establishes a connection to a remote command and control server. This communication is encrypted using AES algorithms. Observed C2 infrastructure includes IP addresses such as 45[.]141.215[.]40 communicating over port 4782, and domains like 3osch20[.]duckdns.org and kozow[.]com. The trojan also contact legitimate web services like ip-api[.]com to determine the geographic location of the compromised host.