Read the Gartner® Competitive Landscape: Network Detection and Response Report
Read the Gartner® Competitive Landscape: Network Detection and Response Report
START HERE
WHY CORELIGHT
SOLUTIONS
CORELIGHT LABS
Close your ransomware case with Open NDR
SERVICES
ALLIANCES
USE CASES
Find hidden attackers with Open NDR
Corelight announces cloud enrichment for AWS, GCP, and Azure
Corelight's partner program
10 Considerations for Implementing an XDR Strategy
March 20, 2024 by Corelight Labs Team
All code discussed in this blog can be pulled from https://github.com/corelight/zeek-asyncrat-detector
Malware often hides communications with its command and control (C2) server over HTTPS. The encryption in HTTPS usually conceals the compromise long enough for the malware to accomplish its goal. This makes detecting malware that uses HTTPS challenging, but once in a while, you will catch a break, as in the case here with AsyncRAT, a Windows remote access tool that has been deployed over the past year to target organizations that manage critical infrastructure in the United States.1
Any.run is a malware sandbox with PCAPs freely available to the public. Any.run also hosts a Malware Trends list of malware families, sorted by the number of samples submitted to their sandbox: https://any.run/malware-trends/
In late February 2024, Corelight Labs saw AsyncRAT trending at #4. We started analyzing the PCAPs of several AsyncRAT samples pulled from: https://app.any.run/submissions/
This is the PCAP used in the samples we examined below.
https://app.any.run/tasks/cd010953-5faf-4054-86be-58c020c3a532/
This is the source code we discuss below:
https://github.com/qwqdanchun/DcRat/blob/30ca53b068b4ab7a2542835f7456abd26e1a0ed4/Server/Helper/CreateCertificate.cs#L32
Using the x509.log, which captures detailed information about certificates on the network, we noticed the malware’s C2 server often uses a default SSL certificate, literally identifying itself as an AsyncRAT malware C2 server:
% zeek -Cr ../cd010953-5faf-4054-86be-58c020c3a532.pcap
% cat x509.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path x509
#open 2024-02-28-09-28-58
#fields ts fingerprint certificate.version
certificate.serial certificate.subject certificate.issuer
certificate.not_valid_before certificate.not_valid_after
certificate.key_alg certificate.sig_alg certificate.key_type
certificate.key_length certificate.exponent certificate.curve
san.dns san.uri san.email san.ip basic_constraints.ca
basic_constraints.path_len host_cert client_cert
#types time string count string string string time
time string string string count string string
vector[string] vector[string] vector[string] vector[addr] bool
count bool bool
1709051041.209262
ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb 3
AF33699C1167E7D458970B1C601367 CN=AsyncRAT Server >CN=AsyncRAT Server 1589323520.000000
2.53402318799e+11 rsaEncryption
sha512WithRSAEncryption rsa 4096
65537 - - - - - T - T F
#close 2024-02-28-09-28-58
By analyzing several samples on Any.run and the source code linked above, we found the following four strings associated with the default SSL certificates for AsyncRAT’s C2 server:
Armed with this information, we can detect AsyncRAT infections where the C2 server used a default SSL certificate despite the rest of the C2 data encrypted over HTTPS.
If you are a Zeek user, the fastest way to see if you have been a victim of AsyncRAT is to search your historical Zeek logs for the strings listed above. If you have plain Zeek TSV formatted logs in the directory /data/logs, you could run the following command to see potential matches:
find /data/logs/ -name "x509*.gz" -exec zcat {} \; |
zeek-cut -d | egrep -i "(((async|dc)rat|SXN) Server)|(DcRat By)" |
tee ~/asyncrat-x509.log
Once you find a match in the x509 logs, you can match the x509 certificate fingerprint to the fingerprints listed in the SSL logs to find the connection specifics. In the example PCAP above, we saw the fingerprint is ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb
so we can search for this in the ssl.log like so:
% grep ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb ssl.log
1709051041.039950 CQQNTZ3oMRL59MNff8 192.168.100.124 49207 181.131.218.39
4041 TLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp384r1 - F - - T
CsxknGIi ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb
(empty) -
The log above tells us that the connection was 192.168.100.124:49207 ⟹ 181.131.218.39:4041
If you store your logs in a SIEM, we have a solution for that too, which we highlight in the next section. Not sure what Zeek is? Visit our website for more information about Zeek metadata and how its components help support Corelight’s network evidence.
If you have your logs in a SIEM like Crowdstrike’s LogScale, you can perform the same historical log search with this query:
#path=x509 and (
certificate.issuer = /(((async|dc)rat|SXN) Server)|(DcRat By)/i or
certificate.subject = /(((async|dc)rat|SXN) Server)|(DcRat By)/i
)
The following screenshot shows the Zeek logs identified by this SIEM query:
Next, let’s develop a way for Zeek to notify us in real-time or on a PCAP.
We can detect AsyncRAT in real time on our network using code like this:
The code handles the ssl_established
event. You can find the regular expression used to match the SSL certificate issuer or subject in line 9:
# Where the magic happens.global asyncrat_re = /(((async|dc)rat|SXN) Server)|(DcRat By)/i;
If this regular expression is found in the SSL certificate issuer (line 20) or the subject (line 26), Zeek will generate the appropriate notice on line 34. Putting this all together and running on our example PCAP generates the following notice.log:
% zeek -Cr ../cd010953-5faf-4054-86be-58c020c3a532.pcap asyncrat-detector
% cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2024-02-28-11-29-50
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1709051041.876652 CARpScJK4jju1Cnb2 192.168.100.124 49207 181.131.218.39 4041 - - - tcp AsyncRAT::C2_Traffic_Observed Potential AsyncRAT C2 discovered via a default SSL certificate. Cert Fingerprints: [ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb] Issuer: CN=AsyncRAT Server 192.168.100.124 181.131.218.39 4041 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2024-02-28-11-29-50
You can see that the magic regular expression was discovered in the SSL certificate’s issuer for this PCAP.
You can detect this malware family using Suricata signatures, too! Here are two signatures we created using similar logic to the Zeek code above:
## AsyncRAT
#
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT AsyncRAT
Style TLS Certificate"; flow:established,to_client; tls.cert_issuer;
content:"RAT Server"; nocase; endswith; tls.cert_subject; content:"Rat";
nocase; reference:url,any.run/malware-trends/asyncrat;
classtype:trojan-activity; sid:3000065; rev:1;)
# to catch variants like:
# "subject": "CN=VenomRAT",
# "issuerdn": "CN=MONEY, OU=qwqdanchun, O=VenomRAT By qwqdanchun,
L=SH, C=CN",
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT AsyncRAT
Variant Style TLS Certificate"; flow:established,to_client;
tls.cert_issuer; content:"By|20|qwqdanchun";
reference:url,any.run/malware-trends/asyncrat; reference:url,github.com/qwqdanchun/DcRat/blob/30ca53b068b4ab7a2542835f7456abd26e1a0ed4/Server/Helper/CreateCertificate.cs#L32;
classtype:trojan-activity; sid:3000066; rev:1;)
This rule detects the string “By qwqdanchun”
observed in sample traffic and RAT source code.
# QuasarRat
# CN=SXN Server CA
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT QuasarRAT
TLS Certificate"; flow:established,to_client; tls.cert_issuer;
content:"CN=SXN|20|Server|20|CA"; bsize:16; tls.cert_subject;
content:"CN=SXN|20|Server|20|CA"; bsize:16;
reference:url,app.any.run/tasks/9596cf60-0da6-47a7-a375-1f25ae32d843/;
classtype:trojan-activity; sid:3000067; rev:1;)
As above, we are using certificate artifacts observed in samples to alert on C2 traffic. This particular sample was identified by Any.run as QuasarRAT.
The example of AsyncRAT shows that all is not lost when malware uses HTTPS to communicate with its C2 server. In some cases, as we saw here, a default SSL certificate is used, and this server literally announces itself as a component of the AsyncRAT malware framework. Be sure to head to https://github.com/corelight/zeek-asyncrat-detector to get the detection code we released with this blog!
We also recommend checking out Corelight’s C2 Collection, which covers known C2 toolkits and MITRE ATT&CK® C2 techniques and is based on Zeek metadata, for more than 50 unique insights and detections that illuminate command and control activity and help defenders find novel attacks.
Tagged With: malware, malware detection, featured, asyncRAT