Hunt of the Month: Detecting AsyncRAT Malware Over HTTPS

All code discussed in this blog can be pulled from https://github.com/corelight/zeek-asyncrat-detector

Malware often hides communications with its command and control (C2) server over HTTPS. The encryption in HTTPS usually conceals the compromise long enough for the malware to accomplish its goal. This makes detecting malware that uses HTTPS challenging, but once in a while, you will catch a break, as in the case here with AsyncRAT, a Windows remote access tool that has been deployed over the past year to target organizations that manage critical infrastructure in the United States.¹

Background

Any.run is a malware sandbox with PCAPs freely available to the public. Any.run also hosts a Malware Trends list of malware families, sorted by the number of samples submitted to their sandbox: https://any.run/malware-trends/

In late February 2024, Corelight Labs saw AsyncRAT trending at #4. We started analyzing the PCAPs of several AsyncRAT samples pulled from: https://app.any.run/submissions/

This is the PCAP used in the samples we examined below.
https://app.any.run/tasks/cd010953-5faf-4054-86be-58c020c3a532/

• https://app.any.run/tasks/5aaf01c1-5ac9-4962-94a7-bea2d886df78/
• https://app.any.run/tasks/30a385ed-171e-4f15-ac3f-08c96be7bfd1/
• https://app.any.run/tasks/dca4bf0b-580f-4b4f-8308-359448e5fbb6/

This is the source code we discuss below:
https://github.com/qwqdanchun/DcRat/blob/30ca53b068b4ab7a2542835f7456abd26e1a0ed4/Server/Helper/CreateCertificate.cs#L32

Using the x509.log, which captures detailed information about certificates on the network, we noticed the malware’s C2 server often uses a default SSL certificate, literally identifying itself as an AsyncRAT malware C2 server:

 % zeek -Cr ../cd010953-5faf-4054-86be-58c020c3a532.pcap
  
  % cat x509.log
  #separator \x09
  #set_separator	,
  #empty_field	(empty)
  #unset_field	-
  #path	x509
  #open	2024-02-28-09-28-58
  #fields	ts	fingerprint	certificate.version	
  certificate.serial	certificate.subject	certificate.issuer	
  certificate.not_valid_before	certificate.not_valid_after	
  certificate.key_alg	certificate.sig_alg	certificate.key_type	
  certificate.key_length	certificate.exponent	certificate.curve	
  san.dns	san.uri	san.email	san.ip	basic_constraints.ca	
  basic_constraints.path_len	host_cert	client_cert
  #types	time	string	count	string	string	string	time	
  time	string	string	string	count	string	string	
  vector[string]	vector[string]	vector[string]	vector[addr]	bool	
  count	bool	bool
  1709051041.209262	
  ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb	3	
  AF33699C1167E7D458970B1C601367 CN=AsyncRAT Server >CN=AsyncRAT Server 1589323520.000000	
  2.53402318799e+11	rsaEncryption	
  sha512WithRSAEncryption	rsa	4096	
  65537	-	-	-	-	-	T	-	T	F
  #close	2024-02-28-09-28-58

By analyzing several samples on Any.run and the source code linked above, we found the following four strings associated with the default SSL certificates for AsyncRAT’s C2 server:

• “AsyncRAT Server”
• https://app.any.run/tasks/cd010953-5faf-4054-86be-58c020c3a532/
• “DcRat Server”
• https://app.any.run/tasks/30a385ed-171e-4f15-ac3f-08c96be7bfd1/
• “DcRat By”
• https://github.com/qwqdanchun/DcRat/blob/30ca53b068b4ab7a2542835f7456abd26e1a0ed4/Server/Helper/CreateCertificate.cs#L32
• “SXN Server”
• https://app.any.run/tasks/9596cf60-0da6-47a7-a375-1f25ae32d843/

Armed with this information, we can detect AsyncRAT infections where the C2 server used a default SSL certificate despite the rest of the C2 data encrypted over HTTPS.

Historical Plain-Text Log Searches

If you are a Zeek user, the fastest way to see if you have been a victim of AsyncRAT is to search your historical Zeek logs for the strings listed above. If you have plain Zeek TSV formatted logs in the directory /data/logs, you could run the following command to see potential matches:

find /data/logs/ -name "x509*.gz" -exec zcat {} \; | 
  zeek-cut -d | egrep -i "(((async|dc)rat|SXN) Server)|(DcRat By)" | 
  tee ~/asyncrat-x509.log

Once you find a match in the x509 logs, you can match the x509 certificate fingerprint to the fingerprints listed in the SSL logs to find the connection specifics. In the example PCAP above, we saw the fingerprint is
ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb
so we can search for this in the ssl.log like so:

 % grep ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb ssl.log

  1709051041.039950	CQQNTZ3oMRL59MNff8	192.168.100.124	49207	181.131.218.39	
  4041	TLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp384r1	-	F	-	-	T	
  CsxknGIi	ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb	
  (empty)	- 

The log above tells us that the connection was 192.168.100.124:49207 ⟹ 181.131.218.39:4041

If you store your logs in a SIEM, we have a solution for that too, which we highlight in the next section. Not sure what Zeek is? Visit our website for more information about Zeek metadata and how its components help support Corelight’s network evidence.

SIEM Searches

If you have your logs in a SIEM like Crowdstrike’s LogScale, you can perform the same historical log search with this query:

#path=x509 and (
  certificate.issuer = /(((async|dc)rat|SXN) Server)|(DcRat By)/i or
  certificate.subject = /(((async|dc)rat|SXN) Server)|(DcRat By)/i
  )

The following screenshot shows the Zeek logs identified by this SIEM query:

Next, let’s develop a way for Zeek to notify us in real-time or on a PCAP.

Zeek Code

We can detect AsyncRAT in real time on our network using code like this:

The code handles the ssl_established event. You can find the regular expression used to match the SSL certificate issuer or subject in line 9:

# Where the magic happens.
global asyncrat_re = /(((async|dc)rat|SXN) Server)|(DcRat By)/i;

If this regular expression is found in the SSL certificate issuer (line 20) or the subject (line 26), Zeek will generate the appropriate notice on line 34. Putting this all together and running on our example PCAP generates the following notice.log:

% zeek -Cr ../cd010953-5faf-4054-86be-58c020c3a532.pcap asyncrat-detector

% cat notice.log

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2024-02-28-11-29-50
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
1709051041.876652	CARpScJK4jju1Cnb2	192.168.100.124	49207	181.131.218.39	4041	-	-	-	tcp	AsyncRAT::C2_Traffic_Observed	Potential AsyncRAT C2 discovered via a default SSL certificate.	Cert Fingerprints: [ce772ec37d88351f43e6350c6c2b9777c9a7855f2a55184fba784e5e7df9e3eb] Issuer: CN=AsyncRAT Server	192.168.100.124	181.131.218.39	4041	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
#close	2024-02-28-11-29-50

You can see that the magic regular expression was discovered in the SSL certificate’s issuer for this PCAP.

Suricata Rules

You can detect this malware family using Suricata signatures, too! Here are two signatures we created using similar logic to the Zeek code above:

 ## AsyncRAT
  #
  alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT AsyncRAT 
  Style TLS Certificate"; flow:established,to_client; tls.cert_issuer; 
  content:"RAT Server"; nocase; endswith; tls.cert_subject; content:"Rat"; 
  nocase; reference:url,any.run/malware-trends/asyncrat; 
  classtype:trojan-activity; sid:3000065; rev:1;)
  
  # to catch variants like:
  #   "subject": "CN=VenomRAT",
  #   "issuerdn": "CN=MONEY, OU=qwqdanchun, O=VenomRAT By qwqdanchun, 
  L=SH, C=CN",
  alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT AsyncRAT 
  Variant Style TLS Certificate"; flow:established,to_client; 
  tls.cert_issuer; content:"By|20|qwqdanchun"; 
  reference:url,any.run/malware-trends/asyncrat; reference:url,github.com/qwqdanchun/DcRat/blob/30ca53b068b4ab7a2542835f7456abd26e1a0ed4/Server/Helper/CreateCertificate.cs#L32; 
  classtype:trojan-activity; sid:3000066; rev:1;) 

This rule detects the string “By qwqdanchun” observed in sample traffic and RAT source code.

 # QuasarRat
  # CN=SXN Server CA
  alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"CORELIGHT QuasarRAT 
  TLS Certificate"; flow:established,to_client; tls.cert_issuer; 
  content:"CN=SXN|20|Server|20|CA"; bsize:16; tls.cert_subject; 
  content:"CN=SXN|20|Server|20|CA"; bsize:16; 
  reference:url,app.any.run/tasks/9596cf60-0da6-47a7-a375-1f25ae32d843/; 
  classtype:trojan-activity; sid:3000067; rev:1;)

As above, we are using certificate artifacts observed in samples to alert on C2 traffic. This particular sample was identified by Any.run as QuasarRAT.

Conclusion

The example of AsyncRAT shows that all is not lost when malware uses HTTPS to communicate with its C2 server. In some cases, as we saw here, a default SSL certificate is used, and this server literally announces itself as a component of the AsyncRAT malware framework. Be sure to head to https://github.com/corelight/zeek-asyncrat-detector to get the detection code we released with this blog!

We also recommend checking out Corelight’s C2 Collection, which covers known C2 toolkits and MITRE ATT&CK® C2 techniques and is based on Zeek metadata, for more than 50 unique insights and detections that illuminate command and control activity and help defenders find novel attacks.