
Analyzing AsyncRAT Distributed in Colombia

A sample of AsyncRAT, a piece of malware used by the APT-C-36 cybercriminal group, has been analysed by Jose Luis Sánchez Martínez.

Analysis Highlights

- The malware is a Dynamic Link Library (DLL) that provides remote access to the victim's system.

- It has been detected in Colombia, among other regions.

- It is mainly used to steal sensitive data and can be activated remotely by an SMS trigger.

What is AsyncRAT?

AsyncRAT is an advanced RAT with capabilities for backdooring and stealing data from a compromised system, as well as keylogging and taking screenshots at any time. This malware has been seen in use by the APT-C-36 cybercriminal group, who are believed to be based in Colombia.

According to the researcher, it takes advantage of functions already present in Windows, including LoadLibrary and GetProcAddress.

It also includes a keylogger, which records all of the user's keystrokes and sends them over HTTP in clear text format. The data is encrypted when being transferred.

The malware also has a module for taking screenshots at any time, which implements its screenshot function using ShellExecuteExW(). This function lets the attacker capture windows beyond those directly involved in their own operation.

The malware can run anti-debugging (A/D) code to hinder its detection by security software, and it also includes a module for remote access. It also has a 'low-level shell' that allows an attacker to access remote systems.

It has not been observed in use in malware campaigns before. It is not yet clear how widely it is used, but it is known that the APT-C-36 group tends to steal financial data as well as other personal information from Colombia.

Source: Analyzing AsyncRAT distributed in Colombia - AlienVault - Open Threat Exchange
