AsyncRAT New Forks Uncovered With New Features Ranging From Screamer to a USB Malware Spreader

A comprehensive analysis of AsyncRAT’s expanding ecosystem, revealing a labyrinthine network of malware variants that have evolved far beyond the original remote access trojan’s capabilities. 

The open-source nature of AsyncRAT, first released on GitHub in 2019, has spawned numerous sophisticated forks that incorporate enhanced evasion techniques, novel plugins, and specialized attack vectors that pose significant threats to cybersecurity worldwide.

Key Takeaways
1. AsyncRAT's open-source nature spawned numerous forks, with DcRat and VenomRAT dominating malware campaigns through enhanced modularity and stealth capabilities.
2. Leading variants use AMSI/ETW patching, MessagePack serialization, and antiprocess systems to evade detection and terminate security tools like Taskmgr.exe.
3. Exotic plugins include Screamer.dll (jump scares), WormUsb.dll (USB malware spreading), and cliper.dll (cryptocurrency wallet hijacking).
4. Open-source accessibility lowers cybercrime barriers, requiring proactive behavioral analysis to counter rapidly evolving threat variants.

Advanced Threats of DcRat and VenomRAT

ESET researchers identified DcRat and VenomRAT as the most prevalent AsyncRAT derivatives, collectively accounting for the majority of malware campaigns observed in the wild. 

DcRat represents a significant evolution from the original AsyncRAT framework, implementing advanced evasion techniques, including AMSI and ETW patching, which disable the Windows scanning and tracing interfaces that security products rely on to detect and log malicious behavior.

The variant utilizes MessagePack for efficient binary data serialization and features an antiprocess system that terminates security tools like Taskmgr.exe, ProcessHacker.exe, and MsMpEng.exe.

VenomRAT, likely inspired by DcRat, has been packed with extensive features that researchers consider almost a separate threat entirely. 

Figure: Extended fork hierarchy list

The malware variants can be identified through configuration analysis, where the Version field typically contains meaningful descriptions of the fork’s name or malware author’s pseudonym. 

Alternative identification methods include examining Salt values used for AES-256 encryption and analyzing embedded certificates that authenticate command-and-control servers.
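The salt-based identification step above, as an added example that is not code from the article or from ESET. It assumes the AES-256 layout of AsyncRAT's public Aes256 class (PBKDF2-HMAC-SHA1 with 50,000 iterations yielding a 32-byte AES key followed by a 64-byte HMAC-SHA256 key, and an encrypted blob laid out as HMAC || IV || ciphertext); the fork names, salts and master key are constructed samples, not real indicators.

```python
import hashlib
import hmac
import os

# Parameters of the AsyncRAT-family Aes256 scheme (assumption of this example):
# PBKDF2-HMAC-SHA1, 50,000 iterations, 32-byte AES key then 64-byte HMAC key.
# Encrypted strings are HMAC-SHA256(32) || IV(16) || AES-CBC ciphertext.
ITERATIONS = 50_000
KEY_LEN, AUTH_KEY_LEN, HMAC_LEN, IV_LEN = 32, 64, 32, 16

# Constructed sample salts standing in for per-fork values (not real indicators).
CANDIDATE_SALTS = {
    "SampleForkA": b"SampleSaltForkA",
    "SampleForkB": b"SampleSaltForkB",
}


def derive_keys(master_key: bytes, salt: bytes) -> tuple:
    """Return (aes_key, auth_key) as two successive GetBytes() calls would."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key, salt, ITERATIONS,
                                 dklen=KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def hmac_verifies(blob: bytes, master_key: bytes, salt: bytes) -> bool:
    """Check the leading HMAC over IV||ciphertext; no decryption needed."""
    if len(blob) < HMAC_LEN + IV_LEN:
        return False
    _, auth_key = derive_keys(master_key, salt)
    expected = hmac.new(auth_key, blob[HMAC_LEN:], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob[:HMAC_LEN])


def identify_fork_by_salt(blob: bytes, master_key: bytes, candidates=CANDIDATE_SALTS):
    """Return the name of the candidate whose salt authenticates the blob, else None."""
    for name, salt in candidates.items():
        if hmac_verifies(blob, master_key, salt):
            return name
    return None


def build_sample_blob(master_key: bytes, salt: bytes, ciphertext: bytes, iv: bytes = b"") -> bytes:
    """Construct a blob in the same layout for testing (ciphertext is opaque here)."""
    iv = iv or os.urandom(IV_LEN)
    _, auth_key = derive_keys(master_key, salt)
    body = iv + ciphertext
    return hmac.new(auth_key, body, hashlib.sha256).digest() + body


if __name__ == "__main__":
    mk = b"constructed-master-key"
    sample = build_sample_blob(mk, CANDIDATE_SALTS["SampleForkB"], b"\x00" * 32)
    print(identify_fork_by_salt(sample, mk))
```

Because the HMAC key is derived from the salt, a blob authenticates under exactly one candidate, so the analyst can attribute the sample to a fork before decrypting anything.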

Specialized Plugins With Novel Attack Capabilities

Lesser-known forks like NonEuclid RAT have introduced specialized plugins that extend AsyncRAT’s functionality beyond conventional remote access capabilities. 

The Screamer.dll plugin serves as a jump scare tool with five built-in images and WAV file support, while Piano.dll functions as a generic audio player storing files in %appdata%\Piano.

More concerning is the WormUsb.dll plugin, which infects PE files with arbitrary payloads in multiple locations, including personal folders and external drives.

The cliper.dll plugin represents a sophisticated cryptocurrency theft mechanism that monitors clipboard content and replaces detected wallet addresses with attacker-controlled alternatives. 

JasonRAT employs obscure variable-naming conventions reminiscent of “satanic” terms and utilizes extended Morse code for string obfuscation, while XieBroRAT features Chinese localization and integrates tools like mimikatz and SharpWifiGrabber.

The spread of AsyncRAT forks highlights the inherent risks of open-source malware frameworks, which significantly lower the barrier to entry for aspiring cybercriminals. 

The expanding threat landscape demands proactive detection strategies and deeper behavioral analysis to effectively address emerging variants that may incorporate more advanced obfuscation, modularity, and evasion capabilities.
