AsyncRAT seeds family of more than 30 remote access trojans

AsyncRAT, the most prevalent remote access trojan observed in the wild, has spawned more than 30 forks and variants that increase the impact of the open-source malware, making it a popular and sometimes disguised tool of choice for cybercriminals, ESET researchers said in a report released Tuesday. 

The open source remote access tool, which was first released on GitHub in 2019, shows up consistently in cyberattacks, most commonly distributed through spam campaigns, phishing and malicious ads, but also via exploited software vulnerabilities in more targeted operations, Nikola Knežević, malware researcher at ESET, told CyberScoop.

“Over the past year alone, we have detected activity consistent with tens of thousands of unique infected machines associated with AsyncRAT and its variants,” Knežević said.

AsyncRAT itself remains the most widely deployed, but several forks have also been distributed at scale, accounting for a significant share of the attacks linked to this tree of remote access trojans. ESET telemetry determined DcRat is the most widely distributed fork, accounting for 24% of unique sample infections, followed by VenomRAT at 8%.

“Of all the forks we’ve come across, we believe VenomRAT to be one of the more concerning ones, largely due to its enhanced stealth, plethora of plugins and offensive capabilities,” Knežević said. “Unlike its simpler cousin, DcRat, VenomRAT integrates many of its features directly into the client, reducing reliance on external modules and making it more self-contained. It is also frequently bundled with phishing kits and deployed in multi-stage attacks.”

ESET identified multiple forks of AsyncRAT in its report, noting that some clones whose authors publicly acknowledged them as jokes have nonetheless been observed in the wild.

“The uniqueness of AsyncRAT or its variants doesn’t lie in any single technical feature, but rather the sheer scale and fluidity of its evolution. Unlike other open-source modular remote access trojans, AsyncRAT has spawned an unusually large number of forks, ranging from serious threats like VenomRAT and DcRat to novelty variants like SantaRAT,” Knežević said.

AsyncRAT includes common remote access trojan functionalities, including keylogging, screen capturing and credential theft, but additional capabilities have popped up in various forks over time. 

“This diversity makes it more challenging to maintain consistent detection rules, as each fork may introduce altered configuration layouts, add new layers of obfuscation, or completely revamp the original codebase,” Knežević said.

Some forks, such as VenomRAT, may appear to be standalone malware because of the many features they contain, but they are all part of the same malware family, according to ESET. Defenders can usually identify a fork by the malware's configuration settings and values.

“They share a common lineage and exhibit overlapping traits, such as similar configuration structures, encryption routines, and plugin architectures, which make them relatively easy to classify,” Knežević said. “Recognizing these shared characteristics is crucial for defenders, as it allows for more effective detection and attribution, even when the malware has been heavily obfuscated or superficially rebranded.”
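The classification approach described in the two paragraphs above, shared configuration structure as a lineage signal, can be illustrated with a small structural fingerprinting routine. The following is an added example, not code from ESET or from the article, and the configuration field names, reference profiles and sample configs in it are constructed placeholders rather than AsyncRAT's real configuration layout. It compares the set of field names recovered from an extracted configuration against reference profiles (Jaccard overlap), assigns the sample to the closest profile above a threshold, and groups the reference profiles themselves into lineages so that forks of one family cluster together while unrelated malware does not.

```python
"""Structural fingerprinting of extracted RAT configurations.

Added illustration (not ESET's or the article's code). All field names,
profile names and values below are constructed for the example; they are
not the real configuration layout of AsyncRAT or any of its forks.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed reference profiles: the set of configuration field names each
# hypothetical family or fork is known to emit after config extraction.
REFERENCE_PROFILES: Dict[str, FrozenSet[str]] = {
    "family-A": frozenset(
        {"hosts", "ports", "version", "install", "mutex", "key", "plugins"}
    ),
    # A fork that keeps the parent's layout and adds one field.
    "family-A-fork-1": frozenset(
        {"hosts", "ports", "version", "install", "mutex", "key", "plugins", "anti_vm"}
    ),
    # An unrelated family with a completely different layout.
    "unrelated": frozenset({"c2_url", "sleep_ms", "uid"}),
}


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set-overlap similarity in [0, 1]; 1.0 means identical field sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def classify(
    config: Dict[str, str],
    profiles: Dict[str, FrozenSet[str]] = REFERENCE_PROFILES,
    threshold: float = 0.6,
) -> Tuple[str, float]:
    """Return (closest profile name, similarity), or ("unknown", score) below threshold.

    Only field names are compared: values such as C2 hosts or keys change
    per campaign, while the layout is inherited from the fork's lineage.
    """
    keys = frozenset(config)
    name, score = max(
        ((n, jaccard(keys, p)) for n, p in profiles.items()), key=lambda t: t[1]
    )
    if score < threshold:
        return "unknown", score
    return name, score


def lineage_groups(
    profiles: Dict[str, FrozenSet[str]] = REFERENCE_PROFILES, threshold: float = 0.6
) -> List[Set[str]]:
    """Single-link grouping: profiles whose layouts overlap above the threshold share a lineage."""
    names = list(profiles)
    parent = {n: n for n in names}  # union-find over profile names

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1 :]:
            if jaccard(profiles[a], profiles[b]) >= threshold:
                parent[find(a)] = find(b)

    groups: Dict[str, Set[str]] = {}
    for n in names:
        groups.setdefault(find(n), set()).add(n)
    return sorted(groups.values(), key=lambda g: sorted(g))


if __name__ == "__main__":
    # Constructed sample: looks like fork-1's layout plus one custom field.
    sample = {
        "hosts": "example.invalid", "ports": "4444", "version": "1.0",
        "install": "true", "mutex": "placeholder", "key": "placeholder",
        "plugins": "", "anti_vm": "true", "custom_flag": "1",
    }
    print(classify(sample))          # ('family-A-fork-1', 0.888...)
    print(classify({"foo": "bar"}))  # ('unknown', 0.0)
    print(lineage_groups())          # [{'family-A', 'family-A-fork-1'}, {'unrelated'}]
```

The threshold is the tuning knob a defender would adjust from telemetry: too low and unrelated families merge, too high and a fork that renames a few fields drops to "unknown". Comparing field names rather than values keeps the fingerprint stable across campaigns, which is the property the quoted paragraph relies on.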

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.

