S1087 AsyncRAT
AsyncRAT is an open-source remote access tool originally available through the NYANxCAT GitHub repository that has been used in malicious campaigns.[2][3][1]
| Item | Value |
|---|---|
| ID | S1087 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 20 September 2023 |
| Last Modified | 10 October 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1622 | Debugger Evasion | AsyncRAT can use the CheckRemoteDebuggerPresent function to detect the presence of a debugger.[1] |
| enterprise | T1568 | Dynamic Resolution | AsyncRAT can be configured to use dynamic DNS.[4] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | AsyncRAT can hide the execution of scheduled tasks using ProcessWindowStyle.Hidden.[1] |
| enterprise | T1105 | Ingress Tool Transfer | AsyncRAT has the ability to download files over SFTP.[4] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | AsyncRAT can capture keystrokes on the victim’s machine.[4] |
| enterprise | T1680 | Local Storage Discovery | AsyncRAT can check the disk size through the values obtained with DeviceInfo.[1] |
| enterprise | T1106 | Native API | AsyncRAT has the ability to use OS APIs including CheckRemoteDebuggerPresent.[1] |
| enterprise | T1057 | Process Discovery | AsyncRAT can examine running processes to determine if a debugger is present.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | AsyncRAT can create a scheduled task to maintain persistence on system start-up.[1] |
| enterprise | T1113 | Screen Capture | AsyncRAT has the ability to view the screen on compromised hosts.[4] |
| enterprise | T1033 | System Owner/User Discovery | AsyncRAT can check if the current user of a compromised system is an administrator.[1] |
| enterprise | T1125 | Video Capture | AsyncRAT can record screen content on targeted systems.[4] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | AsyncRAT can identify strings such as Virtual, vmware, or VirtualBox to detect virtualized environments.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1018 | TA2541 | [5][2][3][1] |
References
1. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
2. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
3. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
4. Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023.
5. Larson, S. and Wise, J. (2022, February 15). Charting TA2541’s Flight. Retrieved September 12, 2023.