10/10/2024

Malware by the (Bit)Bucket: Unveiling AsyncRAT

Unveiling AsyncRAT Malware

Recently, we uncovered a sophisticated attack campaign employing a multi-stage approach to deliver AsyncRAT via a legitimate platform called Bitbucket.

An analysis by Lovely Antonio & Lance Go 

We wanted to learn how Bitbucket is exploited to download the payload. Several layers of base64 were used to hide the code from plain sight. After peeling back those layers we wer able to uncover the full story and key indicators of compromise (IOCs) we found while analyzing the AsyncRAT payload delivery. 

Using Bitbucket as a Malware Repository

A three-stage process diagram showing the execution of a malware payload. Stage 1 involves a VBScript obfuscation layer running "DEMANDA LABORAL.VBS" that triggers a PowerShell script. Stage 2 downloads and decodes a .NET file, checks for flags, and executes additional scripts, eventually downloading and running the AsyncRAT malware in Stage 3.
Execution sequence of AsyncRAT deployment (click to enlarge)

Attackers have turned to Bitbucket, a popular code hosting platform, to host their malicious payloads. Some examples of malware utilizing bitbucket includes Predator stealer, Azorult stealer and STOP ransomware. This approach presents several advantages for the attackers: 

  • Legitimacy: Bitbucket is a widely used platform for legitimate software development and collaboration, making it less likely to raise suspicion among security solutions. 

  • Accessibility: Bitbucket public repositories allow attackers to easily share and distribute their payloads to a wide audience. 

AsyncRAT exploits various attack vectors, including phishing emails with malicious attachments [1], drive-by downloads from compromised websites, and exploit kits targeting software vulnerabilities.  

 

Stage 1: The VBScript Obfuscation Layer

A sample named “01 DEMANDA LABORAL.vbs”[1] was submitted to our sample submission platform for analysis.  The VBS file upon initial inspection shows what appears to be gibberish (see figure 2). Upon closer inspection, a hidden code can be found within the file (see figure 3). 

The script is designed to obfuscate and execute a PowerShell command. It utilizes string manipulation, Base64 encoding, and powershell -command execution to achieve its goal. The code reveals that a variable “QpWJ” (seen in figure 3) is encoded in Base64 together with a simple character replace.  

Figure 2: File submitted named 01 DEMANDA LABORAL.vbs (click to enlarge)
Figure 3: Removed padding reveals VBScript. (click to enlarge)

Stage 2: PowerShell: The Payload Delivery Mechanism

The VBScript constructs and executes a PowerShell command, effectively transitioning the attack to the next stage. The decoded PowerShell command provides a clearer picture of the malicious activity (see figures 4 and 5).

Figure 4: Decoding “QpWJ” using Cyberchef (click to enlarge)
Figure 5: Decoded PowerShell script (click to enlarge)
Figure 6: Virustotal of Bitbucket repository of dllhope.txt (click to enlarge)

The code (figure 5) downloads a file named dllhope.txt[2] from a Bitbucket repository. It is also worth noting that VirusTotal marked the URLs used by the script to be associated with AsyncRAT (see figure 6). 

Opening the ClassLibrary3.dll [3] file in DNSpy reveals the code and the method “ZxKHG” together with the six parameters needed. The passed arguments can be found in the initial script [1]. 

The method parameters are as follows: 

  • _5 is a URL to fetch data from the reversed URL 
  •  'txt[.]pes4oivne/sdaolnwod/sds/cfrrpiaj/gro[.[tekcubtib//[:spxxh' 
  • (‘hxxps://bitbucket[.]org/jaiprrfc/sds/downloads/envio4sep[.]txt’) 
  • eMozMBl holds the full path of the VBScript file 
  • PdjLvfa is used for naming and creating shortcuts 
  • UmZbL contains the value '1', likely indicating a configuration setting or feature flag. 
  • MbmvK was not used by the method at the time of analysis 
  • RMMYL was not used by the method at the time of analysis 

The code section highlighted in Figure 8 is reflectively loaded using [system.AppDomain]::CurrentDomain.Load. This technique allows for in-memory execution, bypassing traditional security mechanisms that use pattern scanning on files. The ClassLibrary3.dll[3] reveals the core functionality of the attack, including persistence mechanisms and the execution of the downloaded payload - AsyncRAT. A flag parameter, UmZbL, dictates how the code will proceed. 

Figure 7. dllhope.txt - Base64-encoded downloaded from Bitbucket
Figure 7: dBase64-decoded dllhope.txt known as ClassLibrary3.dll

Decoding dllhope.txt[2] (see figure 7) reveals a .NET compiled file named as ClassLibrary3.dll[3] (see figures 8 and 9). 

Figure 8. ClassLibrary3 viewed in DNSpy

Anti-VM Check

If the flag parameter contains “4”: The code checks for the presence of virtualization tools like VMware or VirtualBox. If any of these processes are running, the method returns immediately, likely to avoid analysis in a sandboxed environment. 

Anti-virtualization check (click to enlarge)

Persistence Mechanisms:

If the flag parameter contains “1”, the code will attempt to establish persistence using two mechanisms: Registry Run Key and Startup Folder Shortcut. A script named “xx1.ps1” creates an entry in “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” for persistence while the other script named “xx2.vbs” runs the payload via a hidden PowerShell window. ClassLibrary3.dll[3] creates a shortcut in the Startup folder named PdjLvfa.lnk that points to powershell.exe with arguments to execute itself[1] in a hidden window. This provides an additional layer of persistence. 

Try to establish persistence using Registry Run Key (click to enlarge)
Trying to establish persistence using Startup Folder Shortcut

Payload Download and Execution:

The code downloads another payload from a URL that is constructed by reversing and decoding a string. The AsyncRAT download location is indicated at the end of the PowerShell script (seen in Figure 5): hxxps[:]//bitbucket[.]org/jaiprrfc/sds/downloads/envio4sep[.]txt.

Downloading AsyncRat payload

The downloaded payload is then Base64-decoded and loaded into the AppDomain. A method named WwQTZc within the SuLOYU.MXuuJb class of the loaded payload is invoked. This performs process hollowing to RegSvcs.exe to execute AsyncRAT payload. 

Stage 3: AsyncRAT Payload

AsyncRAT, first appearing in 2013, is an open-source Remote Access Trojan (RAT) written in C#. While initially presented as a remote administration tool, it quickly gained notoriety among cybercriminals for its powerful capabilities and ease of use. 

AsyncRAT provides attackers with extensive control over infected machines, enabling them to perform a wide range of malicious activities: 

  • Remote Desktop Control: View and control the victim's screen in real-time 
  • File Management: Browse, upload, download, and modify files 
  • Keylogging: Capture keystrokes 
  • Webcam and Microphone Access: Remotely activate the victim's webcam and microphone 
  • Process Management: View and terminate running processes 
  • Command Execution: Execute arbitrary commands 

MITRE ATT&CK TTPs

Tactic 

Technique 

ID 

Execution 

Command and Scripting Interpreter: Windows Command Shell 

T1059.003 

Execution 

Command and Scripting Interpreter: PowerShell 

T1059.001 

Persistence 

Boot Autostart Execution: Registry Run Keys / Startup Folder 

T1547 

Defense Evasion 

Obfuscated Files or Information 

T1027 

Defense Evasion 

Masquerading 

T1036 

Defense Evasion 

Deobfuscate/Decode Files or Information 

T1140 

Defense Evasion 

Process Injection 

T1055 

Defense Evasion 

Virtualization/Sandbox Evasion 

T1497 

Impact 

Remote Access Software 

T1219 

Collection 

Input Capture: Keylogging 

T1056.001 

Collection 

Screen Capture 

T1113 

Exfiltration 

Exfiltration Over C2 Channel 

T1041 

Credential Access 

Credential Dumping 

T1003 

Lateral Movement 

Remote Services: Remote Desktop Protocol 

T1021.001 

Impact 

Data Encrypted for Impact 

T148 

IOCs

 

SHA256 

Filename 

8fb6471b01c1d8122548d184ce5bceefae4df4ef0f1d1bb5c67b276c258e9125 

01 DEMANDA LABORAL.vbs 

E0d40dbc6be121cf62f222295ab1e01b5ce741d37d6c4b53f3beacb38a66e8e8 

dllhope.txt 

Ab3d8588b58152994d299fa57842798f3071cb0f550b37f1db8b42d56f8580f2 

ClassLibrary3.dll 

C929354d7972f2595d805507f8896609a7b7aae74566aef9a0a5cb16f36e4fe2 

enviosaaa.txt 

1826b8379fdfdcd53dec782fb390ed1f5e97ee7ed3b099e8c3eb5b040a992553 

Stub.exe 

 

URLS 

hXXps[:]//bitbucket.org/jaiprrfc/sds/downloads/envio4sep.txt 

hXXps[:]//bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt 

hXXps[:]//firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/Pe/PeHope.txt?alt=media&token=7fe13398-6aa2-43e8-992c-35095e035362 

References

[1] https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ 

[2] https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection 

To Blog
Share Article
G DATA Security Lab

G DATA Security Lab

Virus-Analyst Team

Share Article