Inside AsyncRAT: mapping the maze of malware forks
ESET Research traces how open-source AsyncRAT grew into a sprawling family of forks—and how defenders can tell them apart. While AsyncRAT’s individual features are fairly standard for a remote access trojan (RAT), its open, modular code has fueled rapid reuse, customization, and widespread abuse.
Key takeaways
- AsyncRAT’s codebase was likely influenced by Quasar RAT via shared AES and SHA cryptography classes, but it is not a direct fork.
- DcRat and VenomRAT dominate deployments, while numerous niche and novelty forks also appear in the wild.
- Simple forensic clues (Version fields, crypto salt, and client certificates) often reveal lineage; active C2 probing can help in harder cases.
- Lesser-known variants add unusual plugins, from jump-scare popups to USB worming and clipboard hijacking.
- Expect continued growth in obfuscation, modularity, and evasion; behavior-based detection is essential.
Where AsyncRAT began
Released on GitHub in 2019 by "NYAN CAT," AsyncRAT is a C# remote access trojan offering keylogging, screen capture, credential theft, and more. Its architecture—modular, plugin-ready, and easy to modify—helped it spread quickly. Code similarities in Aes256 and Sha256 classes link its roots to Quasar RAT (2015), suggesting influence rather than a straight fork. Over time, AsyncRAT added stealth and flexibility, accelerating copy-and-modify forks.
How the fork tree evolved
- DcRat: Moves to MessagePack for faster serialization, patches AMSI and ETW to evade detection, and kills security tools by name. Its rich plugin set adds webcam, mic, Discord token theft, prank tools, and even a simple AES-256 ransomware plugin. It also tweaks salts, renames variables, and uses dynamic API resolution.
- VenomRAT: Likely derived from DcRat, with a feature set substantial enough to stand alone but with a client similar to AsyncRAT.
- Joke forks (e.g., SantaRAT, BoratRAT): Comedy branding but observed in real attacks.
How analysts fingerprint forks
- Configuration fields: Many samples expose the fork name in a Version field within InitializeSettings. About 90% include meaningful identifiers.
- Crypto salt: Reused or overlooked salt values in Client.Algorithm.Aes256 can betray lineage.
- Client certificate: Base64-embedded certs often reveal CN/organization strings tied to specific forks.
- Active probing: A known handshake using a crafted packet can identify AsyncRAT servers when static clues are scrubbed.
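The three static clues above can be applied in order of reliability to a decrypted client configuration. The following Python triage routine is an added example (not ESET's tooling and not code from any AsyncRAT fork); it assumes the analyst has already recovered the Version string, the AES salt and the Base64-embedded certificate from a sample, and every salt, certificate and sample value below is constructed for illustration. The certificate check walks the DER bytes for the commonName attribute rather than relying on a full X.509 parser, which is enough to pull a CN string out of an embedded cert blob.

```python
"""Static lineage triage for AsyncRAT-family client configs (added example).

Assumes three fields have already been extracted from a sample:
  Version      -> string from InitializeSettings
  Salt         -> bytes from Client.Algorithm.Aes256
  Certificate  -> Base64 text of the embedded client certificate
All reference values here are CONSTRUCTED placeholders, not real IoCs.
"""
import base64
import binascii
import hashlib
from typing import Optional, Tuple

# Fork names that commonly surface in the Version field (names from the article).
VERSION_MARKERS = ("DcRat", "VenomRAT", "AsyncRAT", "SantaRAT", "BoratRAT",
                   "XieBroRAT", "JasonRAT", "NonEuclid")


def _h(salt: bytes) -> str:
    """SHA-256 of a salt, so a reference table can be shared without raw salts."""
    return hashlib.sha256(salt).hexdigest()


# Constructed reference salts; a real table is populated from your own corpus.
KNOWN_SALT_HASHES = {
    _h(b"constructed-salt-asyncrat"): "AsyncRAT (constructed salt)",
    _h(b"constructed-salt-dcrat"): "DcRat (constructed salt)",
}

# Constructed CN substrings per lineage; fill from observed certificates.
KNOWN_CN_MARKERS = {
    "asyncrat server": "AsyncRAT",
    "dcrat server": "DcRat",
}

CN_OID = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)


def cert_common_name(cert_b64: str) -> Optional[str]:
    """Extract the commonName from a Base64 DER blob with a minimal byte walk."""
    try:
        der = base64.b64decode(cert_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    idx = der.find(CN_OID)
    if idx < 0:
        return None
    pos = idx + len(CN_OID)
    # Expect a string tag (UTF8String 0x0C, PrintableString 0x13, IA5String 0x16)
    if pos + 2 > len(der) or der[pos] not in (0x0C, 0x13, 0x16):
        return None
    length = der[pos + 1]
    if length >= 0x80:  # long-form length is not handled by this heuristic
        return None
    value = der[pos + 2:pos + 2 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", "replace")


def classify(sample: dict) -> Tuple[str, str]:
    """Return (lineage, evidence) from Version, then salt, then certificate CN."""
    version = sample.get("Version") or ""
    for marker in VERSION_MARKERS:
        if marker.lower() in version.lower():
            return marker, f"Version field: {version!r}"
    salt = sample.get("Salt")
    if salt:
        label = KNOWN_SALT_HASHES.get(_h(salt))
        if label:
            return label, "salt hash matched reference table"
    cn = cert_common_name(sample.get("Certificate", ""))
    if cn:
        for marker, label in KNOWN_CN_MARKERS.items():
            if marker in cn.lower():
                return label, f"certificate CN: {cn!r}"
    return "unknown", "no static clue; candidate for handshake verification"


def _constructed_cert(cn: str) -> str:
    """Build a DER-like fragment carrying a CN attribute (constructed, not a valid cert)."""
    value = cn.encode()
    attr = CN_OID + b"\x0c" + bytes([len(value)]) + value
    return base64.b64encode(b"\x30\x82\x00\x00" + attr).decode()


# Constructed samples exercising each clue plus the no-clue fallthrough.
SAMPLES = [
    {"Version": "DcRat 1.0.7", "Salt": b"irrelevant", "Certificate": ""},
    {"Version": "", "Salt": b"constructed-salt-asyncrat", "Certificate": ""},
    {"Version": "", "Salt": b"unlisted", "Certificate": _constructed_cert("DcRat Server")},
    {"Version": "", "Salt": b"unlisted", "Certificate": "not base64!!"},
]


def triage(samples) -> list:
    return [classify(s) for s in samples]


if __name__ == "__main__":
    for lineage, evidence in triage(SAMPLES):
        print(f"{lineage:28} <- {evidence}")
```

Samples that fall through all three checks are the ones worth queuing for the handshake-based verification the article describes; keeping the salt table hashed lets it be shared between teams without distributing the raw salt bytes.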
Lesser-known variants worth noting
- NonEuclid RAT: Extends plugins beyond the usual set.
- Screamer.dll: Sends timed jump-scare images with a WAV sound.
- Piano.dll: Plays attacker-supplied audio files.
- Service.dll: Manages Windows services.
- Maps.dll: Collects geolocation (lat/long, username, computer name).
- WormUsb.dll: Infects PE files by replacing them with a stub that carries both the original app and an attacker payload, compressing and encrypting both with a per-file key, then restoring the original icon/metadata and adding obfuscation. Targets individual files, personal folders, or removable drives.
- Brute.dll: Client-side brute forcing for SSH and FTP; supports distributed attacks across many hosts.
- Signature Antivirus.dll: Compares MD5s of executables against attacker-supplied hashes and deletes matches—useful for removing competitor malware.
- cliper.dll: Clipboard hijacker with regex-based detection for cryptocurrency wallets and credit cards; replaces wallets with attacker-controlled addresses.
- JasonRAT: Uses renamed variables inspired by a so-called "Book of Jason," adds country targeting, and employs an extended Morse-code scheme to obfuscate selected strings.
- XieBroRAT: Chinese-localized fork with BrowserGhost.dll for browser credential theft and Abstain.dll for Cobalt Strike interaction. Ships via .NET binary, shellcode, VBS, or JavaScript; heavily borrows from open-source tools like mimikatz, SharpWifiGrabber, and SharpUnhooker.
Defensive notes and ATT&CK highlights
- Defense evasion: AMSI/ETW patching, process killing, dynamic API calls, obfuscated strings and configs.
- Credential access and collection: Browser credential theft, Discord tokens, clipboard monitoring, mic and webcam capture.
- Impact: Optional ransomware plugin encrypts files via AES-256.
Why this matters
Open-source malware lowers the barrier to entry. With LLM-assisted coding and abundant public forks, attackers can rapidly adapt, rename, and extend AsyncRAT derivatives. Expect more modular plugins, deeper anti-analysis, and broader delivery options. Countermeasures should lean on layered, behavior-based detection, certificate and config inspection, and known C2 handshake checks. IoCs for referenced samples are available via ESET’s GitHub.
Source: WeLiveSecurity