Analysis and Interdiction of Attack Campaigns: AsyncRAT

Threat hunting in public sandboxes has been, admittedly, a hobby of mine for the last two years or so. Recently, I have been looking through the geo-specific uploads that arrive in one such sandbox called Any.Run. It is no secret I am from the UK, so from time-to-time I like to check what malware is currently being sent to companies in the UK. This one caught my eye:

The file “astro-grep-setup.exe.doc” (available on Any.Run here) was not uploaded to the sandbox by me, but by some stranger from the UK (or someone potentially using a VPN server in the UK). It is 596 pages long and 1.38 MB. The attacker behind this document has used an interesting technique: macros run when the document is opened and they deliver an installer for a legitimate app called “AstroGrep” (an open source Windows grep utility), which has been packed together with a second, malicious executable containing AsyncRAT. This technique is known as using a “binder”, which puts two apps in one; see it in action on YouTube here and on GitHub here.

Using the built-in features of the sandbox we can see the process tree utilised in the RAT attack:

We can see that WINWORD.EXE drops ms.exe, which leads to two files: ASTRO-GREP.EXE (the malware) and ASTROGREP_SETUP_V4.4.7.EXE (the legitimate installer):

  • Document: astro-grep-setup.exe.doc
    • SHA256: 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
    • Abuse.ch – available here
  • Executable: ms.exe
    • SHA256: d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
    • Abuse.ch – available here
  • Executable: ASTRO-GREP.EXE
    • SHA256: 17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb
    • Abuse.ch – available here
  • Installer: astrogrep_setup_v4.4.7.exe
    • SHA256: 5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423
    • Legitimate app – VT here, Sourceforge here
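As an added example (not part of the original post), the process tree and the IoC list above can be turned into a small detection pass over process-creation telemetry. The events below are constructed in a Sysmon Event ID 1 style to mirror the sandbox tree; file paths and the WINWORD.EXE hash are hypothetical placeholders, while the three malicious SHA256 values are the ones listed above.

```python
from collections import defaultdict

# SHA256 values of the malicious files listed in the post (the legitimate
# AstroGrep installer is deliberately not on this list).
KNOWN_BAD = {
    "2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190": "astro-grep-setup.exe.doc",
    "d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c": "ms.exe",
    "17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb": "ASTRO-GREP.EXE",
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed process-creation events that mirror the sandbox tree:
# Word -> ms.exe -> RAT payload + legitimate installer. Paths are hypothetical
# and the WINWORD.EXE hash is a placeholder; the other hashes are from the post.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "sha256": "0" * 64},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\ms.exe",
     "sha256": "d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\ASTRO-GREP.EXE",
     "sha256": "17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb"},
    {"pid": 301, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\astrogrep_setup_v4.4.7.exe",
     "sha256": "5c4faebe335fee04b25b10aa2a0e580571388bde2cc09e133c72d9d01bc09423"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(events):
    """Return (rule, subject, detail) findings for three checks: hash match
    against the IoC list, an Office process spawning an .exe, and the binder
    pattern (one dropper spawning several executables, one of them a known IoC)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    findings = []
    for e in events:
        children[e["ppid"]].append(e)
        name = basename(e["image"])
        if e["sha256"] in KNOWN_BAD:
            findings.append(("known_ioc", name, KNOWN_BAD[e["sha256"]]))
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in OFFICE_APPS and name.endswith(".exe"):
            findings.append(("office_spawns_exe", basename(parent["image"]), name))
    for ppid, kids in children.items():
        if ppid in by_pid and len(kids) >= 2 and any(k["sha256"] in KNOWN_BAD for k in kids):
            findings.append(("binder_pattern", basename(by_pid[ppid]["image"]),
                             sorted(basename(k["image"]) for k in kids)))
    return findings
```

The binder rule fires on ms.exe because it spawns two executables of which one is on the IoC list, which is exactly the legitimate-installer-plus-payload pattern described above.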

Threat Cartography

If you have been reading my blog or following me on Twitter, it is no secret that one of my favourite parts of threat analysis is mapping campaigns. I like to use several platforms for this, including VirusTotal, Maltego, and draw.io, among others. Using the IOCs we gathered from the sandbox I investigated the infrastructure used by the threat actor further. Using the VirusTotal relations tab I (admittedly with the help of @Arkbird_SOLG, who beat me to it 😉) was able to locate the C&C server used to deliver the second stage payload:

The file ASTRO-GREP.EXE contained a Pastebin link, which concealed the C&C server IP address and Port used by the RAT operator. Interestingly enough, the same C&C server has been used by other payloads, indicating it is the attacker’s main staging server:

https://www.virustotal.com/graph/embed/g52dc5f726d0e429d98199a321e44576161b63b81157146ecad9e698f9a85504e

We now have a clearer picture of the scope of the campaign and additional IOCs to prevent any further attacks from this infrastructure. Although the other EXEs were not necessarily used in this attack, they are malicious and I would consider blocking them too.

Research

Further investigation into the malware samples used in this campaign revealed some more interesting features. According to VirusTotal, the file ASTRO-GREP.EXE was created on 2020-05-10, yet the document was created on 2021-07-17. It turns out the first file (the second stage payload) had been seen by VirusTotal several months earlier, when it was called Stub.exe. This could indicate that the threat actor behind these attacks has not altered the payload between campaigns, but is changing the delivery technique. This does, however, benefit defenders, as a payload that has previously been seen in the wild is much more likely to be detected by AV/EDR tools.

Also, you may have missed it, but the Pastebin link contained a username and a count of how many times it had been viewed. Using this information we can tell the threat actor is called “Serverconnector” and, at the time of finding it, the link had been visited 671 times! I submitted a takedown and Pastebin suspended it within 24 hrs:

Additional Resources: