LevelBlue’s analysis also uncovered AsyncRAT’s encrypted configuration, secured with AES-256, which contained instructions to connect back to a DuckDNS-based command and control (C2) server. C2 traffic used a custom packet format over TCP, a choice that gives operators flexibility and helps the traffic evade protocol-aware inspection.
AsyncRAT grants operators access to powerful features: keystroke logging, browser credential theft, clipboard monitoring, and system surveillance. LevelBlue published a list of indicators of compromise (IoCs) for defenders to load into their detection tooling. Beyond the IoCs, general defensive measures include blocking the malicious domains, hunting for suspicious PowerShell one-liners and in-memory .NET reflective loads, and monitoring for AMSI/ETW tampering and suspicious scheduled-task creation.
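The hunting items listed above can be turned into a small triage script. The following is an added example, not LevelBlue's tooling or anything published with the report: it assumes events have already been exported from Sysmon Event ID 1 (process creation, `CommandLine` field) and PowerShell Event ID 4104 (script block logging, `ScriptBlockText` field) into a list of dicts, runs generic regex rules for encoded or hidden PowerShell, `[Reflection.Assembly]::Load` calls, AMSI and ETW tampering strings, and scheduled-task creation, and tiers each hit by a weighted score so a lone `-NoProfile` from an admin script lands at "low" while an AMSI patch or a reflective load is "high" on its own. The sample events are constructed for the demo.

```python
"""Triage exported Windows events for fileless-RAT tradecraft.

Added example, not LevelBlue's code. Input shape is an assumption: a list of
dicts with "id", "source" and either "CommandLine" (Sysmon/1) or
"ScriptBlockText" (PowerShell/4104). All sample events are constructed.
"""
import re
from typing import Dict, List

# (rule name, weight, compiled pattern). Weights are an assumption used for
# tiering: 3 = suspicious on its own, 2 = needs context, 1 = weak on its own.
RULES = [
    ("encoded_powershell", 2,
     re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_bypass_powershell", 1,
     re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass"
                r"|executionpolicy\s+bypass)\b", re.I)),
    ("reflective_net_load", 3,
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I)),
    ("amsi_tamper", 3,
     re.compile(r"amsiInitFailed|AmsiScanBuffer|AmsiUtils|amsi\.dll", re.I)),
    ("etw_tamper", 3,
     re.compile(r"EtwEventWrite|EtwEventRegister|Set-EtwTraceProvider", re.I)),
    ("scheduled_task_create", 2,
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b|\b(?:Register|New)-ScheduledTask\b", re.I)),
]

# Constructed sample export: four attacker-style records, one benign admin
# command, one admin script launch that trips a weak rule, one encoded launch.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "source": "Sysmon/1", "CommandLine":
        "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": "2", "source": "PowerShell/4104", "ScriptBlockText":
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"id": "3", "source": "PowerShell/4104", "ScriptBlockText":
        "$b=[Convert]::FromBase64String($p);"
        "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"},
    {"id": "4", "source": "Sysmon/1", "CommandLine":
        'schtasks.exe /create /sc minute /mo 5 /tn "WinUpdate" '
        '/tr "powershell -w hidden -File C:\\Users\\Public\\u.ps1"'},
    {"id": "5", "source": "PowerShell/4104", "ScriptBlockText":
        "Get-ChildItem -Path C:\\Logs -Filter *.log | Measure-Object"},
    {"id": "6", "source": "Sysmon/1", "CommandLine":
        "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"id": "7", "source": "Sysmon/1", "CommandLine":
        "powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAaABpACIA"},
]


def text_of(event: Dict[str, str]) -> str:
    """Pick whichever command/script field the record carries."""
    return event.get("CommandLine") or event.get("ScriptBlockText") or ""


def match_rules(text: str) -> List[str]:
    """Return the names of every rule whose pattern hits the text."""
    return [name for name, _weight, rx in RULES if rx.search(text)]


def severity(score: int) -> str:
    """Tier a summed rule weight: 3+ high, 2 medium, 1 low, 0 none."""
    if score >= 3:
        return "high"
    if score == 2:
        return "medium"
    return "low" if score == 1 else "none"


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score each event and return only those with at least one rule hit."""
    weights = {name: w for name, w, _rx in RULES}
    findings = []
    for ev in events:
        hits = match_rules(text_of(ev))
        if not hits:
            continue
        score = sum(weights[h] for h in hits)
        findings.append({"id": ev["id"], "source": ev["source"],
                         "rules": hits, "severity": severity(score)})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['source']:<16} event {f['id']}: {', '.join(f['rules'])}")
```

Event 6 is the deliberate false positive: an unsigned backup script launched with `-NoProfile -ExecutionPolicy Bypass` is common in real estates, so it scores "low" and only becomes interesting if it also shows a reflective load, an AMSI/ETW string, or a scheduled task that recreates it. Tune the weights and add allow-lists for known admin paths before running this over production exports.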
Threat actors are increasingly favoring fileless intrusions, drawn by their quiet execution and reliable results. Earlier this year, attackers were observed using a similar technique: a phishing campaign delivered a malicious VBScript that ultimately loaded the popular Remcos RAT in memory on victim machines.