
LevelBlue's analysis also highlighted AsyncRAT's AES-256-encrypted configuration file, which contained instructions to connect to a DuckDNS-based command-and-control (C2) server. C2 communication used a custom packet format over TCP, a method typically chosen for flexibility and stealth.
AsyncRAT gives operators access to powerful features: keystroke logging, browser credential theft, clipboard monitoring and system monitoring. LevelBlue published a list of indicators of compromise (IOCs) for defenders to add to their scanners. Additional standard best practices include blocking the malicious domains, hunting for PowerShell one-liners and in-memory .NET reflective loads, monitoring for AMSI/ETW tampering, and alerting on suspicious scheduled task creation.
Threat actors are increasingly turning to rapid fileless intrusions, drawn by their stealthy execution and reliable results. Earlier this year, attackers were observed using a similar technique, a malicious VBScript phishing lure that ultimately delivered the popular Remcos RAT in memory on infected machines.
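The hunting recommendations above translate naturally into a small triage pass over process-creation and network telemetry. The following is an added example written for this article, not code from LevelBlue or from the report; it runs a handful of pattern rules (encoded PowerShell one-liners, in-memory .NET reflective loads, AMSI/ETW tampering strings, scheduled task creation, and DuckDNS destinations) over constructed sample events. The event field names, the hostnames and the command lines are all invented for illustration, and real IOCs from the report should be loaded from its published list rather than hard-coded here.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real events from the LevelBlue report).
# Each record mimics a flattened process-creation or network-connect log entry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIABbAHMAdAB1AGIAXQA="},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoP -c "[System.Reflection.Assembly]::Load($b)"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 1 /tn Updater /tr C:\Users\Public\u.vbs"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "scriptblock": "... patch EtwEventWrite ... AmsiScanBuffer ..."},
    {"image": r"C:\Users\Public\svc.exe",
     "dest_host": "placeholder-host.duckdns.org", "dest_port": "4449"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Detection rules, loosely modelled on the public hunting guidance in the article.
# Each rule is applied to the concatenated field values of an event.
RULES: Dict[str, re.Pattern] = {
    # PowerShell launched with an encoded command (-e / -enc / -EncodedCommand)
    "encoded_powershell_oneliner":
        re.compile(r"powershell(\.exe)?\s.*-e(nc|ncodedcommand)?\s", re.I),
    # .NET assembly loaded directly from memory rather than from disk
    "reflective_dotnet_load":
        re.compile(r"\[System\.Reflection\.Assembly\]::Load\(|Assembly\.Load\(", re.I),
    # References to the AMSI/ETW entry points that tampering scripts touch
    "amsi_etw_tampering":
        re.compile(r"AmsiScanBuffer|EtwEventWrite", re.I),
    # Persistence via a newly created scheduled task
    "scheduled_task_creation":
        re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    # Outbound connection to a DuckDNS dynamic-DNS host, as used by the C2 in the report
    "duckdns_destination":
        re.compile(r"\.duckdns\.org\b", re.I),
}


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules that fire on a single event."""
    text = " ".join(str(v) for v in event.values())
    return [name for name, rx in RULES.items() if rx.search(text)]


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of every flagged event to the rules it triggered.

    Events that match no rule are omitted so the result is a worklist
    for an analyst rather than a full dump of the telemetry.
    """
    findings: Dict[int, List[str]] = {}
    for idx, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            findings[idx] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        image = SAMPLE_EVENTS[idx].get("image", "?")
        print(f"event {idx}: {image} -> {', '.join(hits)}")
```

The rules are deliberately narrow string matches so they are cheap to run over large volumes of Sysmon or EDR output; in production they would be paired with the report's published IOC list and with context such as parent process and user, since a legitimate administrator can also create scheduled tasks or use encoded commands.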

