
Reborn in Rust: Attempt to thwart malware analysis

Severity: Medium
Published: Mon May 26 2025 (05/26/2025, 12:59:01 UTC)
Source: AlienVault OTX General

Description

AsyncRAT, a remote access trojan known since 2019, has been rewritten in Rust, a shift from its original C# implementation. The change is intended to complicate reverse engineering: the .NET build decompiles to near-source with standard tooling, while the Rust build is native code with far less analysis-tool support. The malware retains its core functionality, including plugin installation, code execution, and persistence. It installs via a scheduled task or by copying itself to a temporary directory, stores plugins in the registry, and communicates with command and control servers over TLS. The Rust variant supports fewer commands than its .NET counterpart, suggesting ongoing development. It collects system information, including a hardware ID, OS details, and installed antivirus software. Debug strings in the samples also point to active development of the Rust version.

AI-Powered Analysis

Last updated: 06/25/2025, 15:31:41 UTC

Technical Analysis

AsyncRAT is a remote access trojan (RAT) active since 2019 and originally implemented in C#. The samples covered by this pulse are a rewrite of AsyncRAT in Rust. The move is intended to slow reverse engineering: a .NET build can be decompiled back to readable C# with tools such as dnSpy or ILSpy, whereas a Rust build is native code with monomorphized generics, aggressive inlining and stripped or mangled symbols, and analysis tooling for it is far less mature. Despite the language change, the Rust variant retains the core functionality: plugin installation, arbitrary code execution, and persistence. Persistence is achieved by creating a scheduled task or by copying the binary into a temporary directory. Plugins are stored in the Windows registry, so capabilities can be extended without dropping additional files to disk. Command and control (C2) traffic runs over TLS, which hides command content from network inspection. The Rust variant currently supports fewer commands than the .NET version, which indicates it is still under development and may grow. It collects system information (a hardware identifier, operating system details, and the presence of antivirus software) for victim reconnaissance and for tailoring follow-on activity. Debug strings left in the samples confirm ongoing development. The indicators of compromise are the sample hashes listed below (an MD5, a SHA-1 and a SHA-256) and the C2 domains backup-tlscom.sytes.net, magic-telecom.ddns.net and mohsar.ddns.net; all three are dynamic DNS hostnames. No confirmed in-the-wild campaigns using the Rust variant are reported in the pulse, and the threat is assessed at medium severity given its evolving state and its capacity for stealthy persistence and remote control.

Potential Impact

For European organizations, AsyncRAT rewritten in Rust is a nuanced threat. Rust complicates traditional malware analysis and detection, which can let infections persist undetected for longer. Signatures written against the .NET build (its IL, metadata, and class and method names) will not match a native Rust binary, so endpoint detection and response (EDR) coverage that depends on them loses efficacy. The ability to install plugins and execute arbitrary code means attackers can customize payloads for espionage, data exfiltration, or lateral movement within networks. The collected system and antivirus information lets attackers identify high-value targets and adapt to the security controls present. TLS-wrapped C2 further hinders network-based detection. No widespread exploitation is reported at present, but the active development suggests the threat could escalate. European critical infrastructure operators, government agencies, and enterprises holding sensitive intellectual property are plausible targets of attacks using this RAT. The medium severity rating reflects the currently limited command set and the absence of reported campaigns, but underscores the need for vigilance as the malware evolves.

Mitigation Recommendations

To mitigate the Rust variant of AsyncRAT, European organizations should implement targeted measures beyond generic best practice:

1. Extend endpoint monitoring with behavioral rules for the persistence and plugin mechanisms described above: scheduled-task creation whose action runs a binary from a temporary directory, binaries executing from temporary directories, and unusually large or binary registry values written by unsigned or temp-resident processes.
2. Load the published IOCs (the file hashes and C2 domains) into EDR, DNS and proxy blocklists, and hunt historically for them. Because all three domains are dynamic DNS hostnames (sytes.net and ddns.net), alerting on resolution of dynamic DNS providers in general catches re-registered hostnames that a static IOC list will miss.
3. Do not rely on .NET-specific signatures; use detection content that works on native binaries (behavioral and memory-based detection, Rust-aware tooling where available) and confirm that it fires on the published samples.
4. Monitor TLS traffic for anomalies such as new or rare destinations and long-lived sessions from user endpoints, and use TLS interception where legally permissible, scoped to comply with local privacy law.
5. Enforce application allow-listing (for example AppLocker or Windows Defender Application Control) so that unknown binaries cannot execute from temporary and other user-writable directories.
6. Audit scheduled tasks and registry locations regularly and keep a baseline, so that unauthorized entries stand out.
7. Run threat-hunting exercises on the identified domains and hashes and on the behaviors above.
8. Keep asset inventories current so that each host's hardware and OS details are known; this lets analysts scope quickly which systems a captured victim profile corresponds to once an infection is confirmed.
9. Participate in information-sharing organizations (national CERTs, sector ISACs) to receive updates on AsyncRAT's capabilities and on new detection techniques.
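As an added example (not code from G DATA, AlienVault or this page), the following Python turns the behaviours in the Technical Analysis and recommendations 1 and 2 above into hunting rules and runs them over constructed EDR-style telemetry. The IOC values are the ones published in this pulse; the per-event field names, the temp-directory pattern, the 64 KiB registry-value threshold, the registry key in the sample and every sample event are assumptions, to be mapped onto your own EDR or Sysmon schema.

```python
"""Hunting rules for the AsyncRAT-in-Rust behaviours described on this page.

Added example. The IOC values are the ones published in this pulse; the
telemetry schema (one dict per event), the temp-directory pattern, the
registry value-size threshold and all sample events are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hashes and C2 domains from the Indicators of Compromise table on this page.
IOC_HASHES = {
    "6e30074c693574294be7ed2aea600afe",                                  # MD5
    "7914e60dda14160299423bcdf6d01a473387d2e0",                          # SHA-1
    "eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459",  # SHA-256
}
IOC_DOMAINS = {"backup-tlscom.sytes.net", "magic-telecom.ddns.net", "mohsar.ddns.net"}

# Assumptions to tune per estate: what counts as a temp directory, and how big a
# registry value must be before it looks like a stored plugin rather than a setting.
TEMP_PATH_RE = re.compile(r"\\(?:Temp|tmp)\\", re.IGNORECASE)
LARGE_REG_VALUE_BYTES = 64 * 1024
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
TASK_ACTION_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?=\s+/|\s*$)', re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    detail: str


def _hash_match(ev: dict) -> bool:
    return any(ev.get(k, "").lower() in IOC_HASHES for k in ("md5", "sha1", "sha256"))


def _domain_match(query: str) -> bool:
    # Exact match or a subdomain of a listed C2 host; never a lookalike suffix.
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def check_event(ev: dict) -> list[Alert]:
    """Return every alert a single telemetry event triggers."""
    alerts: list[Alert] = []
    kind = ev.get("type")
    image = ev.get("image", "")

    if kind == "process":
        if _hash_match(ev):
            alerts.append(Alert("ioc_hash", f"{image} matches a published AsyncRAT sample hash"))
        cmdline = ev.get("cmdline", "")
        if SCHTASKS_CREATE_RE.search(cmdline):
            action = TASK_ACTION_RE.search(cmdline)
            # Persistence: a scheduled task whose action runs a binary out of a temp directory.
            if action and TEMP_PATH_RE.search(action.group(1)):
                alerts.append(Alert("schtask_temp_action", f"task action {action.group(1)!r}"))
        # Copy-to-temp persistence firing: a temp-resident binary started by the
        # service host that runs the Task Scheduler service (svchost.exe).
        if TEMP_PATH_RE.search(image) and ev.get("parent", "").lower().endswith("\\svchost.exe"):
            alerts.append(Alert("temp_image_from_scheduler", f"{image} launched by {ev['parent']}"))

    elif kind == "dns" and _domain_match(ev.get("query", "")):
        alerts.append(Alert("ioc_domain", f"{image} resolved C2 domain {ev['query']}"))

    elif kind == "registry":
        # Plugins stored in the registry: a large value written by a temp-resident process.
        if ev.get("value_size", 0) >= LARGE_REG_VALUE_BYTES and TEMP_PATH_RE.search(image):
            alerts.append(Alert("large_registry_blob", f"{ev['value_size']} bytes written to {ev['key']}"))

    return alerts


def hunt(events: list[dict]) -> list[Alert]:
    return [a for ev in events for a in check_event(ev)]


# Constructed sample telemetry: four events from one infected host, then two benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\winsvc.exe",
     "cmdline": r'schtasks /create /tn "WinSvcUpdate" /tr "C:\Users\bob\AppData\Local\Temp\winsvc.exe" /sc onlogon /f'},
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\winsvc.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\winsvc.exe",
     "sha256": "eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459"},
    {"type": "dns", "image": r"C:\Users\bob\AppData\Local\Temp\winsvc.exe", "query": "magic-telecom.ddns.net"},
    {"type": "registry", "image": r"C:\Users\bob\AppData\Local\Temp\winsvc.exe",
     "key": r"HKCU\Software\WinSvc\plugin0", "value_size": 196608},   # key name is made up
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'schtasks /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe" /sc daily'},
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.example.org"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

The IOC rules are the cheap, brittle part: once the operator re-registers a hostname or rebuilds the binary they stop matching, which is why the three behavioral rules (task action in a temp path, temp-resident process under the scheduler host, large registry write by such a process) carry the real coverage. Tune the temp pattern and size threshold against a week of your own telemetry before alerting on them.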


Technical Details

Author
AlienVault
TLP
white
References
https://www.gdatasoftware.com/blog/2025/05/38207-asyncrat-rust
https://feeds.feedblitz.com/~/918988475/0/gdatasecurityblog-en~Reborn-in-Rust-AsyncRAT-makes-a-move-to-counter-analysis
https://www.gdatasoftware.com/fileadmin/_processed_/3/d/G_DATA_Blog_AsyncRAT_Rust_Title_1ec19f22af.jpg (title image)
Adversary
AsyncRAT
Pulse Id
68346595ae982472dd23e2a0

Indicators of Compromise

Hash

Type     Value
MD5      6e30074c693574294be7ed2aea600afe
SHA-1    7914e60dda14160299423bcdf6d01a473387d2e0
SHA-256  eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459

Domain

Type     Value
domain   backup-tlscom.sytes.net
domain   magic-telecom.ddns.net
domain   mohsar.ddns.net

Threat ID: 6834841a0acd01a249288700

Added to database: 5/26/2025, 3:09:14 PM

Last enriched: 6/25/2025, 3:31:41 PM

Last updated: 8/15/2025, 5:35:17 AM

Views: 55
