Reborn in Rust: Attempt to thwart malware analysis
AsyncRAT, a remote access trojan known since 2019, has been rewritten in Rust, a shift from its original C# implementation. The change is aimed at complicating reverse engineering: the .NET original decompiles almost back to source, whereas a Rust build is a native binary with a statically linked runtime and mangled symbols, for which analysis tooling is far less mature. The malware retains its core functionality, including plugin installation, code execution, and persistence. It installs itself either via a scheduled task or by copying itself to a temporary directory, stores plugins in the registry, and communicates with its command and control servers over TLS. The Rust variant supports fewer commands than the .NET version, suggesting ongoing development. It collects system information including a hardware ID, OS details, and the presence of antivirus software. Debug strings left in the samples also indicate that this Rust version is under active development.
AI Analysis
Technical Summary
AsyncRAT is a remote access trojan (RAT) that has been active since 2019 and was originally implemented in C#. The recent development is a rewrite of AsyncRAT in Rust. The transition is intended to complicate reverse engineering and malware analysis: a .NET assembly carries type metadata and IL that decompilers such as ILSpy or dnSpy turn back into near-source C#, while a Rust binary is native code with the standard library statically linked, heavy inlining and monomorphization, and mangled symbols, so decompiler output is much harder to read and dedicated tooling is still immature. Despite the language shift, the Rust variant retains core functionality such as plugin installation, arbitrary code execution, and persistence. It installs itself either by registering a scheduled task or by copying itself into a temporary directory. Plugins are stored in the Windows registry, which allows capabilities to be extended without writing additional files to disk. Communication with the command and control (C2) servers is carried over TLS, which hides the content of the channel from network inspection; connection metadata such as the destination domain, IP and TLS handshake characteristics remains visible. The Rust variant currently supports fewer commands than its .NET predecessor, indicating that it is still under development and may gain capabilities over time. The malware collects host information, including a hardware identifier, operating system details, and the presence of antivirus software, which lets the operator profile the victim environment and tailor follow-on activity. Debug strings found in the samples confirm ongoing development. Indicators of compromise (IOCs) consist of three file hashes and three C2 domains, backup-tlscom.sytes.net, magic-telecom.ddns.net, and mohsar.ddns.net; all three domains belong to the No-IP dynamic DNS service. The source does not describe a delivery campaign or any exploited vulnerability, and the threat is assessed at medium severity given its evolving state and its potential for stealthy persistence and remote control.
Potential Impact
For European organizations, the emergence of AsyncRAT rewritten in Rust presents a nuanced threat. The use of Rust slows static analysis and may let infections go undetected for longer. Signatures and rules written against the .NET builds of AsyncRAT (managed-code artefacts, .NET-specific strings, AMSI-visible behaviour) will not fire on a native Rust binary, so organizations whose coverage of this family relies on such signatures can expect reduced detection efficacy; behaviour-based detections for the unchanged persistence, registry and C2 patterns still apply. The RAT's ability to install plugins and execute arbitrary code means attackers can customize payloads for espionage, data exfiltration, or lateral movement within networks. The collection of system and antivirus information lets attackers identify high-value targets and adapt to the security controls present. The use of TLS for C2 communications further hinders content-based network detection. While no widespread campaign is currently reported, the active development status suggests the threat could escalate. European critical infrastructure operators, government agencies, and enterprises holding sensitive intellectual property are plausible targets for attacks leveraging this RAT. The medium severity rating reflects the currently limited command set and the absence of a reported campaign, but underscores the need for vigilance as the malware evolves.
Mitigation Recommendations
To mitigate the threat posed by the Rust variant of AsyncRAT, European organizations should implement targeted measures beyond generic best practice. First, extend endpoint monitoring with behavioural rules for scheduled-task creation that points at a binary in a user-writable location (Windows Security event 4698, Sysmon event 1 for the process itself) and for unusual registry writes, in particular large string or binary values written under a user hive, which is how this variant stores its plugins. Ingest the IOCs above (file hashes and C2 domains) into EDR and DNS or proxy blocklists, and, because all three domains sit under No-IP dynamic DNS zones (sytes.net, ddns.net), consider alerting on any resolution of dynamic DNS providers from hosts that have no business reason to use them. For the TLS C2 channel, rely first on what stays visible without decryption: the destination domain and IP, TLS SNI, certificate details and beaconing periodicity; use TLS interception only where it is legally and contractually permissible. Implement application control (for example AppLocker or WDAC policies) that denies execution from temporary and AppData directories. Regularly audit scheduled tasks and registry keys for unauthorized entries, and run threat-hunting sweeps for the identified domains and hashes across endpoint and DNS telemetry. Treat the RAT's host-profiling step (hardware ID, OS version, installed antivirus) as a discovery behaviour: where telemetry records queries for installed security products by a process running from a temporary directory, flag it. Finally, participate in information-sharing communities (national CERTs, sector ISACs) to stay informed about updates to AsyncRAT's capabilities and emerging detection techniques.
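The behaviours described in the technical analysis (scheduled-task persistence, plugins stored in the registry, execution from a temporary directory, C2 via dynamic DNS domains) map directly onto the hunting steps above. The following script is an added example, not code from G DATA, AlienVault or OffSeq, that encodes those hunts as rules over Windows telemetry and runs them against constructed sample events. It assumes Sysmon field names for events 1, 13 and 22 and the Windows Security 4698 task-creation event; the sample events, the registry path, the task name and the base64 plugin blob in them are constructed for illustration and are not observed AsyncRAT artefacts, and the assumption that plugins appear as long base64 string values is an illustrative guess (Sysmon logs REG_BINARY values only as "Binary Data").

```python
"""Hunting rules for the AsyncRAT behaviours described on this page, run over
constructed log records. Added example; not G DATA's, AlienVault's or OffSeq's
code. Field names follow Sysmon (EID 1, 13, 22) and Windows Security event 4698.
The sample events, registry path, task name and payload blob are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# IOCs from this page. Digest type is inferred from hex length:
# 32 = MD5, 40 = SHA-1, 64 = SHA-256.
IOC_HASHES = {
    "6e30074c693574294be7ed2aea600afe",
    "7914e60dda14160299423bcdf6d01a473387d2e0",
    "eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459",
}
IOC_DOMAINS = {"backup-tlscom.sytes.net", "magic-telecom.ddns.net", "mohsar.ddns.net"}

# User-writable drop locations (assumption: %TEMP% and AppData subtrees).
USER_WRITABLE_RE = re.compile(r"\\(?:temp|tmp|appdata)\\", re.IGNORECASE)
# Registry string value that looks like a base64 payload of at least 512 chars
# (assumed plugin storage format; tune the length to your environment).
B64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{512,}={0,2}$")


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: Optional[str]  # ATT&CK ID where one clearly applies
    detail: str


def parse_sysmon_hashes(hashes: str) -> set[str]:
    """Sysmon 'Hashes' field ('SHA1=..,MD5=..,SHA256=..') -> lowercase digests."""
    return {p.split("=", 1)[1].lower() for p in hashes.split(",") if "=" in p}


def evaluate(ev: dict) -> list[Alert]:
    """Apply every rule to one event; returns zero or more alerts."""
    alerts: list[Alert] = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon: process creation
        image = ev.get("Image", "")
        if parse_sysmon_hashes(ev.get("Hashes", "")) & IOC_HASHES:
            alerts.append(Alert("ioc_hash_match", None, f"known sample executed: {image}"))
        if USER_WRITABLE_RE.search(image):
            alerts.append(Alert("exec_from_user_writable_dir", None, image))
    elif eid == 4698:  # Security: scheduled task created; TaskContent is the task XML
        m = re.search(r"<Command>([^<]*)</Command>", ev.get("TaskContent", ""))
        cmd = m.group(1) if m else ""
        if USER_WRITABLE_RE.search(cmd):
            alerts.append(Alert("task_runs_user_writable_binary", "T1053.005",
                                f"{ev.get('TaskName')} -> {cmd}"))
    elif eid == 13:  # Sysmon: registry value set
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if target.startswith("HKU\\") and B64_BLOB_RE.match(details):
            alerts.append(Alert("registry_payload_blob", "T1112",
                                f"{target} ({len(details)} chars)"))
    elif eid == 22:  # Sysmon: DNS query; sytes.net/ddns.net are No-IP dynamic DNS zones
        name = ev.get("QueryName", "").lower().rstrip(".")
        if name in IOC_DOMAINS:
            alerts.append(Alert("ioc_c2_domain", "T1568", f"{ev.get('Image')} resolved {name}"))
    return alerts


def hunt(events: list[dict]) -> list[Alert]:
    """Run all rules over a batch of events, preserving event order."""
    return [a for ev in events for a in evaluate(ev)]


# Constructed sample telemetry (not real AsyncRAT logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "Hashes": "SHA1=7914E60DDA14160299423BCDF6D01A473387D2E0,MD5=6E30074C693574294BE7ED2AEA600AFE"},
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": r"<Task><Actions><Exec><Command>C:\Users\alice\AppData\Local\Temp\svchost32.exe</Command></Exec></Actions></Task>"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Example\plugin0",
     "Details": "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA" * 20},
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "QueryName": "magic-telecom.ddns.net"},
    # benign noise that must not alert
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "example.org"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.technique or '-'}: {a.detail}")
```

Against the constructed batch the four malicious events each raise an alert (the first raises two, hash match plus execution from a temporary directory) and the two benign events raise none. In production the same rules would be expressed as Sigma or EDR queries; the point of the script is that none of them depend on the implementation language of the sample, which is what makes them robust to the C#-to-Rust rewrite.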
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- hash (MD5): 6e30074c693574294be7ed2aea600afe
- hash (SHA-1): 7914e60dda14160299423bcdf6d01a473387d2e0
- hash (SHA-256): eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459
- domain: backup-tlscom.sytes.net
- domain: magic-telecom.ddns.net
- domain: mohsar.ddns.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.gdatasoftware.com/blog/2025/05/38207-asyncrat-rust ; https://feeds.feedblitz.com/~/918988475/0/gdatasecurityblog-en~Reborn-in-Rust-AsyncRAT-makes-a-move-to-counter-analysis
- Adversary: AsyncRAT
- Pulse Id: 68346595ae982472dd23e2a0
Threat ID: 6834841a0acd01a249288700
Added to database: 5/26/2025, 3:09:14 PM
Last enriched: 6/25/2025, 3:31:41 PM
Last updated: 8/12/2025, 7:38:39 PM