Detecting AsyncRAT Malware C2 With Zeek And Suricata

Please join the “Old Grizzled FBI Agent” to hear how you can detect the AsyncRAT malware family with Suricata and Zeek!

Corelight blog: https://corelight.com/blog/newsroom/news/hunt-of-the-month-detecting-async-rat-malware

Zeek: https://zeek.org/ Source code: https://github.com/corelight/zeek-asyncrat-detector

Transcript:

00:00:00:10 – 00:00:31:31
Grizzled FBI Agent
Hello. I’m your obligatory grizzled FBI agent. Never mind this gun and binoculars I have in my hand. These are just for my, and your, protection. Listen, I’m here to talk to you about a very serious subject: AsyncRAT. AsyncRAT is a malware family, and it uses HTTPS, which is encrypted to communicate with its command and control servers.

00:00:31:36 – 00:00:59:59
Grizzled FBI Agent
Now, usually that makes it very hard to detect, but there are some fine folks over at a company named Corelight that make a network sensor, and they have figured out how to detect this AsyncRAT. Let me show you how they did it. From now on, I’m going to be saying we. And you may wonder why. Well, I’m that close with the folks over at Corelight, and they invited me over to check out what they were doing.

00:00:59:59 – 00:01:33:01
Grizzled FBI Agent
So let me show you what they did. Okay. So the first thing that we did is we went to an online malware sandbox service called any dot run, and we found several samples of AsyncRAT there. Then, we downloaded the PCAPs, which are files of the network traffic when these malware samples were executed there. So we studied these PCAPs and we figured out, and I hope you bought a hat and you’re holding on,

00:01:33:06 – 00:01:59:04
Grizzled FBI Agent
AsyncRAT will announce itself when it communicates over HTTPS. Sounds pretty unbelievable, doesn’t it? Well, let me show you how it does this. The folks over at Corelight, they help maintain an open source project named Zeek. And I’ll put a link in the description here so you can go to that if you want to check it out. Zeek is an application to analyze your network data.

00:01:59:08 – 00:02:28:53
Grizzled FBI Agent
So you can write scripts in Zeek to detect things like AsyncRAT. Now when you run this PCAP through Zeek you’re going to get a log called the X509 dot log. And this is the log that describes the SSL certificates that go across that HTTPS encrypted connection that I talked about earlier. Now I don’t mean to brag, but I am friends with one of the people on Corelight Labs.

00:02:28:58 – 00:03:01:37
Grizzled FBI Agent
So he was telling me that when they discovered this, it about knocked them over. Look at this. You see this string over here? This AsyncRAT malware literally announces itself in the SSL certificates. And we can see that in Zeek’s X509 dot log. And immediately you should be asking me, hey, grizzled FBI agent, why does this malware announce itself?

00:03:01:41 – 00:03:38:07
Grizzled FBI Agent
Well, it’s because this malware is actually open source, meaning that anybody can go out there and grab the source code of this malware. And typically what people will do is they will compile this malware into an executable that runs on a computer, but they won’t change these default certificates that announce the malware as AsyncRAT. You would think this didn’t happen at all in practice, but my buddy over in Corelight Labs said he ran this detector on several customer networks and found hits. Lots of hits.

00:03:38:12 – 00:04:12:05
Grizzled FBI Agent
It’s important to note that when you detect AsyncRAT in this method, you’re going to be able to detect other variants that were based on AsyncRAT. There’s other variants out there named DCRat or SXN and Corelight notes this in their blog. Now my buddy over at Corelight also told me that even if I’m just running Zeek and I have historical logs, I can run commands like these and search my historical logs for any instances of the AsyncRAT server.

00:04:12:10 – 00:04:33:37
Grizzled FBI Agent
And you notice in this line that the signature is a little more complicated than just looking for AsyncRAT because we’re also looking for the variants like DC Rat and SXN. If you’re one of the fortunate people that keep your logs indexed, Corelight gives you some SIEM searches as well. So let’s get right down to it, shall we?

00:04:33:42 – 00:04:57:43
Grizzled FBI Agent
This is the Zeek code that Corelight released. Now it might look like a lot of code, but there’s really only two things you need to know out of this. The first is they’re looking at the SSL establish event. So they’re handling any of the HTTPS connections that we talked about earlier. The second is this is the regular expression that they’re looking for in the server certificate.

00:04:57:47 – 00:05:26:27
Grizzled FBI Agent
You can see all the AsyncRAT, DC and SXN markings that we talked about earlier. Lastly, when this regular expression is found in the SSL certificate, a notice will be generated. So you can go to your notice dot log and look at the line there. And it will tell you all about the AsyncRAT detection. If you’re not able to run Zeek and you have Suricata, you might be looking at this and saying ah crap.

00:05:26:32 – 00:05:51:48
Grizzled FBI Agent
Well, we got a solution for you too, so don’t worry. We wrote a Suricata rule that looks like this that basically does the same type of detection that we put together in Zeek, except it just uses the Suricata engine instead. Thank you for spending time today with this old grizzled FBI agent. Together. We can help fight against AsyncRAT.

00:05:51:53 – 00:05:57:03
Grizzled FBI Agent
I hope to see you again on one of our next videos.

Leave a Reply

Your email address will not be published. Required fields are marked *