{"id":175774,"date":"2023-11-03T05:53:18","date_gmt":"2023-11-03T12:53:18","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=175774"},"modified":"2023-11-03T05:53:18","modified_gmt":"2023-11-03T12:53:18","slug":"unmasking-asyncrat-new-infection-chain","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/","title":{"rendered":"Unmasking AsyncRAT New Infection Chain"},"content":{"rendered":"

Authored by Lakshya Mathur<\/span> & Vignesh<\/span> Dhatchanamoorthy<\/span><\/em><\/p>\n

AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware designed to compromise the security of computer systems and steal sensitive information. What sets AsyncRAT apart from other malware strains is its stealthy nature, making it a formidable adversary in the world of cybersecurity.
\n<\/em><\/p>\n

McAfee Labs has observed a recent AsyncRAT campaign being distributed through a malicious HTML file. This entire infection strategy employs a range of file types, including PowerShell, Windows Script File (WSF), VBScript (VBS), and more, in order to bypass antivirus detection measures.<\/p>\n

\"\"<\/p>\n

Figure 1 \u2013 AsyncRAT prevalence for the last one month<\/em><\/p>\n

Technical Analysis<\/strong><\/h2>\n

A recipient receives a spam email containing a nefarious web link. When accessed, this link triggers the download of an HTML file. Within this HTML file, an ISO file is embedded, and this ISO image file harbors a WSF (Windows Script File). The WSF file subsequently establishes connections with various URLs and proceeds to execute multiple files in formats such as PowerShell, VBS (VBScript), and BAT. These executed files are employed to carry out a process injection into RegSvcs.exe, a legitimate Microsoft .NET utility. This manipulation of RegSvcs.exe allows the attacker to covertly hide their activities within a trusted system application.<\/p>\n

Infection Chain
\n\"\"
\n<\/strong><\/p>\n

Figure 2 \u2013 Infection Chain<\/em><\/p>\n

Stage 1: Analysis of HTML & WSF file<\/strong><\/p>\n

The sequence begins with a malicious URL found within the email, which initiates the download of an HTML file. Inside this HTML file, an ISO file is embedded. Further JavaScript is utilized to extract the ISO image file.<\/p>\n

\"\"<\/p>\n

Figure 3 \u2013 Contents of HTML file<\/em><\/p>\n

\"\"<\/p>\n

Figure 4 \u2013 Extracted ISO file when HTML is run<\/em><\/p>\n

Within the ISO file is a WSF script labeled as “FXM_20231606_9854298542_098.wsf.” This file incorporates junk strings of data, interspersed with specific “<job>” and “<VBScript>” tags (as indicated in Figure 5 and highlighted in red). These tags are responsible for establishing a connection to the URL “hxxp:\/\/45.12.253.107:222\/f[.]txt” to fetch a PowerShell file.
\n\"\"<\/p>\n

Figure 5 \u2013 Contents of WSF file<\/em><\/p>\n

Stage 2: Analysis of PowerShell files<\/strong><\/p>\n

The URL “hxxp:\/\/45.12.253.107:222\/f[.]txt” retrieves a text file that contains PowerShell code.<\/p>\n

\"\"<\/p>\n

Figure 6 \u2013 Contents of the First PowerShell file<\/em><\/p>\n

The initial PowerShell code subsequently establishes a connection to another URL, “hxxp:\/\/45.12.253.107:222\/j[.]jpg,” and retrieves the second PowerShell file.<\/p>\n

\"\"<\/p>\n

Figure 7 \u2013 Contents of Second PowerShell file<\/em><\/p>\n

The PowerShell script drops four files into the ProgramData folder, including two PowerShell files, one VBS file, and one BAT file. The contents of these four files are embedded within this PowerShell script. It then proceeds to create a folder named “xral” in the ProgramData directory, where it writes and extracts these files, as depicted in Figure 8.
\n\"\"<\/p>\n

Figure 8 \u2013 Second PowerShell creating 4 files and writing content in them using [IO.File]::WriteAllText command<\/em><\/p>\n

\"\"<\/p>\n

Figure 9 \u2013 Files extracted in the \u201cProgramData\/xral\u201d folder<\/em><\/p>\n

Stage 3: Analysis of Files dropped in the ProgramData folder<\/strong><\/p>\n

Following this, the PowerShell script executes “xral.ps1,” which is responsible for establishing a scheduled task to achieve persistence. Additionally, it initiates the execution of the ” xral.vbs ” file.<\/p>\n

\"\"<\/p>\n

Figure 10 \u2013 Content of VBS file<\/em><\/p>\n

The VBS script proceeds to execute the “1.bat” file, which, in turn, is responsible for executing the final PowerShell script, “hrlm.ps1.”<\/p>\n

In a nutshell, after the second powershell, the execution goes like:<\/p>\n

xral.ps1 \u00a0->\u00a0 xral.vbs\u00a0 ->\u00a0 1.bat\u00a0 ->\u00a0 hrlm.ps1<\/p>\n

These various executions of different file types are strategically employed to circumvent both static and behavior-based antivirus detections.<\/p>\n

Stage 4: Analysis of the final PowerShell file<\/strong><\/p>\n

\"\"<\/p>\n

Figure 11 \u2013 Content of final PowerShell file<\/em><\/p>\n

As depicted in the preceding figure, this PowerShell file contains a PE (Portable Executable) file in hexadecimal format. This file is intended for injection into a legitimate process. In the second red-highlighted box, it’s evident that the attackers have obfuscated the process name, which will be revealed after performing a replacement operation. It is now evident that this PE file is intended for injection into “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe.” The process injection is accomplished through the Reflection Assembly load functionality of the PowerShell file, which allows access and invocation of .NET data from within PowerShell.<\/p>\n

After the process injection, the RegSvcs utility is initiated and executed without any additional parameters.<\/p>\n

Stage 5: Analysis of infected RegSvcs.exe<\/strong><\/p>\n

Once PowerShell successfully injects malicious code into RegSvcs, the compromised RegSvcs.exe runs, and the AsyncRAT server establishes a connection to it. The artifacts of this infected RegSvcs.exe running are illustrated in Figure 12.<\/p>\n

\"\"<\/p>\n

Figure 12 \u2013 AsyncRAT server strings in RegSvcs<\/p>\n

Further analysis uncovered that this sample possesses keylogging capabilities. It recorded all activities performed on the system after replication, storing this information in a “log.tmp” file within the TEMP folder for record-keeping purposes.<\/p>\n

\"\"<\/p>\n

Figure 13 \u2013 Log file created in %temp% folder logging all keystrokes<\/p>\n

Furthermore, this sample was actively engaged in the theft of credentials and browser-related data. Additionally, it attempted to search for cryptocurrency-related information, including data related to Bitcoin, Ethereum, and similar assets. The illicitly acquired data was being transmitted over TCP to the IP address 45[.]12.253.107 on port 8808.<\/p>\n

\"\"<\/p>\n

Figure 14 \u2013 TCP information of RegSvcs.exe<\/p>\n

Summary<\/strong><\/h2>\n

The infection chain begins with a malicious URL embedded in a spam email, leading to the download of an HTML file containing an ISO. Within the ISO file, a WSF script connects to external URLs and downloads a PowerShell script, which, in turn, initiates a series of non-PE file executions and ultimately injects a hexadecimal-encoded PE file into the legitimate “RegSvcs.exe.” This compromised process connects to an AsyncRAT server. The malware exhibits keylogging capabilities, records user activities, and steals credentials, browser data, and crypto-related information. Data is exfiltrated over TCP to an IP address and port. This intricate chain leverages diverse file types and obfuscation methods to avoid detection, ultimately resulting in the attackers gaining remote control and successfully stealing data.<\/p>\n

Indicator of Compromise (IOCs)<\/strong><\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
File<\/strong><\/td>\nSHA256\/URL<\/strong><\/td>\n<\/tr>\n
HTML<\/td>\n83c96c9853245a32042e45995ffa41393eeb9891e80ebcfb09de8fae8b5055a3<\/td>\n<\/tr>\n
ISO<\/td>\n97f91122e541b38492ca2a7c781bb9f6b0a2e98e5b048ec291d98c273a6c3d62<\/td>\n<\/tr>\n
WSF<\/td>\nac6c6e196c9245cefbed223a3b02d16dd806523bba4e74ab1bcf55813cc5702a<\/td>\n<\/tr>\n
PS1<\/td>\n0159bd243221ef7c5f392bb43643a5f73660c03dc2f74e8ba50e4aaed6c6f531<\/td>\n<\/tr>\n
PS1<\/td>\nf123c1df7d17d51115950734309644e05f3a74a5565c822f17c1ca22d62c3d99<\/td>\n<\/tr>\n
PS1<\/td>\n19402c43b620b96c53b03b5bcfeaa0e645f0eff0bc6e9d1c78747fafbbaf1807<\/td>\n<\/tr>\n
VBS<\/td>\n34cb840b44befdd236610f103ec1d0f914528f1f256d9ab375ad43ee2887d8ce<\/td>\n<\/tr>\n
BAT<\/td>\n1c3d5dea254506c5f7c714c0b05f6e2241a25373225a6a77929e4607eb934d08<\/td>\n<\/tr>\n
PS1<\/td>\n83b29151a192f868362c0ecffe5c5fabe280c8baac335c79e8950fdd439e69ac<\/td>\n<\/tr>\n
URL<\/td>\nhxxp:\/\/45.12.253[.]107:222\/f[.]txt<\/td>\n<\/tr>\n
hxxp:\/\/45.12.253[.]107:222\/j[.]jpg<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware…<\/p>\n","protected":false},"author":695,"featured_media":176164,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-175774","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nUnmasking AsyncRAT New Infection Chain | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for "Asynchronous Remote Access Trojan," is a sophisticated piece of malware\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unmasking AsyncRAT New Infection Chain | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for "Asynchronous Remote Access Trojan," is a sophisticated piece of malware\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-03T12:53:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Unmasking AsyncRAT New Infection Chain\",\"datePublished\":\"2023-11-03T12:53:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/\"},\"wordCount\":1131,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/\",\"name\":\"Unmasking AsyncRAT New Infection Chain | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png\",\"datePublished\":\"2023-11-03T12:53:18+00:00\",\"description\":\"Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for \\\"Asynchronous Remote Access Trojan,\\\" is a sophisticated piece of malware\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Unmasking AsyncRAT New Infection Chain\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Unmasking AsyncRAT New Infection Chain | McAfee Blog","description":"Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for \"Asynchronous Remote Access Trojan,\" is a sophisticated piece of malware","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Unmasking AsyncRAT New Infection Chain | McAfee Blog","og_description":"Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for \"Asynchronous Remote Access Trojan,\" is a sophisticated piece of malware","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2023-11-03T12:53:18+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Unmasking AsyncRAT New Infection Chain","datePublished":"2023-11-03T12:53:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/"},"wordCount":1131,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/","name":"Unmasking AsyncRAT New Infection Chain | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png","datePublished":"2023-11-03T12:53:18+00:00","description":"Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy AsyncRAT, short for \"Asynchronous Remote Access Trojan,\" is a sophisticated piece of malware","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/11\/300x200_Blog_AsyncRAT-1.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/unmasking-asyncrat-new-infection-chain\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Unmasking AsyncRAT New Infection Chain"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/175774","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=175774"}],"version-history":[{"count":6,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/175774\/revisions"}],"predecessor-version":[{"id":176192,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/175774\/revisions\/176192"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/176164"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=175774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=175774"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=175774"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=175774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}