{"id":191243,"date":"2024-05-08T11:14:14","date_gmt":"2024-05-08T18:14:14","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=191243"},"modified":"2024-05-08T11:21:14","modified_gmt":"2024-05-08T18:21:14","slug":"from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/","title":{"rendered":"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats"},"content":{"rendered":"

Authored by Yashvi Shah and Preksha Saxena<\/span><\/span><\/em><\/p>\n

AsyncRAT, also known as “Asynchronous Remote Access Trojan,” represents a highly sophisticated malware variant meticulously crafted to breach computer systems security and steal confidential data. McAfee Labs has recently uncovered a novel infection chain, shedding light on its potent lethality and the various security bypass mechanisms it employs.<\/p>\n

It utilizes a variety of file types, such as PowerShell, Windows Script File (WSF), VBScript (VBS), and others within a malicious HTML file. This multifaceted approach aims to circumvent antivirus detection methods and facilitate the distribution of infection.<\/p>\n

\"\"<\/center><\/p>\n

Figure 1: AsyncRAT prevalence for the last one month<\/em><\/p>\n

Infection Chain:<\/strong><\/h2>\n

The infection initiates through a spam email containing an HTML page attachment. Upon unwittingly opening the HTML page, an automatic download of a Windows Script File (WSF) ensues. This WSF file is deliberately named in a manner suggestive of an Order ID, fostering the illusion of legitimacy and enticing the user to execute it. Subsequent to the execution of the WSF file, the infection progresses autonomously, necessitating no further user intervention. The subsequent stages of the infection chain encompass the deployment of Visual Basic Script (VBS), JavaScript (JS), Batch (BAT), Text (TXT), and PowerShell (PS1) files. Ultimately, the chain culminates in a process injection targeting aspnet_compiler.exe.<\/p>\n

\"\"<\/center><\/p>\n

Figure 2: Infection Chain<\/em><\/p>\n

Technical Analysis<\/strong><\/h2>\n

Upon opening a spam email, the recipient unwittingly encounters a web link embedded within its contents. Upon clicking on the link, it triggers the opening of an HTML page. Simultaneously, the page initiates the download of a WSF (Windows Script File), setting into motion a potentially perilous sequence of events.<\/p>\n

\"\"<\/center><\/p>\n

Figure 3:HTML page<\/em><\/p>\n

The HTML file initiates the download of a WSF file. Disguised as an order-related document with numerous blank lines, the WSF file conceals malicious intent. \u00a0After its execution, no user interaction is required.<\/p>\n

On executing wsf, we get the following process tree:<\/p>\n

\"\"<\/center><\/p>\n

Figure 4: Process tree<\/em><\/p>\n

Commandlines:
\n<\/strong><\/h2>\n

\"\"<\/center>
<\/center>Upon investigation, we discovered the presence of code lines in wsf file that facilitate the download of another text file.<\/p>\n

\"\"<\/center><\/p>\n

Figure 5:Content of wsf file<\/em><\/p>\n

The downloaded text file, named “1.txt,” contains specific lines of code. These lines are programmed to download another file, referred to as “r.jpg,” but it is actually saved in the public folder under the name “ty.zip.” Subsequently, this zip file is extracted within the same public folder, resulting in the creation of multiple files.<\/p>\n

\"\"<\/center><\/p>\n

Figure 6: Marked files are extracted in a public folder<\/em><\/p>\n

Infection sequence:<\/strong><\/h2>\n

a) The “ty.zip” file comprises 17 additional files. Among these, the file named “basta.js” is the first to be executed. The content of \u201cbasta.js\u201d is as follows:<\/p>\n

\"\"<\/center><\/p>\n

Figure 7: basta.js<\/em><\/p>\n

b) \u201cbasta.js\u201d invoked \u201cnode.bat\u201d<\/strong> file from the same folder.<\/p>\n

\"\"<\/center><\/p>\n

Figure 8: node.js<\/em><\/p>\n

Explaining the command present in node.bat:<\/p>\n

    \n
  • $tr = New-Object -ComObject Schedule.Service;\n
      \n
    • This creates a new instance of the Windows Task Scheduler COM object.<\/li>\n<\/ul>\n<\/li>\n
    • $tr.Connect();\n
        \n
      • This connects to the Task Scheduler service.<\/li>\n<\/ul>\n<\/li>\n
      • $ta = $tr.NewTask(0);\n
          \n
        • This creates a new task object.<\/li>\n<\/ul>\n<\/li>\n
        • $ta.RegistrationInfo.Description = ‘Runs a script every 2 minutes’;\n
            \n
          • This sets the description of the task.<\/li>\n<\/ul>\n<\/li>\n
          • $ta.Settings.Enabled = $true;\n
              \n
            • This enables the task.<\/li>\n<\/ul>\n<\/li>\n
            • $ta.Settings.DisallowStartIfOnBatteries = $false;\n
                \n
              • This allows the task to start even if the system is on battery power.<\/li>\n<\/ul>\n<\/li>\n
              • $st = $ta.Triggers.Create(1);\n
                  \n
                • This creates a trigger for the task. The value 1 corresponds to a trigger type of “Daily”.<\/li>\n<\/ul>\n<\/li>\n
                • $st.StartBoundary = [DateTime]::Now.ToString(‘yyyy-MM-ddTHH:mm:ss’);\n
                    \n
                  • This sets the start time for the trigger to the current time.<\/li>\n<\/ul>\n<\/li>\n
                  • $st.Repetition.Interval = ‘PT2M’;\n
                      \n
                    • This sets the repetition interval for the trigger to 2 minutes.<\/li>\n<\/ul>\n<\/li>\n
                    • $md = $ta.Actions.Create(0);\n
                        \n
                      • This creates an action for the task. The value 0 corresponds to an action type of “Execute”.<\/li>\n<\/ul>\n<\/li>\n
                      • $md.Path = ‘C:\\Users\\Public\\app.js’;\n
                          \n
                        • This sets the path of the script to be executed by the task.<\/li>\n<\/ul>\n<\/li>\n
                        • $ns = $tr.GetFolder(‘\\’);\n
                            \n
                          • This gets the root folder of the Task Scheduler.<\/li>\n<\/ul>\n<\/li>\n
                          • $ns.RegisterTaskDefinition(‘cafee’, $ta, 6, $null, $null, 3);\n
                              \n
                            • This registers the task definition with the Task Scheduler. The task is named “cafee”. The parameters 6 and 3 correspond to constants for updating an existing task and allowing the task to be run on demand, respectively.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

                              To summarize, the command sets up a scheduled task called “cafee” which is designed to execute the “app.js” script found in the C:\\Users\\Public\\ directory every 2 minutes. The primary purpose of this script is to maintain persistence on the system.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 9: Schedule task entry<\/em><\/p>\n

                              c) Now \u201capp.js<\/strong>\u201d is executed and it executes \u201ct.bat<\/strong>\u201d from the same folder.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 10:app.js<\/em><\/p>\n

                              d) \u201ct.bat\u201d<\/strong> has little obfuscated code which after concatenating becomes: \u201cPowershell.exe -ExecutionPolicy Bypass -File “”C:\\Users\\Public\\t.ps1\u201d<\/em><\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 11: Content of t.bat<\/em><\/p>\n

                              e) Now the powershell script \u201ct.ps1\u201d is invoked. This is the main script that is responsible for injection.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 12: Content of t.ps1<\/em><\/p>\n

                              There are 2 functions defined in it:<\/p>\n

                              A) function fun_alosh()
                              \nThis function is used in the last for decoding $tLx and $Uk<\/p>\n

                              B) Function FH ()
                              \nThis function is used only once to decode the content of \u201cC:\\\\Users\\\\Public\\\\Framework.txt\u201d. This function takes a binary string as input, converts it into a sequence of ASCII characters, and returns the resulting string.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 13: Content of Framework.txt<\/em><\/p>\n

                              After decoding the contents of “C:\\Users\\Public\\Framework.txt” using CyberChef, we are able to reveal the name of the final binary file targeted for injection.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 14: Binary to Hex, Hex to Ascii Conversion using CyberChef<\/em><\/p>\n

                              This technique aims to evade detection by concealing suspicious keywords within the script. Same way other keywords are also stored in txt files, such as:<\/p>\n

                              Content of other text files are:<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 15: Content of other files<\/em><\/p>\n

                              After replacing all the names and reframing sentences. Below is the result.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 16: Injection code<\/em><\/p>\n

                              Now, the two variables left are decrypted by fun_alosh.<\/p>\n

                              After decrypting and saving them, it was discovered that both files are PE files, with one being a DLL ($tLx) and the other an exe ($Uk).<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 17: Decoded binaries<\/em><\/p>\n

                              Process injection in aspnet_compiler.exe.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 18:\u00a0 Process injection in aspnet_compiler.exe<\/em><\/p>\n

                              Once all background tasks are finished, a deceptive Amazon page emerges solely to entice the user.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 19: Fake Amazon page<\/em><\/p>\n

                              Analysis of Binaries:<\/strong><\/h2>\n

                              The Dll file is packed with confuserEX and as shown, the type is mentioned \u2018NewPE2.PE\u2019 and Method is mentioned \u2018Execute\u2019.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 20: Confuser packed DLL<\/em><\/p>\n

                              The second file is named AsyncClient123 which is highly obfuscated.<\/p>\n

                              \"\"<\/center><\/p>\n

                              Figure 21: AsyncRat payload<\/em><\/p>\n

                              To summarize the main execution flow of “AsyncRAT”, we can outline the following steps:<\/p>\n

                                \n
                              • Initialize its configuration (decrypts the strings).<\/li>\n
                              • Verifies and creates a Mutex (to avoid running duplicated instances).<\/li>\n
                              • If configured through the settings, the program will automatically exit upon detecting a virtualized or analysis environment.<\/li>\n
                              • Establishes persistence in the system.<\/li>\n
                              • Collect data from the victim’s machine.<\/li>\n
                              • Establish a connection with the server.<\/li>\n<\/ul>\n

                                The decrypting function is used to decrypt strings.<\/p>\n

                                \"\"<\/center><\/p>\n

                                Figure 22: Decrypting Function<\/em><\/p>\n

                                The program creates a mutex to prevent multiple instances from running simultaneously.<\/p>\n

                                \"\"<\/center><\/p>\n

                                Figure 23: Creating Mutex<\/em><\/p>\n

                                \"\"<\/center><\/p>\n

                                Figure 24: Mutex in process explorer<\/em><\/p>\n

                                Checking the presence of a debugger.<\/p>\n

                                \"\"<\/center><\/p>\n

                                Figure 25: Anti analysis code<\/em><\/p>\n

                                Collecting data from the system.<\/p>\n

                                \"\"<\/center><\/p>\n

                                Figure 26: Code for collecting data from system<\/em><\/p>\n

                                Establish a connection with the server.<\/p>\n

                                \"\"<\/center><\/p>\n

                                Figure 27: Code for C2 connection<\/em><\/p>\n

                                Process injection in aspnet_compiler.exe:<\/p>\n

                                \"\"<\/center><\/p>\n

                                Figure 28: C2 communication<\/em><\/p>\n

                                Conclusion:<\/strong><\/h2>\n

                                In this blog post, we dissect the entire attack sequence of AsyncRAT, beginning with an HTML file that triggers the download of a WSF file, and culminating in the injection of the final payload. Such tactics are frequently employed by attackers to gain an initial foothold. We anticipate a rise in the utilization of these file types following Microsoft’s implementation of protections against malicious Microsoft Office macros, which have also been widely exploited for malware delivery. McAfee labs consistently advise users to refrain from opening files from unknown sources, particularly those received via email. For organizations, we highly recommend conducting security training for employees and implementing a secure web gateway equipped with advanced threat protection. This setup enables real-time scanning and detection of malicious files, enhancing organizational security.<\/p>\n

                                Mitigation:<\/strong><\/h2>\n

                                Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:<\/p>\n

                                  \n
                                • Verify Sender Information<\/li>\n
                                • Think Before Clicking Links and Warnings<\/li>\n
                                • Check for Spelling and Grammar Errors<\/li>\n
                                • Be Cautious with Email Content<\/li>\n
                                • Verify Unusual Requests<\/li>\n
                                • Use Email Spam Filters<\/li>\n
                                • Check for Secure HTTP Connections<\/li>\n
                                • Delete Suspicious Emails<\/li>\n
                                • Keep Windows and Security Software Up to date<\/li>\n
                                • Use the latest and patched version of Acrobat reader<\/li>\n<\/ul>\n

                                  IOCs (Indicators of compromise):<\/strong><\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                  File<\/strong><\/td>\nSHA256<\/strong><\/td>\n<\/tr>\n
                                  HTML<\/strong><\/td>\n969c50f319a591b79037ca50cda55a1bcf2c4284e6ea090a68210039034211db<\/td>\n<\/tr>\n
                                  WSF<\/td>\nec6805562419e16de9609e2a210464d58801c8b8be964f876cf062e4ab52681a<\/td>\n<\/tr>\n
                                  ty.zip<\/td>\ndaee41645adcf22576def12cb42576a07ed5f181a71d3f241c2c14271aad308b<\/td>\n<\/tr>\n
                                  basta.js<\/td>\n909ec84dfa3f2a00431a20d4b8a241f2959cac2ea402692fd46f4b7dbf247e90<\/td>\n<\/tr>\n
                                  node.bat<\/td>\n569e33818e6af315b5f290442f9e27dc6c56a25259d9c9866b2ffb4176d07103<\/td>\n<\/tr>\n
                                  app.js<\/td>\n7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81<\/td>\n<\/tr>\n
                                  t.bat<\/td>\ne2d30095e7825589c3ebd198f31e4c24e213d9f43fc3bb1ab2cf06b70c6eac1d<\/td>\n<\/tr>\n
                                  t.ps1<\/td>\na0c40aa214cb28caaf1a2f5db136bb079780f05cba50e84bbaeed101f0de7fb3<\/td>\n<\/tr>\n
                                  exe<\/td>\n0d6bc7db43872fc4d012124447d3d050b123200b720d305324ec7631f739d98d<\/td>\n<\/tr>\n
                                  dll<\/td>\nb46cd34f7a2d3db257343501fe47bdab67e796700f150b8c51a28bb30650c28f<\/td>\n<\/tr>\n
                                  URL<\/td>\nhxxp:\/\/142.202.240[.]40:222\/1.txt<\/td>\n<\/tr>\n
                                  URL<\/td>\nhxxp:\/\/142.202.240[.]40:222\/r.jpg<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

                                   <\/p>\n","protected":false},"excerpt":{"rendered":"

                                  Authored by Yashvi Shah and Preksha Saxena AsyncRAT, also known as “Asynchronous Remote Access Trojan,” represents a highly sophisticated malware…<\/p>\n","protected":false},"author":695,"featured_media":191679,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-191243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nFrom Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Yashvi Shah and Preksha Saxena AsyncRAT, also known as "Asynchronous Remote Access Trojan," represents a highly sophisticated malware variant\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Yashvi Shah and Preksha Saxena AsyncRAT, also known as "Asynchronous Remote Access Trojan," represents a highly sophisticated malware variant\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-08T18:14:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-08T18:21:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats\",\"datePublished\":\"2024-05-08T18:14:14+00:00\",\"dateModified\":\"2024-05-08T18:21:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/\"},\"wordCount\":1608,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/\",\"name\":\"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png\",\"datePublished\":\"2024-05-08T18:14:14+00:00\",\"dateModified\":\"2024-05-08T18:21:14+00:00\",\"description\":\"Authored by Yashvi Shah and Preksha Saxena AsyncRAT, also known as \\\"Asynchronous Remote Access Trojan,\\\" represents a highly sophisticated malware variant\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats | McAfee Blog","description":"Authored by Yashvi Shah and Preksha Saxena AsyncRAT, also known as \"Asynchronous Remote Access Trojan,\" represents a highly sophisticated malware variant","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats | McAfee Blog","og_description":"Authored by Yashvi Shah and Preksha Saxena AsyncRAT, also known as \"Asynchronous Remote Access Trojan,\" represents a highly sophisticated malware variant","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2024-05-08T18:14:14+00:00","article_modified_time":"2024-05-08T18:21:14+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats","datePublished":"2024-05-08T18:14:14+00:00","dateModified":"2024-05-08T18:21:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/"},"wordCount":1608,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/","name":"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png","datePublished":"2024-05-08T18:14:14+00:00","dateModified":"2024-05-08T18:21:14+00:00","description":"Authored by Yashvi Shah and Preksha Saxena AsyncRAT, also known as \"Asynchronous Remote Access Trojan,\" represents a highly sophisticated malware variant","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/05\/300x200_Blog_062223.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/191243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=191243"}],"version-history":[{"count":7,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/191243\/revisions"}],"predecessor-version":[{"id":191715,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/191243\/revisions\/191715"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/191679"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=191243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=191243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=191243"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=191243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}