{"id":201196,"date":"2024-09-19T04:24:59","date_gmt":"2024-09-19T11:24:59","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=201196"},"modified":"2025-05-29T00:05:18","modified_gmt":"2025-05-29T07:05:18","slug":"cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/","title":{"rendered":"Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware"},"content":{"rendered":"<p><em>Authored by Neil Tyagi<\/em><\/p>\n<p>In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. One of the latest menaces is a recent AsyncRAT variant, a sophisticated remote access trojan (RAT) that\u2019s been making waves by marketing itself as cracked software. This tactic plays on the desire for free access to premium software, luring users into downloading what appears to be a harmless application. 
However, beneath the surface lies dangerous malware designed to infiltrate systems, steal sensitive information, and give cybercriminals complete control over infected devices.<\/p>\n<p>In this blog, we\u2019ll examine the mechanics of AsyncRAT, how it spreads by masquerading as cracked software, and the steps you can take to protect yourself from this increasingly common cyber threat.<\/p>\n<p>McAfee telemetry data shows this threat has been in the wild since March 2024 and is prevalent with infected hosts worldwide.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200272 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/map.jpg\" alt=\"\" width=\"915\" height=\"531\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/map.jpg 915w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/map-300x174.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/map-768x446.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/map-205x119.jpg 205w\" sizes=\"auto, (max-width: 915px) 100vw, 915px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We have many initial vectors for this chain, masquerading as different software<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200302 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure1.jpg\" alt=\"\" width=\"489\" height=\"340\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure1.jpg 489w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure1-300x209.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure1-186x129.jpg 186w\" sizes=\"auto, (max-width: 489px) 100vw, 489px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Theme: CCleaner. 
Hash: 6f976e1b53271178c2371bec7f64bd9cf2a2f936dc9670c40227c9d7ea56b8e6<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200317 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure2.jpg\" alt=\"\" width=\"554\" height=\"370\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure2.jpg 554w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure2-300x200.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure2-193x129.jpg 193w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Theme: Sidify Music Converter. Hash: 9aaabe9807f9ba1ad83bbb33b94648d32054f9dc575a5b77f92876d018eed91c<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200347 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure3.jpg\" alt=\"\" width=\"633\" height=\"365\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure3.jpg 633w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure3-300x173.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure3-205x118.jpg 205w\" sizes=\"auto, (max-width: 633px) 100vw, 633px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Theme: Ease US Partition Master. 
Hash: 84521572d3baeb218996daa3ab13be288b197095a677940146bf7a0285b71306<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200362 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure34.jpg\" alt=\"\" width=\"564\" height=\"377\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure34.jpg 564w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure34-300x201.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/lure34-193x129.jpg 193w\" sizes=\"auto, (max-width: 564px) 100vw, 564px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Theme: YouTube Downloader Hash: 00a1afd74d1a40593539a4e9115ab4c390cad9024d89931bd40d4279c95e9b6a<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200257 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/1.jpg\" alt=\"\" width=\"539\" height=\"250\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/1.jpg 539w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/1-300x139.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/1-205x95.jpg 205w\" sizes=\"auto, (max-width: 539px) 100vw, 539px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Asyncrat is coming in the theme of AnyDesk software. 
HASH: 2f1703c890439d5d6850ea1727b94d15346e53520048b694f510ed179c881f72<\/li>\n<li>In this blog, we will analyze the AnyDesk-themed malware; the other noted themes are similar in nature.<\/li>\n<li>Also, note that the setup.dll file shown in the pictures above is the same file in every lure, as it has the same hash.<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200392 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/2.jpg\" alt=\"\" width=\"1099\" height=\"734\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/2.jpg 1099w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/2-300x200.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/2-1024x684.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/2-768x513.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/2-193x129.jpg 193w\" sizes=\"auto, (max-width: 1099px) 100vw, 1099px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Anydesk 8.0.6 Portable.exe is a 64-bit .NET file. 
However, it is not the original Anydesk file; it is malware.<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200407 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/3.jpg\" alt=\"\" width=\"1096\" height=\"746\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/3.jpg 1096w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/3-300x204.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/3-1024x697.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/3-768x523.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/3-190x129.jpg 190w\" sizes=\"auto, (max-width: 1096px) 100vw, 1096px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Carried within the malware is an Anydesk.data file, the genuine anydesk application.<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200422 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/4.jpg\" alt=\"\" width=\"1202\" height=\"577\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/4.jpg 1202w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/4-300x144.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/4-1024x492.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/4-768x369.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/4-205x98.jpg 205w\" sizes=\"auto, (max-width: 1202px) 100vw, 1202px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We can confirm that the Anydesk. 
data file has a valid digital signature from the publishers of Anydesk software.<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200437 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/5.jpg\" alt=\"\" width=\"1862\" height=\"953\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/5.jpg 1862w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/5-300x154.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/5-1024x524.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/5-768x393.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/5-1536x786.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/5-205x105.jpg 205w\" sizes=\"auto, (max-width: 1862px) 100vw, 1862px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>When we rename the anydesk.data file to anydesk.exe, we can also see the anydesk software running.<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200452 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/6.jpg\" alt=\"\" width=\"1545\" height=\"556\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/6.jpg 1545w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/6-300x108.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/6-1024x369.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/6-768x276.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/6-1536x553.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/6-205x74.jpg 205w\" sizes=\"auto, (max-width: 1545px) 100vw, 1545px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Setup.dll is a bat file, as we can see in the above image<\/li>\n<li>We 
start debugging by putting the malicious AnyDesk executable into the Dnspy tool to review the source code.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200467 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/7.jpg\" alt=\"\" width=\"1601\" height=\"672\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/7.jpg 1601w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/7-300x126.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/7-1024x430.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/7-768x322.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/7-1536x645.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/7-205x86.jpg 205w\" sizes=\"auto, (max-width: 1601px) 100vw, 1601px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The primary function calls the IsAdmin function, which checks the current context of the running process. Based on this, it calls four functions in succession: AddExclusion, CopyAndRenameFile, RunScript, and ExecuteScript. 
We will check each function call separately.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200482 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/8.jpg\" alt=\"\" width=\"1025\" height=\"261\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/8.jpg 1025w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/8-300x76.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/8-768x196.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/8-205x52.jpg 205w\" sizes=\"auto, (max-width: 1025px) 100vw, 1025px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The AddExclusion function passes the above string into the RunHiddenCommand function.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200542 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/12.jpg\" alt=\"\" width=\"965\" height=\"526\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/12.jpg 965w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/12-300x164.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/12-768x419.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/12-205x112.jpg 205w\" sizes=\"auto, (max-width: 965px) 100vw, 965px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>RunHiddenCommand takes that string, launches an instance of PowerShell, and passes the string to it as an argument for execution.<\/li>\n<li>This effectively adds a Windows Defender scan exclusion for the entire C drive.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200497 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/9.jpg\" alt=\"\" width=\"1412\" height=\"637\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/9.jpg 1412w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/9-300x135.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/9-1024x462.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/9-768x346.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/9-205x92.jpg 205w\" sizes=\"auto, (max-width: 1412px) 100vw, 1412px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>The CopyAndRenameFile Function will rename the setup.dll file to the setup.bat file and copy it to the appdata\\local\\temp folder.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200512 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/10.jpg\" alt=\"\" width=\"877\" height=\"288\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/10.jpg 877w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/10-300x99.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/10-768x252.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/10-205x67.jpg 205w\" sizes=\"auto, (max-width: 877px) 100vw, 877px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>After the bat file is copied to the temp folder, it will be executed using a process start call.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200527 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/11.jpg\" alt=\"\" width=\"915\" height=\"541\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/11.jpg 915w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/11-300x177.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/11-768x454.jpg 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/11-205x121.jpg 205w\" sizes=\"auto, (max-width: 915px) 100vw, 915px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Now, to convince the user that he has indeed opened the AnyDesk software, the AnyDesk.data file containing the original AnyDesk software will be renamed AnyDesk.exe.<\/li>\n<li>This is the whole purpose of the malware AnyDesk.exe file. Now, the attack chains move to execute the bat script, which we will analyze further.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200557 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/13.jpg\" alt=\"\" width=\"1605\" height=\"500\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/13.jpg 1605w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/13-300x93.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/13-1024x319.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/13-768x239.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/13-1536x479.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/13-205x64.jpg 205w\" sizes=\"auto, (max-width: 1605px) 100vw, 1605px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>The bat file uses dos obfuscation<\/li>\n<li>It is setting environment variables to be used later during execution.<\/li>\n<li>Also, lines 6 and 7 have two long comments and an encrypted payload.<\/li>\n<li>In line 13, it echoes something and pipes it to the %Ahmpty% environment variable.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200572 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/14.jpg\" alt=\"\" width=\"1548\" height=\"743\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/14.jpg 1548w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/14-300x144.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/14-1024x491.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/14-768x369.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/14-1536x737.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/14-205x98.jpg 205w\" sizes=\"auto, (max-width: 1548px) 100vw, 1548px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We can easily deobfuscate the strings by launching an instance of cmd, executing the set commands, and echoing the contents of the variables.<\/li>\n<li>One thing to note here is that %variablename% will echo the entire contents of the variable, but %variablename:string=% will replace any occurrence of \u201cstring\u201d in the contents of \u201cvariablename\u201d with a null character.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200587 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/15.jpg\" alt=\"\" width=\"1832\" height=\"679\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/15.jpg 1832w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/15-300x111.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/15-1024x380.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/15-768x285.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/15-1536x569.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/15-205x76.jpg 205w\" sizes=\"auto, (max-width: 1832px) 100vw, 1832px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The above image is after deobfuscation of all strings and formatting of the 
script in a human-readable form.<\/li>\n<li>The script first sets @echo off.<\/li>\n<li>Then, it checks if the environment variable Ajlp is set. If not, it sets Ajlp to 1 and again starts the execution of the bat script (%0 contains the path to the same script) in minimized form, exiting the original script.<\/li>\n<li>Then we have our two comments, which later turn out to be encrypted payloads.<\/li>\n<li>Then the script checks which version of PowerShell is present on the system because, for older versions of Windows, PowerShell is sometimes located in the syswow64 folder. This check is done so that the chain also works on those versions of Windows.<\/li>\n<li>Then, a long script is echoed at the end and piped for execution to PowerShell.<\/li>\n<li>One interesting thing to note is that %~0 is echoed as part of the script and passed to PowerShell for execution. This trick passes the path of the bat script to the PowerShell script for further processing.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200602 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/16.jpg\" alt=\"\" width=\"774\" height=\"183\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/16.jpg 774w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/16-300x71.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/16-768x182.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/16-205x48.jpg 205w\" sizes=\"auto, (max-width: 774px) 100vw, 774px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Comparing the contents of %0 and %~0, you can see that they differ only in the surrounding double quotes.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200617 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/17.jpg\" alt=\"\" width=\"1899\" height=\"724\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/17.jpg 1899w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/17-300x114.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/17-1024x390.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/17-768x293.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/17-1536x586.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/17-205x78.jpg 205w\" sizes=\"auto, (max-width: 1899px) 100vw, 1899px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Moving on to the PowerShell script, we can see it sets the PowerShell window title to the path of the bat script using the $host.UI.RawUI.WindowTitle call.<\/li>\n<li>As we saw before, this path was passed in when the bat script echoed %~0 as part of the piped script.<\/li>\n<li>Then we have some string replacement operations.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200632 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/18.jpg\" alt=\"\" width=\"1230\" height=\"626\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/18.jpg 1230w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/18-300x153.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/18-1024x521.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/18-768x391.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/18-205x104.jpg 205w\" sizes=\"auto, (max-width: 1230px) 100vw, 1230px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We can see the contents of the variable after the string replacement operation is done. 
It is being used to hide strings with malicious intent, such as invoke, load, frombase64string, etc.<\/li>\n<li>Then we have a command to hide the PowerShell window.<\/li>\n<li>Then we have two functions. The first one is used for AES decryption, and the second one is used for Gzip decompression.<\/li>\n<li>Then, we have some operations that we will investigate in detail next.<\/li>\n<li>Then we have two calls to System.reflection.assembly, which reflectively load the assemblies into memory.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200647 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/19.jpg\" alt=\"\" width=\"1588\" height=\"505\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/19.jpg 1588w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/19-300x95.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/19-1024x326.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/19-768x244.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/19-1536x488.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/19-205x65.jpg 205w\" sizes=\"auto, (max-width: 1588px) 100vw, 1588px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>This is the deobfuscated and high-level view of the script for easy readability.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-201145 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/20-1.jpg\" alt=\"\" width=\"1244\" height=\"312\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/20-1.jpg 1244w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/20-1-300x75.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/20-1-1024x257.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/20-1-768x193.jpg 
768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/20-1-205x51.jpg 205w\" sizes=\"auto, (max-width: 1244px) 100vw, 1244px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We can see that the $lmyiu variable contains the contents of the entire bat file. It is read using the System.IO.File call, which takes as its parameter the path supplied through [console]::Title. We know the title was set to the path of the original bat script at the beginning.<\/li>\n<li>Now, indexes 5 and 6 are being read from the bat file, which translates to lines 5 and 6, which contain the comments (indexing starts from 0).<\/li>\n<li>Now, the first two characters are removed using substring to strip the two colons (::) that mark a comment in the bat file.<\/li>\n<li>In the above image, we can see the output of that line, which contains the comment.<\/li>\n<li>Now, the comment is converted from a base64 string and passed to a function that does AES decryption. The result is passed into a function that does GZIP decompression and stored in the assembly1 variable. 
The same thing happens for the second comment to get the second assembly.<\/li>\n<li>Once both assemblies are decrypted, they are reflectively loaded into memory using the System.reflection.assembly call.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200677 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/21.jpg\" alt=\"\" width=\"1352\" height=\"509\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/21.jpg 1352w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/21-300x113.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/21-1024x386.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/21-768x289.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/21-205x77.jpg 205w\" sizes=\"auto, (max-width: 1352px) 100vw, 1352px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>We can dump the two decrypted assemblies onto the disk for further analysis, as shown in the above image.<\/li>\n<li>After writing to disk, we load both assemblies in CFF Explorer.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200692 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/22.jpg\" alt=\"\" width=\"1132\" height=\"756\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/22.jpg 1132w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/22-300x200.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/22-1024x684.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/22-768x513.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/22-193x129.jpg 193w\" sizes=\"auto, (max-width: 1132px) 100vw, 1132px\" \/><\/center><\/p>\n<ul>\n<li>Assembly1 in CFFExplorer.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter 
wp-image-200707 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/23.jpg\" alt=\"\" width=\"1138\" height=\"745\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/23.jpg 1138w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/23-300x196.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/23-1024x670.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/23-768x503.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/23-197x129.jpg 197w\" sizes=\"auto, (max-width: 1138px) 100vw, 1138px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Assembly2 in CFFExplorer.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200722 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/24.jpg\" alt=\"\" width=\"1819\" height=\"883\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/24.jpg 1819w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/24-300x146.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/24-1024x497.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/24-768x373.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/24-1536x746.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/24-205x100.jpg 205w\" sizes=\"auto, (max-width: 1819px) 100vw, 1819px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We load both assemblies into Dnspy for further debugging.<\/li>\n<li>We can see that both assemblies are heavily obfuscated using Confuser Packer, and their contents are not easily readable for analysis.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>This is intended to slow down the debugging process.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200737 
size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/25.jpg\" alt=\"\" width=\"1172\" height=\"781\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/25.jpg 1172w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/25-300x200.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/25-1024x682.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/25-768x512.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/25-194x129.jpg 194w\" sizes=\"auto, (max-width: 1172px) 100vw, 1172px\" \/><\/li>\n<li>We will use .NET Reactor Slayer to deobfuscate the two assemblies. This will remove the Confuser obfuscation and give us readable assemblies.<\/li>\n<li>We use it for both assemblies and write the deobfuscated versions to disk.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200752 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/26.jpg\" alt=\"\" width=\"1734\" height=\"620\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/26.jpg 1734w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/26-300x107.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/26-1024x366.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/26-768x275.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/26-1536x549.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/26-205x73.jpg 205w\" sizes=\"auto, (max-width: 1734px) 100vw, 1734px\" \/><\/center><\/p>\n<ul>\n<li>When we load the assemblies into Dnspy, we see they have cleaned up nicely, and the Confuser obfuscation is entirely removed.<\/li>\n<li>We can see that it first checks the console title of the current process.<\/li>\n<li>We can also see a few anti-debugging API calls, IsDebuggerPresent and CheckRemoteDebuggerPresent. 
If either returns true, the program exits.<\/li>\n<li>After that, there is a call to smethod_3.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200782 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/28.jpg\" alt=\"\" width=\"1465\" height=\"588\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/28.jpg 1465w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/28-300x120.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/28-1024x411.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/28-768x308.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/28-205x82.jpg 205w\" sizes=\"auto, (max-width: 1465px) 100vw, 1465px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Inspecting smethod_3, we see several encoded strings, each of which is passed as an argument to smethod_0.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200797 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/29.jpg\" alt=\"\" width=\"1354\" height=\"828\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/29.jpg 1354w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/29-300x183.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/29-1024x626.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/29-768x470.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/29-205x125.jpg 205w\" sizes=\"auto, (max-width: 1354px) 100vw, 1354px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>smethod_0 is the string-decoding routine: it rebuilds each encoded string with a StringBuilder and returns it in readable form.<br \/>\n<center><img 
loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200812 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/30.jpg\" alt=\"\" width=\"1299\" height=\"774\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/30.jpg 1299w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/30-300x179.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/30-1024x610.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/30-768x458.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/30-205x122.jpg 205w\" sizes=\"auto, (max-width: 1299px) 100vw, 1299px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>We put a breakpoint on the return statement so that each decoded string shows up in the Locals window, looking in particular for anything related to a scheduled task.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200857 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/34.jpg\" alt=\"\" width=\"1234\" height=\"661\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/34.jpg 1234w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/34-300x161.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/34-1024x549.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/34-768x411.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/34-205x110.jpg 205w\" sizes=\"auto, (max-width: 1234px) 100vw, 1234px\" \/><\/center><\/p>\n<ul>\n<li>Stepping further, we reach the call that writes the assembly to disk as Network67895Man.cmd in the AppData\\Roaming folder using File.WriteAllBytes. 
We can inspect its arguments in the Locals window.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200827 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/31.jpg\" alt=\"\" width=\"1466\" height=\"642\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/31.jpg 1466w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/31-300x131.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/31-1024x448.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/31-768x336.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/31-205x90.jpg 205w\" sizes=\"auto, (max-width: 1466px) 100vw, 1466px\" \/><\/center><\/p>\n<ul>\n<li>In the above image, Network67895Man.cmd is launched with a Process.Start call; the .cmd extension is only a disguise, since the file is a .NET executable rather than a batch script.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200872 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/32.jpg\" alt=\"\" width=\"1125\" height=\"598\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/32.jpg 1125w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/32-300x159.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/32-1024x544.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/32-768x408.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/32-205x109.jpg 205w\" sizes=\"auto, (max-width: 1125px) 100vw, 1125px\" \/><\/center><\/p>\n<ul>\n<li>We can confirm that the hash of Network67895Man.cmd matches that of our assembly. 
We can also confirm visually that the file sits in the AppData\\Roaming folder.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200887 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/33.jpg\" alt=\"\" width=\"1502\" height=\"686\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/33.jpg 1502w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/33-300x137.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/33-1024x468.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/33-768x351.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/33-205x94.jpg 205w\" sizes=\"auto, (max-width: 1502px) 100vw, 1502px\" \/><\/center><\/p>\n<ul>\n<li>Now that we have the dropped file, we turn to the persistence mechanism: the return value of the string-decoding routine that relates to the scheduled task.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200902 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/35-1.jpg\" alt=\"\" width=\"1382\" height=\"305\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/35-1.jpg 1382w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/35-1-300x66.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/35-1-1024x226.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/35-1-768x169.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/35-1-205x45.jpg 205w\" sizes=\"auto, (max-width: 1382px) 100vw, 1382px\" \/><\/center><\/p>\n<ul>\n<li>Copying the complete string into Notepad++ shows a PowerShell command that registers a scheduled task named \u2018OneNote 67895\u2019. 
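The persistence described in this analysis leaves artifacts a defender can triage without the debugger: a .NET assembly dropped under AppData\Roaming with a .cmd extension, a logon-triggered scheduled task whose action points at it, and (in the final AsyncRAT client, covered further below) a registry Run key used as the non-admin fallback. The Python below is an added example written for this page, not code from the McAfee post or from AsyncRAT. The task XML, the victim profile path, the Run-key values and the minimal MZ/PE header are constructed samples; only the Network67895Man.cmd filename is taken from the analysis, and it is used here purely as a label.

```python
# Added example (not code from the McAfee post or from AsyncRAT): triage the persistence
# artifacts the analysis above describes. All inputs are constructed for the example; the
# victim path, task XML and Run-key values are assumptions, not indicators from the post.
import re
import struct
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"   # Task Scheduler XML schema
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|Downloads|Public)\\", re.I)
SCRIPT_EXT = (".cmd", ".bat", ".txt", ".log", ".dat")   # extensions that should never carry a PE


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub and has the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_task(xml_text: str) -> dict:
    """Extract trigger types and Exec commands from Task Scheduler XML
    (as printed by 'schtasks /query /xml' or carried in Security event 4698)."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find(f"{NS}Triggers")
    triggers = [] if triggers_el is None else [t.tag.replace(NS, "") for t in triggers_el]
    commands = [c.text.strip().strip('"') for c in root.iter(f"{NS}Command") if c.text]
    return {"triggers": triggers, "commands": commands}


def triage_task(xml_text: str, read_header) -> list:
    """Findings for one task. read_header(path) returns the file's first bytes, or None."""
    task = parse_task(xml_text)
    findings = []
    for path in task["commands"]:
        if USER_WRITABLE.search(path):
            findings.append(f"action runs from a user-writable path: {path}")
        head = read_header(path)
        # A .cmd/.bat that begins with an MZ header is an executable wearing a script extension.
        if head and path.lower().endswith(SCRIPT_EXT) and looks_like_pe(head):
            findings.append(f"script extension but PE header (disguised executable): {path}")
    if findings and "LogonTrigger" in task["triggers"]:
        findings.append("suspicious action is logon-triggered: persistence")
    return findings


def triage_run_keys(values: dict) -> list:
    """values = {name: command} as read from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,
    the location a non-admin process can write to without elevation."""
    return [f"Run value {name!r} points into a user-writable path: {cmd}"
            for name, cmd in values.items() if USER_WRITABLE.search(cmd)]


# --- constructed samples (hypothetical victim profile, not telemetry from the post) -------
# Minimal MZ/PE header: e_lfanew = 0x40 and 'PE\0\0' at offset 0x40; enough for looks_like_pe.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
FILES = {   # path -> first bytes on disk
    r"C:\Users\victim\AppData\Roaming\Network67895Man.cmd": FAKE_PE,
    r"C:\Program Files\Vendor\Updater.exe": FAKE_PE,
}
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Roaming\Network67895Man.cmd</Command>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-09-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Vendor\Updater.exe"</Command></Exec></Actions>
</Task>"""
RUN_VALUES = {   # hypothetical HKCU Run values
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Client": r"C:\Users\victim\AppData\Roaming\Client.exe",
}

if __name__ == "__main__":
    for label, xml in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task(xml, FILES.get))
    print("run keys", triage_run_keys(RUN_VALUES))
```

The path heuristic on its own is noisy, since legitimate per-user software also installs under AppData\Local; it is the extension/PE-header mismatch and the logon trigger together that turn a hint into a finding. On a live host the same checks can be fed from schtasks /query /xml and a read of the Run key, or from Security event 4698 and Sysmon registry events.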
The task is triggered at logon, and its action executes Network67895Man.cmd with additional parameters.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200917 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/36.jpg\" alt=\"\" width=\"1066\" height=\"404\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/36.jpg 1066w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/36-300x114.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/36-1024x388.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/36-768x291.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/36-205x78.jpg 205w\" sizes=\"auto, (max-width: 1066px) 100vw, 1066px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>We can confirm the task in the Task Scheduler window.<\/li>\n<li>Next, we look at how the following stage is decrypted and loaded into memory.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200932 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/37.jpg\" alt=\"\" width=\"384\" height=\"283\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/37.jpg 384w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/37-300x221.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/37-175x129.jpg 175w\" sizes=\"auto, (max-width: 384px) 100vw, 384px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Note that this assembly contains a resource named P, which turns out to hold the encrypted next-stage payload.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200947 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/38.jpg\" alt=\"\" 
width=\"1042\" height=\"555\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/38.jpg 1042w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/38-300x160.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/38-1024x545.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/38-768x409.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/38-205x109.jpg 205w\" sizes=\"auto, (max-width: 1042px) 100vw, 1042px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Dumping the resource to disk and inspecting it, we see the payload bytes begin with 1F 8B 08 00\u2026 The leading 1F 8B 08 is the gzip magic number (compression method 8, DEFLATE), so the outer layer of the resource is gzip compression that the loader has to inflate before it can load the embedded assembly.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200962 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/39.jpg\" alt=\"\" width=\"1263\" height=\"594\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/39.jpg 1263w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/39-300x141.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/39-1024x482.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/39-768x361.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/39-205x96.jpg 205w\" sizes=\"auto, (max-width: 1263px) 100vw, 1263px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>In the Locals window, we can see the string P being passed to smethod_3, which opens the resource stream and reads the bytes of the P resource.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-200992 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/40.jpg\" alt=\"\" width=\"1424\" height=\"681\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/40.jpg 1424w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/40-300x143.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/40-1024x490.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/40-768x367.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/40-205x98.jpg 205w\" sizes=\"auto, (max-width: 1424px) 100vw, 1424px\" \/><\/center><\/p>\n<ul>\n<li>We can confirm the bytes were read from the resource: they appear in the Locals window in the result variable, beginning with the same 1F 8B 08 00.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-201007 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/41.jpg\" alt=\"\" width=\"993\" height=\"693\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/41.jpg 993w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/41-300x209.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/41-768x536.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/41-185x129.jpg 185w\" sizes=\"auto, (max-width: 993px) 100vw, 993px\" \/><\/center><\/p>\n<ul>\n<li>Next, we put a breakpoint on the Assembly.Load call and inspect its rawAssembly byte-array argument to see the decrypted payload.<\/li>\n<li>We dump it to disk for further inspection.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-201022 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/42.jpg\" alt=\"\" width=\"1115\" height=\"927\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/42.jpg 1115w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/42-300x249.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/42-1024x851.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/42-768x639.jpg 
768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/42-155x129.jpg 155w\" sizes=\"auto, (max-width: 1115px) 100vw, 1115px\" \/><\/center><\/p>\n<ul>\n<li>Checking it in CFF Explorer, we see this is also a 32-bit .NET assembly, with the internal name stub.exe.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-201037 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/43.jpg\" alt=\"\" width=\"351\" height=\"714\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/43.jpg 351w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/43-147x300.jpg 147w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/43-63x129.jpg 63w\" sizes=\"auto, (max-width: 351px) 100vw, 351px\" \/><\/center><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Opening it in dnSpy, we see an unobfuscated AsyncRAT client payload named AsyncClient.<\/li>\n<li>All of its functions are readable in clear text: anti-analysis, LimeLogger (the keylogger component), mutex control, and so on.<\/li>\n<li>This is the final AsyncRAT client payload, reached after several layers of the attack chain. We will now look at some notable features of it.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-201052 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/44.jpg\" alt=\"\" width=\"1549\" height=\"699\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/44.jpg 1549w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/44-300x135.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/44-1024x462.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/44-768x347.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/44-1536x693.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/44-205x93.jpg 
205w\" sizes=\"auto, (max-width: 1549px) 100vw, 1549px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>The client has its own persistence mechanism. It first checks whether it is running as admin: if so, it creates a scheduled task by launching cmd.exe; otherwise it falls back to a Run key under HKCU in the Windows registry, which a non-admin process can write without elevation.<br \/>\n<center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-201067 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/45.jpg\" alt=\"\" width=\"1351\" height=\"593\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/45.jpg 1351w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/45-300x132.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/45-1024x449.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/45-768x337.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/45-205x90.jpg 205w\" sizes=\"auto, (max-width: 1351px) 100vw, 1351px\" \/><\/center><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>The AsyncRAT client configuration is stored encrypted: the port, host, version, key, and so on.<\/li>\n<\/ul>\n<p><center><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-201082 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/46.jpg\" alt=\"\" width=\"1538\" height=\"687\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/46.jpg 1538w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/46-300x134.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/46-1024x457.jpg 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/46-768x343.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/46-1536x686.jpg 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/46-205x92.jpg 205w\" 
sizes=\"auto, (max-width: 1538px) 100vw, 1538px\" \/><\/center><\/p>\n<ul>\n<li>The Decrypt method is called on each config parameter. In the above image, we have documented the AsyncRAT C2 domain in use, orostros.mywire.org.<\/li>\n<li>This is a dynamic DNS hostname, which the malware author abuses so the C2 address can be repointed to new infrastructure without rebuilding the client.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>In conclusion, the rise of AsyncRAT and its distribution via masquerading as cracked software highlights the evolving tactics, techniques, and procedures (TTPs) employed by cybercriminals. By exploiting the lure of free software, these attackers are gaining unauthorized access to countless systems, jeopardizing sensitive information and digital assets.<\/p>\n<p>Understanding these TTPs is crucial for anyone looking to protect themselves from such threats. However, awareness alone isn\u2019t enough. To truly safeguard your digital presence, it\u2019s essential to use reliable security solutions. McAfee antivirus software offers comprehensive protection against various threats, including malware like AsyncRAT. With real-time scanning, advanced threat detection, and continuous updates, McAfee ensures your devices remain secure from the latest cyber threats.<\/p>\n<p>Don\u2019t leave your digital assets vulnerable. Equip yourself with the right tools and stay one step ahead of cybercriminals. Your security is in your hands\u2014make it a priority today.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. 
One&#8230;<\/p>\n","protected":false},"author":695,"featured_media":201129,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-201196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. One of the latest menaces\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. 
One of the latest menaces\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-19T11:24:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-29T07:05:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware\",\"datePublished\":\"2024-09-19T11:24:59+00:00\",\"dateModified\":\"2025-05-29T07:05:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/\"},\"wordCount\":2101,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/\",\"name\":\"Cracked Software or Cyber Trap? 
The Rising Danger of AsyncRAT Malware | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png\",\"datePublished\":\"2024-09-19T11:24:59+00:00\",\"dateModified\":\"2025-05-29T07:05:18+00:00\",\"description\":\"Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. One of the latest menaces\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@typ
e\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware | McAfee Blog","description":"Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. One of the latest menaces","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware | McAfee Blog","og_description":"Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. 
One of the latest menaces","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2024-09-19T11:24:59+00:00","article_modified_time":"2025-05-29T07:05:18+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Cracked Software or Cyber Trap? 
The Rising Danger of AsyncRAT Malware","datePublished":"2024-09-19T11:24:59+00:00","dateModified":"2025-05-29T07:05:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/"},"wordCount":2101,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/","name":"Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png","datePublished":"2024-09-19T11:24:59+00:00","dateModified":"2025-05-29T07:05:18+00:00","description":"Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are being found. 
One of the latest menaces","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_051023.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cracked-software-or-cyber-trap-the-rising-danger-of-asyncrat-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Cracked Software or Cyber Trap? 
The Rising Danger of AsyncRAT Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/201196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=201196"}],"version-history":[{"count":6,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/201196\/revisions"}],"predecessor-version":[{"id":214684,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/201196\/revisions\/214684"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/201129"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=201196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=201196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=201196"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=201196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}