The Evolution of the AsyncRAT Ecosystem: Certificate and Infrastructure Analysis- image 1

The Evolution of the AsyncRAT Ecosystem: Certificate and Infrastructure Analysis

The article is also available at:
Ukrainian, Azerbaijani, Kazakh, Russian

Open source has accelerated the development of not only legitimate software, but also tools for cyberattacks. The AsyncRAT Remote Access Trojan has evolved into a sprawling ecosystem boasting about 40 known variants since its publication. Cybersecurity specialist Aidan Holland from company Censys investigated this structure, demonstrating the scale of cloning and malicious code development. Instead of continuous signature updates, defenders can exploit the architectural vulnerabilities of the attackers themselves for effective threat detection.

The Evolution of the AsyncRAT Ecosystem: Certificate and Infrastructure Analysis - image 1
EVOLUTION OF CODE

Branching and Expanding the RAT Family

AsyncRAT was first published on the GitHub platform in January 2019 by a developer under the pseudonym NYAN-x-CAT as a large-scale rework of the older Quasar RAT project. From this root version, numerous branches emerged. The largest offspring became DCRAT (DarkCrystal RAT), which in turn formed the basis for VenomRAT. This cascading process of creating new versions led to the emergence of dozens of specific trojans, including LMTeamRAT, EchoRAT, BitRAT, and Alfa Red Fox. Such multi-level branching of code presents a complex problem for security teams, which are forced to constantly adapt detection bases to new modifications instead of eliminating the root cause.

VULNERABILITY INDICATORS

Certificate Patterns as Detection Markers

Despite the complexity of the entire ecosystem, architectural uniformity has become a weak point for cybercriminals. Analysis confirmed that each new trojan variant primarily inherits the TLS certificate structure of its predecessor without significant changes. The central marker for identifying this family has become the combination of fields “O=<Name> By <author>, L=SH, C=CN,” initiated by DCRAT. Using this combination on non-standard ports allows identification of the C2 live environment even when the specific malware version lacks its own branding. Experts note that certificate metadata remains the most reliable surface for detection, as the names of assembly authors or parent programs remain unchanged.

ACTIVITY ANALYSIS

Infrastructure Distribution by Frequency

The scale of ecosystem deployment remains extremely uneven depending on the specific variant. According to inspection results, the basic version of AsyncRAT holds the largest presence, encompassing about 49 confirmed hosts. Its descendant DCRAT operates on approximately 36 control servers, and Gh0stRAT (created based on DCRAT) uses over 20 hosts. The study also revealed that specific collector pseudonyms, such as “qwqdanchun” or “alexeikun,” often appear in certificate fields, optimizing the process of tracking large-scale campaigns.

SPECIFIC VARIANTS

Significance of Low-Active Trojans

A separate category consists of narrowly targeted variants that are often launched on a single active host, or have no confirmed live infrastructure at the time of inspection. Examples include LMTeamRAT, ElegyRAT, CyberSpike, and JasonRAT. The importance of these individual trojans lies in their metadata, which contains combinations of identifiers that are not easily spoofed. For example, the certificate for LMTeamRAT unequivocally points to both the parent branch VenomRAT and a specific developer. Monitoring these less active nodes is extremely important, as they can be indicators of preparations for targeted attacks on enterprises.

MONITORING OPTIMIZATION

False Positive Problems

Exclusively using variant names to track threats has significant limitations. Unique names like ArchosaurRAT or ShiningForceRAT create clear queries, generating a minimal amount of false positives. At the same time, searching under more general names leads to critical conflicts with legitimate organizations. For example, requests about PhoenixRAT intersect with industrial equipment of the Phoenix Contact GmbH company, and results for PegasusRAT get lost in the information noise from NSO Group products. Therefore, detection systems need a verified sample of the certificate or control panel contents, not just a name match.

The evolution of the AsyncRAT ecosystem demonstrates the need to transition from classic file signature blocking to tracking infrastructure patterns. Malefactors will continue to create new code branches, yet their reliance on outdated TLS certificate structures remains a powerful tool for defense teams. Analyzing this metadata can significantly increase the efficiency of detecting C2 environments.

iIT Distribution is a distributor of solutions for information security and IT infrastructure. The iITD expert team provides comprehensive support during consulting, design, deployment, and configuration of advanced Threat Intelligence systems. Collaboration with iIT Distribution guarantees qualified support at all stages of partner projects, helping teams adapt to the evolving threat landscape.

News

Current news on your topic

All news
All news