Analysis of an AsyncRAT Variant from a ClickFix Powershell Script (Keylogger)

Listen to this Post

Featured Image
The article discusses a PowerShell script masquerading as a ClickFix Captcha, which ultimately delivers an AsyncRAT variant. The malware is heavily packed, with its configuration encoded in Base64 and AES encryption. It functions as a .NET loader and keylogger, posing significant risks to infected systems.

Source: Medium

You Should Know:

1. Detecting Malicious PowerShell Scripts

PowerShell is often abused by attackers. To detect suspicious activity, use:

 Log all PowerShell script execution (Admin rights needed) 
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force 
Enable-PSRemoting -Force 
Start-Transcript -Path "C:\PS_Logs\script_log.txt" -Append 

2. Analyzing Encoded Payloads

AsyncRAT uses Base64 + AES. To decode suspicious strings:

 Linux: Decode Base64 
echo "BASE64_STRING" | base64 -d

Check for AES encryption patterns (look for IV and key in code) 
openssl enc -d -aes-256-cbc -in encrypted.bin -out decrypted.txt -K KEY -iv IV 

3. Hunting AsyncRAT in Memory

AsyncRAT injects into .NET processes. Check running processes:

Get-Process | Where-Object { $_.Modules.ModuleName -like "AsyncRAT" } 

4. Keylogger Mitigation

Keyloggers capture keystrokes. Detect them via:

 Linux: Check loaded kernel modules 
lsmod | grep -i "keylogger"

Windows: Detect hidden keyloggers 
tasklist /v | findstr "log" 
wmic process where "name like '%log%'" get name,processid 

5. Network Traffic Analysis

AsyncRAT communicates with C2 servers. Monitor connections:

 Linux: Check active connections 
netstat -tulnp | grep -E "([0-9]{1,3}.){3}[0-9]{1,3}"

Windows: 
netstat -ano | findstr ESTABLISHED 

6. YARA Rule for Detection

Create a YARA rule to detect AsyncRAT:

rule AsyncRAT_Loader { 
meta: 
description = "Detects AsyncRAT .NET loader" 
strings: 
$a = "AsyncRAT" nocase 
$b = "AES" wide 
$c = "Keylogger" wide 
condition: 
any of them 
} 

What Undercode Say

AsyncRAT remains a persistent threat due to its modular design and encryption techniques. Defenders should:
– Monitor PowerShell execution logs
– Analyze memory for .NET injection
– Inspect network traffic for C2 beacons
– Use YARA/Sandboxing for detection

Expected Output:

  • Detection of malicious PowerShell scripts
  • Decrypted AsyncRAT configs
  • Identified keylogger processes
  • Blocked C2 communications

Prediction

AsyncRAT variants will continue evolving with better obfuscation, targeting both Windows and Linux systems. Expect increased use of living-off-the-land (LOTL) techniques, such as abusing legitimate tools like PsExec and WMI for stealthy execution.

IT/Security Reporter URL:

Reported By: Ktrl2 Analysis – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram