New Variant of AsyncRAT Malware Spreading Through Pirated Software

Cyber Security Threat Summary:
According to researchers at Avast, a new variant of AsyncRAT is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. Dubbed HotRat, the remote access trojan has been seen in the wild since October 2022, with majority of the infections being located in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attack chain disclosed by Avast entails bundling cracked software available online via torrent sites with a malicious AutoHotKey (AHK script). This script is designed to initiate an infection chain that leads to the deactivation of antivirus solutions on the compromised host, ultimately resulting in the deployment of the HotRat payload via a Visual Script loader.

“HotRat, described as a comprehensive RAT malware, comes with nearly 20 commands, each of which executes a .NET module retrieved from a remote server, allowing the threat actors behind the campaign to extend its features as and when required. That said, it's worth noting that the attack requires administrative privileges to successfully realize its goals” (The Hacker News, 2023).

Security Officer Comments:
Like AsyncRAT, HotRat comes with spying and personal data theft capabilities. This includes capabilities to steal login credentials and cryptocurrency wallets, capture the victim’s screen, log keystrokes entered by the victim, and load additional payloads. As mentioned above, the trojan is designed to locate and terminate Antivirus solutions including Avast, Malwarebytes, AVG, Avira, and McAfee to further evade defenses and evade detection. To maintain persistence on the victim’s system, a scheduled task is also created which periodically runs a VBS loader every two minutes designed to load the HotRat payload.

Suggested Correction(s):
Avoid downloading pirated software from torrent websites as threat actors will host such domains to infect unsuspecting users with malicious payloads. Organizations can specifically block malicious URLs that could be used to spread malware, preventing their employees from falling victim. Ensuring systems are periodically up to date and installing Antivirus solutions can also be beneficial in preventing potential infections.

Link(s):
https://thehackernews.com/2023/07/hotrat-new-variant-of-asyncrat-malware.html https://decoded.avast.io/