AsyncRAT Campaigns Feature 3LOSH Crypter That Obfuscates Payloads

Ongoing malware distribution campaigns spread AsyncRAT, including the 3LOSH crypter across public repositories. Recent cybersecurity research analyzes the latest version of 3LOSH that is being used by adversaries to evade detection on devices in corporate environments. Besides AsyncRAT, a number of other commodity malware strains can be distributed by the same operator. The purpose of this spike in the use of crypters is to increase the operational effectiveness of RAT and, as a result, exfiltrate sensitive data.

Security analysts warn organizations that cyber-attacks may be leveraged by various threat actors, while the complexity of tools like the 3LOSH crypter is being continuously updated and improved. See our newest detections below which help to spot the latest activity of the 3LOSH crypter.

3LOSH Builder/Crypter Detection

The novel Sigma-based detection rule written by our prolific Threat Bounty Developer Kyaw Pyiyt Htet recognizes possible 3LOSH execution based on the availability of certain malicious files:

Suspicious 3LOSH (AsyncRAT) RAT Execution by Detection of Malicious Files (file_event)

This rule can be automatically converted to the following security solutions: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, Microsoft Defender for Endpoint, Devo, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Qualys, AWS OpenSearch.

The Sigma rule is mapped to the latest MITRE ATT&CK® version, addressing the Execution tactic and Command and Scripting Interpreter technique (T1059).

Since AsyncRAT and 3LOSH in their older versions were spotted by threat intelligence specialists before, you can avail of our previous detections and see if there is anything else you should add to your threat hunting routine. If you have your own exclusive approach to detecting cyber threats and strive to share your expertise with the world, you’re highly welcome to join our crowdsourcing initiative.

View Detections Join Threat Bounty

AsyncRAT Payloads and 3LOSH Analysis

A multi-stage infection process leveraged by AsyncRAT starts with VBScript code that is executed from an ISO file. The VBS uses junk data in its contents to obfuscate the code it executes with the help of string replacement. After deobfuscation of the code, this VBS contacts a C&C server to retrieve a PowerShell script for enabling the next stages of RAT execution.

During these stages, the malware might choose various directory locations and use various file names which are, nevertheless, functionally equivalent. Ultimately, the script scans the victim’s system, then creates a working directory for the malware in a certain location that resembles something common like C:\ProgramData\Facebook\System32\Microsoft\SystemData.

After that, additional scripts are created, triggering the execution of the “Office.vbs” file and moving on to the next step of the infection process. Most of the RAT’s objectives are performed in this third stage. For example, to establish persistence, another PowerShell script creates and immediately executes a new Scheduled Task with the name “Office” and repeats it every two minutes. The final payload may vary, yet most of the analyzed samples were AsyncRAT and LimeRAT.

Researchers conclude that 3LOSH crypter is a malware crypter that is currently under active development, being spread embedded in different commodity RATs. So the effective detection strategy should include the ability to spot the crypter independent of final payloads. Join SOC Prime’s Detection as Code platform to continuously stay updated on the new detection content and keep abreast of the current threats.