Reborn in Rust: Attempt to thwart malware analysis
May 26, 2025, 3:10 p.m.
Description
AsyncRAT, a remote access trojan known since 2019, has been rewritten in Rust, marking a shift from its original C# implementation. The rewrite aims to complicate reverse engineering, because analysis tools have limited support for Rust. The malware retains its core functionality, including plugin installation, code execution, and persistence. It installs via scheduled tasks or by copying to a temporary directory, stores plugins in the registry, and communicates with command and control servers over TLS. The Rust variant supports fewer commands than its .NET counterpart, suggesting ongoing development. The malware collects system information, including the hardware ID, OS details, and the presence of antivirus software. Debug strings in the samples indicate active development of this Rust version.
Date
- Created: May 26, 2025, 12:59 p.m.
- Published: May 26, 2025, 12:59 p.m.
- Modified: May 26, 2025, 3:10 p.m.
Indicators
- eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459
- mohsar.ddns.net
- magic-telecom.ddns.net
- backup-tlscom.sytes.net