

Severity
Medium
Analysis Summary
AsyncRAT is an open-source remote administration tool that communicates with its controller over encrypted connections. Although it is presented as a remote-monitoring utility, it provides keylogging, remote access, file transfer and other capabilities that threat actors use to take control of a victim's machine. Once running, it can drop further files onto the host, which in turn can install additional malware, and it has been used to copy malicious programs onto USB drives so that the infection spreads to other systems. Numerous malware campaigns and threat actors have used AsyncRAT in recent attacks. A social engineering campaign targeting users of Thailand Pass, the Thai government's COVID-19 travel registration scheme, was observed delivering it, and the Follina (CVE-2022-30190) outbreak in Australia spread AsyncRAT as its final payload. AsyncRAT is delivered through several vectors, including spear-phishing, malicious advertising and exploit kits.
One of AsyncRAT's key features is its use of encryption and obfuscation, both of its stored configuration and of its command-and-control traffic, to evade signature-based detection by anti-malware software. It can also update itself and download additional modules or plugins that add new features or extend its capabilities, so the sample first seen on a host is rarely the full set of functionality it will eventually run. To protect against AsyncRAT and similar malware, keep software and security patches up to date, use strong access controls and passwords, and regularly back up important data. Run anti-malware software and treat unexpected emails, attachments and links with suspicion. If a system is suspected of being infected with AsyncRAT, isolate it from the network before remediating, since the operator has interactive access, and seek the assistance of a security professional.
Impact
- Unauthorized Access
- Information Theft
Indicators of Compromise
MD5
157a3f7a20b22e78c4d3f7ea88538ff7
4fc044304cc6300f4c616587d81b0244
5d37e31fe1b07076f070f06d7a2cf9fb
f19b26c89e1f24ef851ef90a957b005e
SHA-256
0ffd5b54317e01a658684577fee5d5c5f53d5b2e105e7cf8c1cdfd9bd8fee780
882693e145705dcc3ecc52d5fd5187cdf3ae6da1c67af12e229746b0d64e9454
ed83e0889ed251a46197ea2877dc74957a67551f746d64cda4dbd870b883db1d
41637b28731d8fb9ad25604473416f52ca9fc192918ef57a39b2a3f667f493ac
SHA-1
5289f49becfab4122f62ac5dc5f4ed4a6430d1e3
2497c2a35feba85a5e7500e86f24d78b959b31b0
b0731819832701056f1799ee1f52a222fcb93b65
084b35e92e657597ad5d4dfe08eee5b9927c8115
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls (endpoint, SIEM, mail and web gateways).
- Do not open documents attached to emails from unknown sources, and never enable macros when the source is not trusted.
- Enable antivirus and anti-malware software and keep signature definitions current. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software on time, and make timely patching a standard security policy.
- Enforce access management policies, including least privilege and multi-factor authentication for remote access.
- Along with network and system hardening, harden the organization's own code so that its websites and software are secure, and use testing tools to detect vulnerabilities in deployed code.
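As an added example, not code from the original advisory or from the AsyncRAT project, the following Python script implements the "search for IOCs in your environment" step offline: it checks that the hash list above is well-formed hex of the right length (a cheap guard against copy/paste damage before the list is loaded into a control), hashes every file under a directory once with all three algorithms, and reports any file whose digest matches. The MD5, SHA-1 and SHA-256 values are the advisory's own indicators; the scratch directory, file names and the planted file's contents in the demonstration are constructed for illustration and are not real samples.

```python
"""Offline IOC sweep: hash files on disk and match them against the advisory's
MD5 / SHA-1 / SHA-256 indicators. Added example; not part of the original advisory."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the advisory above.
IOC_HASHES = {
    "md5": {
        "157a3f7a20b22e78c4d3f7ea88538ff7",
        "4fc044304cc6300f4c616587d81b0244",
        "5d37e31fe1b07076f070f06d7a2cf9fb",
        "f19b26c89e1f24ef851ef90a957b005e",
    },
    "sha1": {
        "5289f49becfab4122f62ac5dc5f4ed4a6430d1e3",
        "2497c2a35feba85a5e7500e86f24d78b959b31b0",
        "b0731819832701056f1799ee1f52a222fcb93b65",
        "084b35e92e657597ad5d4dfe08eee5b9927c8115",
    },
    "sha256": {
        "0ffd5b54317e01a658684577fee5d5c5f53d5b2e105e7cf8c1cdfd9bd8fee780",
        "882693e145705dcc3ecc52d5fd5187cdf3ae6da1c67af12e229746b0d64e9454",
        "ed83e0889ed251a46197ea2877dc74957a67551f746d64cda4dbd870b883db1d",
        "41637b28731d8fb9ad25604473416f52ca9fc192918ef57a39b2a3f667f493ac",
    },
}

# Expected hex-digit length of each digest type.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_iocs(iocs=IOC_HASHES):
    """Return (algo, value) pairs that are not well-formed hex of the expected length.
    An empty list means the feed is safe to load into a blocking control."""
    bad = []
    for algo, values in iocs.items():
        n = HEX_LEN[algo]
        for v in values:
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", v.lower()):
                bad.append((algo, v))
    return bad


def hash_file(path, chunk_size=1 << 20):
    """Compute all three digests in a single pass so each file is read only once."""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LEN}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_iocs(digests, iocs=IOC_HASHES):
    """Return the (algo, hash) pairs from `digests` that appear in the IOC set.
    Comparison is case-insensitive because feeds mix upper- and lower-case hex."""
    hits = []
    for algo, value in digests.items():
        known = {v.lower() for v in iocs.get(algo, ())}
        if value.lower() in known:
            hits.append((algo, value.lower()))
    return hits


def sweep(root, iocs=IOC_HASHES):
    """Walk `root` and return {path: hits} for every file matching an IOC.
    Files that cannot be read (locked, permission denied) are skipped, not fatal."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                hits = match_iocs(hash_file(p), iocs)
            except OSError:
                continue
            if hits:
                findings[str(p)] = hits
    return findings


def demo_sweep():
    """Constructed demonstration (hypothetical files, not real malware): plant one
    file, register its SHA-256 as an extra IOC, and show the sweep flags only it."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"quarterly numbers\n")
        planted = Path(tmp) / "update.exe"
        planted.write_bytes(b"MZ" + b"\x90" * 64)  # stand-in bytes, not a real sample
        iocs = {algo: set(v) for algo, v in IOC_HASHES.items()}
        # Upper-case on purpose to exercise the case-insensitive match.
        iocs["sha256"].add(hashlib.sha256(planted.read_bytes()).hexdigest().upper())
        findings = sweep(tmp, iocs)
        return findings, str(planted)


if __name__ == "__main__":
    print("malformed IOCs:", validate_iocs())
    findings, planted = demo_sweep()
    for path, hits in findings.items():
        print(path, "->", hits)
```

Run it against a real directory with `sweep("/path/to/scan")` after `validate_iocs()` returns an empty list; an MD5 or SHA-1 match alone is a strong lead but should be confirmed by the SHA-256, which is why all three digests are computed and reported together.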