Sunday, March 9, 2025

AsyncRAT in Action: UAC-0173’s Latest Advanced Antivirus Detection & Evasion Techniques

Summary

UAC-0173 is a threat actor group known for targeting Ukrainian organizations with sophisticated malware campaigns. One of its preferred tools is AsyncRAT. This report examines the antivirus detection and evasion techniques used by UAC-0173 in its AsyncRAT campaigns and offers insights into how defenders can detect them.

Abuse.ch's Malware Bazaar is an excellent platform for sharing and analyzing malware samples. By contributing to the community, I’m helping to improve global cybersecurity defenses, and I’ve uploaded the sample there to share it.


Technical analysis

Basic info

The sample hashes:

MD5 e9cedc98677b6b5146b14009ced7d624

SHA1 1b6e14e578c613932496bfd49c616760bdceb2c1

Operating system: Windows (I386, 32-bit, EXEC)

Packer: no

Deploy main abilities

This client program, like other RATs, has a set of core abilities: checking for VMs or sandboxes, killing processes, privilege escalation, and so on. The sections below introduce them one by one.

Anti-Analysis

As an anti-analysis measure, the sample turns to WMI (Windows Management Instrumentation). WMI is a powerful tool for managing and querying system information, and it is used by system administrators, developers, and malware authors alike. A new finding in the latest variant is the query SELECT * FROM Win32_CacheMemory, which retrieves information about the cache memory on a Windows system. Win32_CacheMemory is a WMI class that represents the system's cache memory and provides details such as its size, type, and status. Here it appears to be used to detect whether the code is running in a virtualized environment (e.g., a VM or sandbox).

Fig.1 WMI with Win32_CacheMemory


Killing processes

Like other malware, it takes the usual approach: the CreateToolhelp32Snapshot Windows API creates a snapshot of the processes, heaps, modules, or threads in the system, and the sample walks that snapshot to terminate the following processes, a mix of legitimate system utilities, antivirus (Windows Defender) components, and analysis tools:

Taskmgr.exe
ProcessHacker.exe
procexp.exe
MSASCui.exe
MsMpEng.exe
MpUXSrv.exe
MpCmdRun.exe
NisSrv.exe
ConfigSecurityPolicy.exe
MSConfig.exe
Regedit.exe
UserAccountControlSettings.exe
taskkill.exe
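To show how a defender could spot this behaviour on an endpoint, here is an added example (not part of the original post and not AsyncRAT's code) that groups process-exit records per host and alerts when several processes from the kill list above end within a short window, which is the footprint a snapshot-and-terminate loop leaves behind. The record format, host names, timestamps and the 60-second / three-process thresholds are all constructed assumptions for the example.

```python
"""Burst detector for security-tool terminations (added example, not the sample's code).

Reads simple process-exit records and alerts when several processes from the
report's kill list end on one host within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the report lists as killed by the sample, compared case-insensitively.
KILL_LIST = {name.lower() for name in (
    "Taskmgr.exe", "ProcessHacker.exe", "procexp.exe", "MSASCui.exe",
    "MsMpEng.exe", "MpUXSrv.exe", "MpCmdRun.exe", "NisSrv.exe",
    "ConfigSecurityPolicy.exe", "MSConfig.exe", "Regedit.exe",
    "UserAccountControlSettings.exe", "taskkill.exe",
)}

# Constructed sample records in the form "<ISO timestamp> <host> <image path>".
# The format, hosts and times are assumptions for this example, not real telemetry.
SAMPLE_LOG = """\
2025-03-09T10:00:01 WS01 C:\\Windows\\System32\\notepad.exe
2025-03-09T10:00:03 WS01 C:\\Windows\\System32\\Taskmgr.exe
2025-03-09T10:00:03 WS01 C:\\Program Files\\Windows Defender\\MsMpEng.exe
2025-03-09T10:00:04 WS01 C:\\Program Files\\Windows Defender\\NisSrv.exe
2025-03-09T10:00:04 WS01 C:\\Windows\\regedit.exe
2025-03-09T10:05:00 WS02 C:\\Windows\\System32\\Taskmgr.exe
2025-03-09T11:30:00 WS02 C:\\Windows\\System32\\procexp.exe
"""


def parse_record(line):
    """Split one record into (timestamp, host, lowercase image file name)."""
    stamp, host, image = line.split(" ", 2)
    return datetime.fromisoformat(stamp), host, image.rsplit("\\", 1)[-1].lower()


def find_kill_bursts(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {host: [process names]} for hosts where at least `threshold`
    kill-list processes ended within `window`. A single Task Manager exit is
    normal; a cluster of Defender components dying together is not."""
    exits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            stamp, host, name = parse_record(line)
            if name in KILL_LIST:
                exits[host].append((stamp, name))

    alerts = {}
    for host, events in exits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each event; stop at the first burst found.
            in_window = [name for stamp, name in events[i:] if stamp - start <= window]
            if len(in_window) >= threshold:
                alerts[host] = in_window
                break
    return alerts


if __name__ == "__main__":
    for host, names in find_kill_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(names)} kill-list processes ended within 60s: {names}")
```

Run against the constructed records, WS01 (four Defender and admin-tool exits in two seconds) raises an alert while WS02 (two exits more than an hour apart) does not; the window and threshold are parameters so the same function can be tuned against real process-termination telemetry.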


Retrieve Antivirus

It also uses the query SELECT * FROM AntivirusProduct, a WMI query that retrieves information about the antivirus products installed on a Windows system. This WMI class provides details such as the product name, version, and status.

Fig.2 WMI with AntivirusProduct


Privilege Escalation

Malware often checks whether the current user has administrative privileges to determine whether it can perform privileged operations. Here it checks for the well-known RID 544 (the built-in Administrators group) alongside other well-known RIDs (e.g., 545 for Users, 546 for Guests).


Bypass technique

The snippet below appears to disable or tamper with Windows' Antimalware Scan Interface (AMSI) by modifying the AmsiScanBuffer function in amsi.dll. This is a well-known technique used by malware to bypass Windows Defender and other security solutions. The relevant strings are Base64-encoded.

Fig.3 Tampering with Windows' Antimalware Scan Interface (AMSI)
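To give defenders a concrete way to look for the indicators this report describes (the two WMI queries from the Anti-Analysis and Retrieve Antivirus sections, the process kill list, and the Base64-encoded AMSI strings), here is an added example written for this page; it is not the sample's code and not a vendor tool. It scans a byte blob, decodes any plausible Base64 runs, and reports which indicators appear in plain or decoded text. The blob it runs on is constructed for the demonstration, and the assumption that the sample uses the standard Base64 alphabet is noted in the code.

```python
"""Static string triage for the indicators described in this report.

Added example (not the sample's code, not a vendor tool): scans a byte blob for
the plaintext WMI queries, the process kill list and the AMSI strings; because
the report says the AMSI strings are Base64-encoded, plausible Base64 runs are
decoded and searched as well.
"""
from __future__ import annotations

import base64
import binascii
import re

# Indicator sets taken from the report text.
WMI_QUERIES = ("SELECT * FROM Win32_CacheMemory", "SELECT * FROM AntivirusProduct")
AMSI_MARKERS = ("amsi.dll", "AmsiScanBuffer")
KILL_LIST = (
    "taskmgr.exe", "processhacker.exe", "procexp.exe", "msascui.exe",
    "msmpeng.exe", "mpuxsrv.exe", "mpcmdrun.exe", "nissrv.exe",
    "configsecuritypolicy.exe", "msconfig.exe", "regedit.exe",
    "useraccountcontrolsettings.exe", "taskkill.exe",
)

# Standard-alphabet Base64 runs of at least 8 characters. Assumption: the sample
# uses the standard alphabet (what .NET's Convert.ToBase64String emits).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_base64_runs(data: bytes) -> list[str]:
    """Return the UTF-8 text of every run in data that decodes as valid Base64."""
    decoded = []
    for match in B64_RUN.finditer(data):
        token = match.group()
        token += b"=" * (-len(token) % 4)  # re-pad runs whose padding was stripped
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # a long identifier that merely looks like Base64
        decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded


def triage(data: bytes) -> dict[str, set[str]]:
    """Map each indicator family to the indicators found in plain or decoded text."""
    findings: dict[str, set[str]] = {"wmi": set(), "amsi": set(), "kill": set()}
    haystacks = [data.decode("latin-1")] + decode_base64_runs(data)
    for text in haystacks:
        lowered = text.lower()
        findings["wmi"].update(q for q in WMI_QUERIES if q in text)
        findings["amsi"].update(m for m in AMSI_MARKERS if m in text)
        findings["kill"].update(p for p in KILL_LIST if p in lowered)
    return findings


def build_constructed_sample() -> bytes:
    """A constructed stand-in for a string dump of the sample (not real sample data):
    one plaintext WMI query, the AMSI strings Base64-encoded, two kill-list names."""
    encoded = [base64.b64encode(s.encode()).decode() for s in AMSI_MARKERS]
    parts = ["SELECT * FROM Win32_CacheMemory", *encoded, "MsMpEng.exe", "Taskmgr.exe"]
    return "\x00".join(parts).encode()


if __name__ == "__main__":
    for family, hits in triage(build_constructed_sample()).items():
        print(f"{family}: {sorted(hits)}")
```

In practice the input would be the strings section or a memory dump of the sample. The decoder re-pads runs whose trailing "=" was stripped and skips runs that fail strict validation; long identifiers that happen to look like Base64 decode to unrelated bytes rather than to any indicator, so they do not produce matches.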
Conclusion

From the above analysis, it is clear that Windows Management Instrumentation (WMI) is widely used by malware for evasion. UAC-0173 appears skillful and active in this respect. Additionally, it is worth mentioning that many of UAC-0173's attack samples are written in .NET. This is a more hidden threat in the digital world; let’s pay close attention.


IoCs

File:

MD5 e9cedc98677b6b5146b14009ced7d624

SHA1 1b6e14e578c613932496bfd49c616760bdceb2c1


References

1. hxxps[:]//cert.gov.ua/article/6282536

2. hxxps[:]//bazaar.abuse.ch/user/18825/


End.