AsyncRAT, Possible Lumma Stealer, & Ransomhub Ransomware

AsyncRAT is an open-source remote access tool that published on GitHub and adopted by several threat groups. The malware is capable of multiple actions (1, including:

• Capturing keystrokes on a victim’s machine;
• Examining currently running processes, to determine if a debugger is present on the targeted device;
• Creating scheduled tasks that maintain persistence on infected devices; and
• Recording screen content on infected devices.

AsyncRAT has been used by multiple threat groups and, therefore, post-incident attribution can be difficult. It is likely that AsyncRAT is deployed by threat actors of all skill-levels including APT groups (2) and ransomware operations (3).

Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will very likely continue to use AsyncRAT over the next 12 months.

We base this assessment on internal Blackpoint observed incidents, such as this July 22nd incident against a Legal Services partner (4).

The APG’s assessment is augmented by external incident reports that detail the use of AsyncRAT to gain persistence, steal sensitive information, and deploy second stage payloads. For example:

• In August 2024, ConnectWise security researchers reported that AsyncRAT was the third-most common malware observed by the company in July 2024 (5).
• Also in August 2024, ReliaQuest security researchers reported that AsyncRAT remains one of their top malware variants observed in incidents (6).

The continued use of AsyncRAT to collect information, gain persistence, and deploy second-stage malware highlights threat actors’ determination to continue using the tool; it is likely that threat actors will continue to update and improve the tools capabilities over the next 12 months.

Blackpoint’s APG recommends the following remediations of mitigations of threat actor use of AsyncRAT in your environment.

• Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  • Consider a refresher for your employees on the specific types of malicious files seen downloaded in this incident, including:
    • .zip attachments
    • .wsf attachments
    • .html attachments
    • .xslm attachments
    • .pdf attachments
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  • Anomalous scheduled tasks and files stored in seemingly incongruous folders, such as a music folder, can be detected with behavior-based alerting methods – as we saw with this incident.
• Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.
  • In this incident, the AsyncRAT malware variant can record keystrokes, which in turn can be used to steal passwords that can be used to conduct additional malicious activities. Using secure password managers can help prevent credentials from being stolen and accounts being accessed by malicious threat actors.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
  • Threat actors often deploy scripts on a targeted environment to conduct malicious activity, such as Visual Basic file in this incident that was used to read the text contents of another file and execute commands in memory.
  • Restricting the ability to conduct this type of activity can help limit a threat actors ability to complete an attack.

Lumma Stealer is a malware-as-a-service (MaaS) that has been advertised on cybercriminal forums since at least 2022. Lumma Stealer is capable of targeting (8):

• Cryptocurrency wallets,
• Browser extensions,
• MFA instances, and
• Other sensitive data from the compromised system.

Information stealers such as Lumma Stealer are an attractive malware choice for threat groups, due to their ability to use and / or exfiltrate gathered information for profitable gain.

As infostealers in general – and Lumma Stealer specifically – is offered on multiple cybercriminal forums and therefore used by multiple threat actors, post-incident attribution as to which group used this malware in this incident is more difficult.

Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will likely continue to use infostealer malware such as Lumma Stealer over the next 12 months.

The APG’s assessment is based on external incident reports detailing the deployment of the Lumma Stealer malware. For example:

• In May 2024, eSentire security researchers reported an incident where a threat actor used fake update instances to deliver malware, including Lumma Stealer (9).
  • The victim user visited an infected webpage that contained malicious JavaScript code.
  • The code then directed the victim to the fake update page, that included a download link to a ZIP archive that automatically downloaded onto the victim’s device.
  • The final payload was reportedly BitRAT and/or Lumma Stealer.
• In July 2024, CrowdStrike security researchers reported a phishing domain that impersonated CrowdStrike and delivered malicious ZIP and RAR files containing a Microsoft Installer (MSI) loader (10).
  • The loader then reportedly executed Lumma Stealer packed with CypherIt.

Blackpoint’s APG recommends the following remediations of mitigations of threat actor use of infostealer malware – including Lumma Stealer – in your environment.

• Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  • Analysis of the incident observed this week indicated that the initial access vector was via a downloaded file, which may have been avoided with regular and effective end user security training.
• Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location, so they don’t “go rogue” and accidentally download malware from a malvertising or SEO poisoned instance.
  • Threat actors previously delivered malware, such as the information stealer in this incident, via fake updates and social engineering campaigns that lead victims to malicious websites. A software center with the real version of the faked malware lure might have prevented this incident altogether.
• Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desirable targets.
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  • Behavior-based techniques can help identify when a legitimate Windows utility, such as mshta.exe from this incident, is used in a manner that is abnormal within a victim network. Understanding where and why a Windows utility is needed can provide context to effectively determine when it is being used by threat actors.

Ransomhub ransomware is a ransomware-as-a-service (RaaS) operation that has been active since at least February 2024, with the operators reportedly taking a 10% commission from affiliates after successful ransom attempts.

Ransomhub is written in Golang and C++, according to an advertisement on a dark-web forum. Its encryptors’ asymmetric algorithm is based on x25519 and adjusted in AES256, ChaCha20, and XChaCha20 (11).

Data leak site tracking by Blackpoint’s Adversary Pursuit Group (APG) found that since February 2024, Ransomhub operators have listed 188 victims, with the majority of victims based out of North America (77) and in the Construction & Engineering (17) and Manufacturing (17) verticals.

However, Ransomhub ransomware has likely impacted more victims than those listed by its primary operators, as the data leak site does not include victims that may have paid the ransom or are otherwise omitted for other reasons known only to the criminals themselves.

Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will almost certainly continue to use Ransomhub ransomware over the next 12 months.

We base this assessment on the APG’s tracking of data leak sites, as reported previously, as well as external incident reports detailing Ransomhub ransomware deployment. For example:

• In August 2024, Sophos security researchers reported that the Ransomhub operators were observed using an EDR-killing tool dubbed EDRKillShifter (12).
  • The researchers reported an attempted Ransomhub incident that occurred in May 2024, during which threat actors tried to use the EDRKillShifter to evade detection.
  • The identification of a newly observed tool indicates that the Ransomhub ransomware operators are likely determined and sophisticated threat actors invested in enhancing its current malware and ransomware packages, rather than creating net-new code.
• In June 2024, Symantec security researchers reported that the Ransomhub operation is likely related to the Knight ransomware operation (13).
  • Knight operators purportedly sold their encryptor.
  • Subsequent analysis of the Ransomhub ransomware variant has led security researchers to believe that Ransomhub was likely created by a skilled and sophisticated threat actor updating the Knight encryptor for their own personal ransomware outfit.

Blackpoint’s APG recommends the following remediations of mitigations of threat actor use ofRansomhub Ransomware in your environment.

• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  • Behavior-based triggers and alerts can help identify threat actor actions, such as the netscan execution and lateral movement activities seen during this incident, thereby stopping an incident prior to network encryption.
• Establish effective VPN and firewall rules and configurations, including restricting access to port 3389, blocking RDP traffic between network security zones, and proper LDAP configurations.
  • VPNs that are configured incorrectly, such as using misconfigured LDAP (which sends traffic in cleartext), can allow threat actors to access credentials for later log-ins to legitimate accounts – as we saw during this incident analysis.
  • Additionally, publicly exposed VPN instances allow the threat actors to further abuse the configuration, accessing user accounts and moving laterally through an environment’s network – again, as we saw attempted during this incident.
• Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access! – to help decrease the chances of undetected credential compromise.
  • If threat actors are able to gain access to hashes or cleartext credentials, as they did during this incident, having MFA enabled can help provide an additional level of authentication to protect user accounts.
• Create and maintain data backups, including offline backups that are kept separate from the network and system. Should your system suffer a lockout from a ransomware attempt, your uncorrupted and easily reinstated data backups become a key part of your business continuity plan to resume regular operations.

1. MITRE’s Repository: “AsyncRAT” by MITRE on 2023-10-10
2. Trend Micro’s Blog: “New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware” by Daniel Lunghi; Jaromir Horejsi on 2022-04-27
3. Cyberint’s Blog: “Credentials And Control Go Bye, Bye, Bye with AsyncRAT: What You Need to Know” by Adi Bleih on 2024-05-05
4. Blackpoint Cyber’s Blog: “SYS01 Stealer, Ratty RAT, and AsyncRAT” by Blackpoint Cyber on 2024-07-26
5. ConnectWise’s Blog: “Monthly Threat Brief: July 2024” by Bryson Medlock on 2024-08-19
6. ReliaQuest’s Blog: “5 Malware Variants You Should Know” by Hayden Evans on 2024-08-15
7. VirusTotal’s Repository: “f734e1c89a5f9279e6f45ca6fcc85d4ae231995715b11203b0e31f4fcd2bc150” by VirusTotal on 2024-08-18
8. DarkTrace’s Blog: “The Rise of the Lumma Info-Stealer | Malware-as-a-Service” by Emily Megan Lim on 2023-09-06
9. eSentire’s Blog: “Fake Browser Updates delivering BitRAT and Lumma Stealer” by eSentire Threat Response Unit on 2024-05-29
10. CrowdStrike’s Blog: “Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure” by Counter Adversary Operations on 2024-07-24
11. Forescout’s Blog: “Analysis: A new ransomware group emerges from the Change Healthcare cyber attack” by Forescout Research – Vedere Labs on 2024-05-09
12. Sophos’s Blog: “Ransomware attackers introduce new EDR killer to their arsenal” by Andreas Klopsch on 2024-08-14
13. Symantec’s Blog: “RansomHub: New Ransomware has Origins in Older Knight” by Threat Hunter Team on 2024-06-05