SYS01 Stealer, Ratty RAT, and AsyncRAT

Ratty is an open-source JavaScript remote access trojan (RAT), available on GitHub and promoted on cybercriminal forums. Ratty RAT allows threat actors to (1):

• Run commands remotely,
• Collect system data,
• Take screenshots,
• Collect keystrokes to harvest credentials, and
• Record audio and video from infected devices.

Threat actors deploy Ratty RAT via social engineering attacks – typically phishing emails with malicious attachments.

Ratty RAT’s widespread availability and utility leads to its use by multiple threat groups, making post-incident attribution more difficult.

The APG predicts that threat actors will likely continue to deploy Ratty RAT over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, in addition to external incident reports that detail the use of Ratty RAT for persistence and harvesting sensitive data.

• In 2021, security researchers with Infoblox Threat Intel reported a social engineering campaign that resulted in Ratty RAT deployment (1).
  • The malicious emails appeared to contain shipping instructions and included a .jar attachment.
• In 2024, eSentire security researchers reported a tax-themed phishing campaign that deployed Ratty RAT (2).
  • The phishing email ultimately distributing Ratty RAT contained a malicious .zip attachment with a JAR payload.
  • Threat actors then attempted to gain persistence using Ratty RAT via Startup and Registry Run Keys.

Blackpoint’s APG recommends the following actions to help mitigate the deployment of Ratty RAT.

• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
• Regularly audit and both environment and endpoints, which includes monitoring java and javaw processes. Ratty RAT has a proven history of using these processes, and abnormal use could indicate malicious activity.
• Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conducting certain activities.
• Operate from a zero trust mentality, which assumes that all requests to each resource are malicious unless proven and authenticated otherwise, and embodies aggressive and continuous monitoring and management.

Active since 2019, AsyncRAT is another frequently used remote access trojan (RAT) whose capabilities include but are not limited to (3):

• Capturing keystrokes on the victim’s machine,
• Gaining persistence via scheduled tasks,
• Viewing the endpoint’s screen, and
• Examining running processes

In a new joint cybersecurity advisory released on July 25, 2024 (12), the FBI and CISA (among other organizations) list AsyncRAT as one of several “commodity malware” tools deployed by North Korean threat actor groups.

Note, however, that the APG does not attribute this incident as specifically carried out by any North Korean threat group, as “[the] use of publicly available malware enables the [North Korean threat] actors to conceal and obfuscate their identities and leads to attribution problems” (12).

The APG predicts that threat actors will likely continue to deploy AsyncRAT for persistence over the next 12 months.

We base this assessment on numerous Active SOC-observed attacks within Blackpoint-protected environments, including other publicly analyzed attacks on:

• A Financials partner on July 15, 2024 (4)
• An Industrials partner on June 13, 2024 (5); and
• A Healthcare partner on April 22, 2024(6).

In addition to the APG’s own internal analysis, external researchers often discover and observe AsyncRAT in their incident reporting, including:

• In February 2024, Red Canary researchers reported that AsyncRAT was tied for the 7th most frequently observed malware within their customer environments for the month of January 2024 (7).
  • The researchers reported that 3LOSH – a crypter frequently used to package and deliver RATs – delivered AsyncRAT.
• In June 2024, ConnectWise researchers reported AsyncRAT as the top malware variant observed within their client’s environments (8). Researchers reported that the AsyncRAT malware is:
  • Written in .NET,
  • Used by multiple threat groups, and
  • “Revered” for its customizability and evasion techniques.

Blackpoint’s APG recommends the following actions to help mitigate AsyncRAT infections.

• Monitor system activity through heuristics-based triggers and alerts, which can help identify legitimate software being installed or used in suspicious or abnormal methods and identify behaviors.
• Require the use of secure password managers and disable the storage of plaintext passwords and local password caching, making password access more difficult.
• Minimize the use of – or implement strict controls on – the use of scripting languages. Restricting script use for users who should not be conducting this type of activity for regular business operations can limit a threat actors’ ability to deploy malicious scripts on compromised user instances.
• Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conduct certain activities associated with malware.

SYS01 Stealer (AKA Album Stealer, S1deload Stealer) is an information stealer that has been active since 2022. The malware was originally written in C#, while newer versions are written in PHP (9).

Threat actors often deploy SYS01 Stealer malware via phishing emails with malicious attachments and fake Facebook profile pages that lure victims into clicking a link. The malware then attempts to gain persistence via Registry Run Keys and scheduled tasks.

When deployed on a victim’s machine, the SYS01 Stealer malware collects information, including:

• System information, such as model/manufacturer;
• Stored credentials;
• Browser data; and
• Facebook data.

The APG predicts that threat actors will likely continue to deploy SYS01 Stealer for credential access over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, as well as external reporting related to the use of SYS01 Stealer for credential access and collection of sensitive data.

• In March 2023, Morphisec researchers reported a SYS01 Stealer campaign targeting government and manufacturing entities (10).
  • This campaign reportedly began with luring a victim to click on a URL from a fake Facebook profile or advertisement to download a ZIP file.
• In July 2024, Trustwave security researchers released details of a new SYS01 Stealer (11). This new malware version can:
  • Take over Facebook accounts,
  • Steal credential information, and
  • Leverage legitimate accounts to further spread the malware.

Blackpoint’s APG recommends the following actions to help mitigate the deployment of the SYS01 Stealer.

• Require the use of secure password managers and disable the storage of plaintext passwords and local password caching, making passwords access more difficult for credential stealers such as SYS01.
• Conduct employee security awareness training, covering how users can:
  • Spot a phishing email,
  • Recognize suspicious ads, and
  • Avoid malicious and suspicious posts/links on social media.
• Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
• In addition to MFA requirements, organizations can implement and enforce VPNs where feasible, to ensure only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.

1. Infoblox’s Blog: “FAKE SHIPPING EMAILS DELIVER RATTY RAT” by Avinash Shende on 2021-08-27
2. eSentire’s Blog: “Beware the Bait: Java RATs Lurking in Tax Scam Emails” by eSentire Threat Response Unit on 2024-02-26
3. MITRE’s Repository: “AsyncRAT” by MITRE on 2023-10-10
4. Blackpoint Cyber’s Blog: “CrowdStrike BSOD Help, Advanced IP Scanner, TeamViewer, NetSupport RAT, & AsyncRAT” by Blackpoint Cyber on 2024-07-19
5. Blackpoint Cyber’s Blog: “AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion” by Blackpoint Cyber on 2024-06-21
6. Blackpoint Cyber’s Blog: “RATs, Malicious PC Hunter, AnyDesk Abuse, and Malicious PowerShell Scripts” by Blackpoint Cyber on 2024-04-26
7. Red Canary’s Blog: “Intelligence Insights: February 2024” by The Red Canary Team on 2024-04-30
8. ConnectWise’s Blog: “Monthly Threat Brief: June 2024” by Bryson Medlock on 2024-07-22
9. Trustwave’s Blog: “Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01” by Trustwave SpiderLabs on 2024-07-15
10. Morphisec’s Blog: “How SYS01 Stealer Will Get Your Sensitive Facebook Info” by Arnold Osipov on 2023-03-07
11. Trustwave’s Whitepaper: “Facebook Malvertising Epidemic” by Trustwave SpiderLabs on 2024-07-15
12. Federal Bureau of Investigation (FBI)’s Joint Cybersecurity Advisory: “North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs” by The Department of Justice, the Cyber National Mission Task Force, CISA, DoD Cyber Center, NSA, National Inteligence Service, Korean National Police Agency, and the National Cyber Security Centre on 2024-07-25