Censys ARC Flash Episode 3: AsyncRAT and FortiBleed

Censys ARC Flash

In Episode 3 of Censys ARC Flash, Principal Security Researcher Silas Cutler and Senior Security Researcher Aidan Holland discuss recent research into AsyncRAT malware variants, emerging findings around the FortiBleed campaign targeting FortiGate devices, and what defenders should know about modern malware ecosystems.


Silas:
Hi my name is Silas Cutler. I’m a principal researcher here at Censys and today I’m joined by Aidan Holland as well.

Aidan:
Hi there. I’m a senior security researcher here at Censys, and I focus mostly on malware reverse engineering. Really excited to get to talk to you guys today.

Silas:
Fantastic. So today we’ve got two things on the agenda. We’re gonna talk about AsyncRAT and the reporting that Aidan’s done recently. And then we’re gonna round out with talking about FortiBleed and the case that started mid June and seems to continue on.

All right, let’s dive right in. So Aidan, what was it, last week that you published on AsyncRAT? And I think this is the second post you’ve had on AsyncRAT. Tell us about what you found.

Aidan:
Sure. For sure. So AsyncRAT’s kind of a funny one. For those who are not familiar, it’s posted on GitHub, it’s open source, it’s everywhere, it’s written in .NET you know, it’s pretty present, pretty accessible, which makes it a great target for people to white label and rebrand and sell in the various forums. So we kind of spent the time of tracking down like, what are all the different variants? Where do they live and what are they called? I think we found close to 40 variants at the end. But yeah, it just absolutely exploded.

Silas:
Yeah, I mean it was a great report. And one of the things — and just a quick call out that we have a resources section in the Zoom webinar that you can click and it has a link to this blog and the Fortinet one for people to review. And I called out ’cause there’s a chart actually that you did for this blog which outlined all of the different families. This is huge.

Aidan:
Yeah. And I mean honestly, some of these names are entirely ridiculous. ShiningForceRAT, you know, like I don’t even know how you come up with these. But yeah, it kind of shows exactly what we can see, what we can’t see. And honestly, a lot of the ones that we can’t see are probably just not rebranded very well. So it’s just probably gonna show up as basic AsyncRAT. So it’s really cool to be able to see all the different components.

Silas:
Super cool. So for each of these variants, are you seeing changes in like the underlying network structure or what are actually defining these variants?

Aidan:
Yeah, I think there are one or two that actually did change their network protocol, but I think they really just added some more buffers, maybe did an extra XOR or whatever. But ultimately they are all identical in the network protocol. The only thing that’s really different is these TLS certs. And so they keep using the same country of China. I think it’s, what is it, the SH — I think it’s Shanghai. But yeah, in every cert. And so you’re like, okay, it’s kinda easy, and then it literally says like RAT server. So it’s like, okay, that’s kinda weird if there’s another RAT server coming out of the same certificate.

Silas:
Yeah. I mean it sounds like it’s a similar type of thing, I feel like, to what people saw years ago with like njRat and Phantom Worm and a couple of those other ones. So there’s always been this cool history to see repeating itself with these proliferations of .net families. And this is also an odd one ’cause it’s one of the — it’s not legacy by any means, but they still rely upon a a desktop application for driving the malware.

Aidan:
Yeah, and it really sends people to Windows RDP too. So they they get these anonymous RDP boxes and then you have to manage an entire Windows ecosystem to spin this up. It’s quite different than what we’re seeing with stuff like Sliver or Havoc, where it’s a single Go binary you can throw anywhere, you know? It’s kinda it’s more involved and it’s harder to secure because it’s just more in and out.

Silas:
Yeah. I mean it’s slightly challenging because you’re not gonna find the web panels for it, but it’s still something that’s worthwhile to hunt on.

Aidan:
Absolutely. Yeah. And I’d be remiss not to call out like it is a child of Orcus RAT and the some of those previous Quasar RATs. It’s all the same ecosystem. I think it’s even written by one of the same guys who’s a contributor of the original one and forked off.

AsyncRAT family tree. Read the full article

Silas:
That’s super cool. And there’s also a version that’s called Gh0st RAT, but that one is different than the traditional Gh0st RAT.

Aidan:
Correct. Yeah. There’s the 2006 Gh0st RAT that was, you know, I think it was Southeast Asian related. And then there’s this new one, which I think they were really just taking advantage of: all right, when someone Googles Gh0st RAT, it goes, “Yeah, the 2006 one and not the new one,” which we see a ton with the the Gh0sts or the you know, the different core names.

Silas:
yeah. And Gh0st RAT was pretty iconic. It was back in the early APT scene in the early 2010s, like Gh0st RAT and Poison Ivy were major players and Gh0st RAT had that iconic like G-H-0-S-T as part of its like actual check in request, which was pretty iconic in the snort rules.

Aidan:

And that one — so we actually do have a custom scanner for the original Gh0st RAT, which we were seeing some hits for up until I think about 2023, where it entirely dropped off and it just — yeah, we couldn’t find anything that was, they might have changed it or, you know, tweaked it a little bit, or it just died.

Silas:
So with Poison Ivy, that was one that felt like it truly died because when Microsoft started enforcing kernel driver signing, Gh0st — or Poison Ivy at least — had a kernel, a root kit that it would deploy that had to be — or wasn’t signed, and so it would fail when being loaded into a kernel. And that kind of was the end game for that malware.

Aidan:
Yeah, hard to come back from that. No, that’s great. Cool.

Silas:
Let’s jump into FortiBleed

Aidan:
Perfect. Yeah. I was just going to ask you what your thoughts were and you know, what were your takeaways from this?

Silas:
Yeah, so this was a really interesting case. Like this popped up mid-June. I think it was originally found the from the blogs I’ve dug through, like Bob Diachenko posted about it on LinkedIn. I think he was the first one to identify it based on open web directory crawling from hunt.io. And then Kevin Beaumont, Hudson Rock, and a couple of others got involved in the actual review of the data.

We put out our own advisory as well. This was an interesting one, and was really excited to see this one come out. It’s the first one done by Kramer [Matthew Kramer is one of the newest Censys ARC researchers].

Fortibleed advisory map. View full Censys ARC advisory

Silas:

So it was really fantastic report. And like we we looked at what the exposure was and saw a pretty similar set of things, but unfortunately we didn’t capture the open web directory data. So a little bit of a blind spot to it. But the piece that I’ve been looking at over the past couple days is Orca Security put out their own follow-on blog post. And I’ll make sure the link gets included in like the show notes. They didn’t provide a lot of evidence, but they noted a couple of interesting things. One, which was potentially a tool called FortiGate Sniffer, which I’m really interested to dig into more. I haven’t found a copy yet. So if anyone finds a copy, my DMs are open. But then also a connection from this campaign to INC and Lynx ransomware, which is always — I’m always a little tepid about those things just because I don’t want, I don’t ever like the connection of like, this campaign was exclusively done by this ransomware group because I feel like we try and apply the same model that we did for a lot of espionage groups where it’s like, they have an office and they come in at nine to five. Their attacks are governed by Jira.

Aidan:
But now the exploit kit is all around, truthfully. I’m sure it’s been shared to several different groups by this point.

Silas:
Definitely. In a lot of these cases, the affiliates are the ones that really have the power. So, it might be a couple of affiliates that are passing it around amongst each other. Interestingly, back in, I think it was 2023, I did a report actually on an open web directory that I found with some Akira affiliates and their whole Fortigate or Fortinet targeting toolkit. So it is really interesting to see because especially when looking at these types of data where you have an organized group going after like, a VPN appliance, a lot of times you’ll see data that’s from one exploit that’s waiting to be connected with a second exploit and used in order to fully gain access to systems. Because for some of these it’s actors chaining one low-risk vulnerability with a medium to another medium to eventually triggering a full exploit chain of something high.

Aidan:
Sure. So for this one, what type of vulnerabilities are like, you know, we got a lot of questions about this one where it’s like, how can we track this and, you know, what vulnerabilities are involved?

Silas:
Yeah. So I’ll actually recommend taking a step back slightly from it and not necessarily worrying about the vulnerabilities specifically that are being targeted. It’s that this is becoming a standing capability to be able to conduct these attacks as new vulnerabilities start to come into play. Having that organized, that full pipeline of: we can identify the devices, we can then push them through an exploitation pipeline and then move that into something where it’s ready for human operators or someone else to go and actually do the legwork. Having that level of organization maturity is a worrisome thing. But it’s what happens also when threat actors start to become highly sophisticated.

Aidan:
Yeah. So I’m sure the question on everybody’s mind is like, were there any Claude or Anthropic footprints in this kit? What was your view on that?

Silas:
So I haven’t seen a copy of the open web directory data yet. So I’m not totally sure yet, but I’m very interested to dig into it more. The one piece that I have been looking at as well, and actually also from the Orca Security blog is: there was a C2 server that they flagged as tied to some of this activity. And oddly, it was running OpenFlow a few weeks ago and I’m still not quite sure what that was, but it’s a mystery to still run down.

Aidan:
Yeah, we’ll have to look at that.

Silas:
So, one last piece I wanted to call out for for this case. Something that Hudson Rock is doing that I think is a really cool initiative is they’ve set up a essentially a self-service victim notification panel. So there’s a couple models for how to do — if you’re in a situation like this where, you know, you find open web directory, you see seventy, eighty thousand infected systems and you need to do bulk notification. This is a really hard problem without law enforcement.

And I’m really excited to see Hudson Rock take this approach of doing a sort of self-service victim notification portal where you could go to their website, put some information in and they will relay back if you are potentially compromised and what data is exposed. Allison Nixon in Unit 221B did this years and years ago with ExchangeGate. I did it with 3CX, and there’s been a couple of other projects like this since. And I’m really excited to see this defender doctrine kind of advance a little bit.

Aidan:
Yeah, honestly there are plenty of times where I wish I had that tool, either when we were doing like, ICS notifications or any of that. Like, please tell me who this really belongs to.

Silas:
So I think it’s also a good model as well for doing victim notification because if you’re cold calling companies, it’s a very difficult process because you need to convey something that is hyper technical to sometimes like a c-level audience and trying to be like, “I have this open web directory to show you” does not land well. But having something where folks can read about it, they can verify, hey, this is a problem. I’ve heard about this this FortiBleed going on. How do I find out if I’m impacted? I can just go to this website and carefully choose what I want to share and make that decision myself. I think that leads to better outcomes.

Aidan:
No, that’s great. I know the couple of times that we’ve called or emailed folks, they’ve been like, “Who are you? Why have you contacted us? Did you hack us?” No, we’re trying to alert you that somebody else might potentially compromise it. It’s always a headache. So that sounds like a really interesting tool.

Silas:
Have you been reading the opt-out emails again?

Aidan:
What? Never!

Silas:
All right. I think that’s all we’ve got for today.

Watch the Next Episode Live: August 12

Censys ARC Flash goes live once a month. Sign up to sit in on the next episode when it airs on August 12th to get the latest cybersecurity intelligence and ask your questions live.

Register Now

References