Beware of Fake Downloads: AsyncRAT Spreads via Popular Software Cracks
In an alarming trend observed by McAfee Labs, cybercriminals have refined their tactics, luring unsuspecting users into downloading AsyncRAT malware disguised as popular cracked software. This evolving menace leverages the public’s desire for free access to premium applications, using these fake software versions as a delivery vehicle for a sophisticated remote access trojan (RAT).
AsyncRAT is designed to infiltrate systems under the guise of legitimate software. Recent campaigns discovered by McAfee have seen the malware masquerading as widely used tools like CCleaner, EaseUS Partition Master, YouTube Downloader, and even AnyDesk. Once a user downloads and runs what appears to be a harmless application, the malware is silently executed in the background.
In one analyzed instance, a fake AnyDesk application contained a combination of genuine software and malware. By embedding the legitimate AnyDesk executable inside the malicious bundle, attackers managed to deceive even vigilant users.
Upon execution, the malicious AnyDesk installer initiates a series of steps designed to maintain persistence and avoid detection. By exploiting Windows Defender exclusions and utilizing obfuscation techniques, the malware ensures that it remains undetected for as long as possible. Key functions within the malware, such as AddExclusion and RunHiddenCommand, are used to modify system settings and execute malicious PowerShell scripts.
The ultimate goal of this malware is to establish a remote connection with the infected machine, granting attackers full control. Once a device is compromised, cybercriminals can execute various malicious activities, including keystroke logging, data exfiltration, and command execution, all while the victim remains unaware.
Cracked software has long been a favorite vector for malware distribution, but the surge in AsyncRAT deployments highlights how dangerous this strategy has become. According to McAfee’s telemetry data, this threat has been prevalent since March 2024, and infection rates are rising worldwide. Cybercriminals capitalize on users’ willingness to bypass legitimate licensing by offering “free” versions of premium software, only to deliver malicious payloads in the process.
A particularly clever element of AsyncRAT’s design is its use of environment variable manipulation and obfuscated .bat files. These .bat files are strategically hidden in AppData folders and executed with minimized visibility, ensuring that the malware’s actions remain undetected. For example, in the analyzed AnyDesk-themed attack, the .bat script invokes PowerShell to continue the infection chain, setting an exclusion for the entire C drive to avoid detection by Windows Defender.
Once inside the system, AsyncRAT establishes persistence through the creation of scheduled tasks or by adding registry keys. In one case, a task named ‘OneNote 67895’ was scheduled to execute the malware on user logins, ensuring the RAT maintained control over the system.
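The two persistence and evasion traits described above (a whole-drive Defender exclusion, and a logon-triggered task that launches a hidden batch script from AppData) are easy to audit for on an endpoint. The following is an added example written for this summary, not McAfee's own tooling: it runs over constructed sample records shaped like the output of `Get-MpPreference` and `Get-ScheduledTask`, and the task entries other than the 'OneNote 67895' name are assumed, illustrative values.

```python
import re
from pathlib import PureWindowsPath

# A bare drive letter (e.g. "C:" or "C:\") excluded from scanning.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# Directories an ordinary user can write to; the article's .bat lived under AppData.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
HIDDEN_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|/min", re.IGNORECASE)


def audit_exclusions(paths):
    """Return (path, reason) for Defender exclusions that defeat scanning broadly."""
    findings = []
    for p in paths:
        if DRIVE_ROOT.match(p.strip()):
            findings.append((p, "whole-drive exclusion"))
        elif USER_WRITABLE.search(p):
            findings.append((p, "user-writable directory excluded"))
    return findings


def audit_tasks(tasks):
    """Return (name, reasons) for logon tasks that run hidden or from user-writable paths."""
    findings = []
    for t in tasks:
        if "logon" not in t["trigger"].lower():
            continue  # only logon-triggered persistence is of interest here
        exe = PureWindowsPath(t["action"]).name.lower()
        args = t.get("args", "")
        reasons = []
        if USER_WRITABLE.search(t["action"]) or USER_WRITABLE.search(args):
            reasons.append("runs from user-writable path")
        if exe in SCRIPT_HOSTS and HIDDEN_FLAGS.search(args):
            reasons.append("hidden script host")
        if reasons:
            findings.append((t["name"], reasons))
    return findings


# Constructed sample data; the task name 'OneNote 67895' comes from the article, paths are assumed.
SAMPLE_EXCLUSIONS = ["C:\\", "C:\\Program Files\\MyApp", "C:\\Users\\bob\\AppData\\Roaming\\svc"]
SAMPLE_TASKS = [
    {"name": "OneNote 67895", "trigger": "AtLogon", "action": "C:\\Windows\\System32\\cmd.exe",
     "args": '/c start /min "" "C:\\Users\\bob\\AppData\\Roaming\\up.bat"'},
    {"name": "Vendor Updater", "trigger": "Daily",
     "action": "C:\\Users\\bob\\AppData\\Local\\Vendor\\Updater.exe", "args": ""},
    {"name": "Machine Core Update", "trigger": "AtLogon",
     "action": "C:\\Program Files (x86)\\Vendor\\Update.exe", "args": "/c"},
]

if __name__ == "__main__":
    for p, why in audit_exclusions(SAMPLE_EXCLUSIONS):
        print(f"EXCLUSION {p}: {why}")
    for name, why in audit_tasks(SAMPLE_TASKS):
        print(f"TASK {name}: {', '.join(why)}")
```

On a live host the same two functions can be fed the `ExclusionPath` list from `Get-MpPreference` and the trigger/action fields from `Get-ScheduledTask`, exported to JSON.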
McAfee Labs has further deobfuscated and reverse-engineered AsyncRAT’s payload, uncovering its final client payload. This payload contains features designed for anti-debugging, logging, and maintaining control of the infected device. The malware also utilizes AES decryption and Gzip decompression to hide its configuration, making it difficult to analyze or detect through conventional means.
Investigators discovered that the RAT communicates with a command-and-control (C2) server hosted at orostros.mywire.org, a dynamic DNS service. This allows attackers to issue commands to compromised systems, stealing sensitive data or manipulating devices remotely.