A Bag of RATs: VenomRAT vs. AsyncRAT

Introduction

Remote access tools (RATs) have long been a favorite of attackers: they give remote control over compromised systems and support data theft, espionage, and continuous monitoring of victims. Two well-known examples are VenomRAT and AsyncRAT. Both are open-source and have made headlines through frequent use by different threat actors, including Blind Eagle/APT-C-36, Coral Rider, NullBulge, and OPERA1ER. Both descend from QuasarRAT, another open-source project, which explains their similarities. As each has evolved, however, they have diverged in functionality and behavior, which affects both how attackers use them and how defenders detect them.

Interestingly, as these RATs evolved, some security vendors have blurred the line between them, often grouping detections under a single label such as AsyncRAT or AsyncRAT/VenomRAT. This shows how closely related the two are, but it also suggests that their similarities complicate accurate classification for detection systems. We took a closer look at recent samples of each RAT to examine how, if at all, they differ.

This comparison explores the core technical differences between VenomRAT and AsyncRAT by analyzing their architecture, capabilities, and tactics.

Here is a comparison table between VenomRAT and AsyncRAT based on our findings. Each cell names the behavior observed and the corresponding MITRE ATT&CK technique ID.

| Capability | VenomRAT | AsyncRAT |
| --- | --- | --- |
| AMSI bypass | ✔ Patches AmsiScanBuffer in amsi.dll (in-memory patching), T1562.001 | ✘ Not implemented |
| ETW bypass | ✔ Patches EtwEventWrite in ntdll.dll (in-memory patching), T1562.006 | ✘ Not implemented |
| Keylogging | ✔ Advanced keylogger with filtering and process tracking, T1056.001 | ✔ Basic keylogger with clipboard logging, T1056.001 |
| Anti-analysis techniques | ✔ Uses WMI for OS detection and VM checks, T1497.001 | ✔ VM, sandbox, and debugger detection, T1497 |
| Hardware interaction | ✔ Collects CPU, RAM, GPU, and software data via WMI, T1082 | ✔ Collects system data via Win32_ComputerSystem, T1082 |
| Process discovery | ✔ Has the capability to obtain a listing of running p .. | |
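The two defense-evasion rows above describe the same technique, overwriting the first bytes of an exported function (AmsiScanBuffer in amsi.dll, EtwEventWrite in ntdll.dll) so that it returns before doing any work. The script below is an added example written for this page, not code from the article or from either RAT. It shows how a responder can check whether those prologues have been altered in a running process: it loads a fresh copy of each DLL into the inspecting process, reads the same addresses in the target process with ReadProcessMemory (system DLLs share one base address across processes for a boot session), and classifies any difference. The 16-byte comparison window, the patch byte patterns and the names `classify`, `read_remote_prologues` and `has_patching` are assumptions of this example; the patterns are ones used by public bypass proof-of-concepts and are not a claim about the exact bytes VenomRAT writes.

```python
"""Check whether AmsiScanBuffer / EtwEventWrite prologues are patched in a process.

Added example for illustration only; not code from the article or either RAT.
classify()/has_patching() are platform-independent; read_remote_prologues()
needs Windows and a process of the same bitness as the interpreter.
"""
import ctypes
import sys

PROLOGUE_LEN = 16  # assumed: bytes compared at each function entry

# Patch patterns taken from widely published bypass PoCs (assumption; not
# asserted to be the exact bytes VenomRAT writes).
KNOWN_PATCHES = {
    "AmsiScanBuffer": {
        b"\xb8\x57\x00\x07\x80\xc3": "mov eax, E_INVALIDARG; ret",
    },
    "EtwEventWrite": {
        b"\xc3": "ret",
        b"\x33\xc0\xc3": "xor eax, eax; ret",
        b"\xc2\x14\x00": "ret 0x14 (x86 stdcall)",
    },
}

# Module -> export to inspect (the two functions named in the table).
TARGETS = {"amsi.dll": "AmsiScanBuffer", "ntdll.dll": "EtwEventWrite"}


def classify(func, observed, reference):
    """Compare prologue bytes seen in a process with a pristine copy.

    Returns (status, detail): status is "clean", "patched" (matches a known
    bypass pattern) or "modified" (differs, cause unknown: could be an unknown
    patch, but also an EDR or AV inline hook).
    """
    if observed == reference:
        return ("clean", None)
    for pattern, desc in KNOWN_PATCHES.get(func, {}).items():
        if observed.startswith(pattern):
            return ("patched", desc)
    return ("modified", "prologue differs from freshly loaded image")


def has_patching(results):
    """True if any inspected function is patched or otherwise modified."""
    return any(status != "clean" for status, _ in results.values())


def read_remote_prologues(pid):
    """Windows only: classify each target function as seen inside `pid`."""
    if sys.platform != "win32":
        raise OSError("live inspection requires Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_void_p, ctypes.c_size_t,
                                      ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    handle = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    results = {}
    try:
        for dll, func in TARGETS.items():
            # Fresh local load gives the reference bytes; system DLLs map at the
            # same base in every process until reboot, so `addr` is valid remotely.
            addr = k32.GetProcAddress(k32.LoadLibraryW(dll), func.encode())
            if not addr:
                raise ctypes.WinError(ctypes.get_last_error())
            reference = ctypes.string_at(addr, PROLOGUE_LEN)
            buf = ctypes.create_string_buffer(PROLOGUE_LEN)
            got = ctypes.c_size_t(0)
            # Fails if the DLL is not mapped in the target (e.g. no amsi.dll).
            if not k32.ReadProcessMemory(handle, addr, buf, PROLOGUE_LEN,
                                         ctypes.byref(got)):
                raise ctypes.WinError(ctypes.get_last_error())
            results[func] = classify(func, buf.raw[:got.value], reference)
    finally:
        k32.CloseHandle(handle)
    return results


if __name__ == "__main__":
    # Usage: python check_patches.py <pid>
    for name, (status, detail) in read_remote_prologues(int(sys.argv[1])).items():
        print(f"{name:15} {status:8} {detail or ''}")
```

Two caveats when reading the output. A "modified" result is not proof of malware: EDR and AV products also rewrite these prologues with inline hooks, so the verdict needs the process context (parent, image path, signer) before it becomes an alert. And the reference copy is only trustworthy if the inspecting process itself is unpatched; in a suspected-compromised host, compare against the bytes of the file on disk instead of a locally loaded module.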