New Robust Technique for Reliably Identifying AsyncRAT/DcRAT/VenomRAT Servers

Looking for indicators that detect C2 servers of the QuasarRAT family is nothing particularly new. Up to now, two main approaches are already known. First, it is trivial to identify QuasarRAT/AsyncRAT/DcRAT/VenomRAT servers when the default TLS certificates are used: the certificate's Subject and Issuer CN directly give us the information we are looking for. For AsyncRAT, for example, both the Issuer CN and the Subject CN are "AsyncRAT Server". This approach has been explained in various reports and blog posts.
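The default-certificate check described above, as an added example that is not part of the original post: it takes a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, checks for the self-signed pattern (Subject equals Issuer) and matches the Subject CN against the one default CN the post names. The sample certificate is constructed, not observed data; the optional live-probe helper relies on the third-party `cryptography` package because `getpeercert()` yields nothing when chain validation is disabled unless `binary_form=True` is used.

```python
import socket
import ssl

# Default certificate CN the post cites for AsyncRAT. The whole family
# shares one codebase, so this table is meant to be extended.
KNOWN_DEFAULT_CNS = {"AsyncRAT Server": "AsyncRAT"}

# Constructed sample in getpeercert() format (not real observed data).
SAMPLE_ASYNCRAT = {
    "subject": ((("commonName", "AsyncRAT Server"),),),
    "issuer": ((("commonName", "AsyncRAT Server"),),),
}


def rdn_to_dict(name):
    """Flatten getpeercert()-style RDN tuples such as
    ((('commonName', 'x'),),) into a plain {attribute: value} dict."""
    return {key: value for rdn in name for key, value in rdn}


def classify_cert(cert):
    """Return (family, reasons) for a cert in getpeercert() dict form.
    family is None when no default-certificate indicator matched; an
    operator who swapped the default cert will not be caught here."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    reasons = []
    if subject and subject == issuer:
        reasons.append("self-signed: subject equals issuer")
    cn = subject.get("commonName")
    family = KNOWN_DEFAULT_CNS.get(cn)
    if family:
        reasons.append(f"subject CN is the {family} default '{cn}'")
        if issuer.get("commonName") == cn:
            reasons.append("issuer CN matches as well")
    return family, reasons


def fetch_cert_dict(host, port, timeout=5.0):
    """Fetch a live listener's leaf certificate and reduce it to the
    dict form classify_cert() expects (only the CN is carried over).
    Chain validation is disabled on purpose, as C2 certs are self-signed."""
    from cryptography import x509  # lazy import: only needed for probes
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)

    def cn_rdn(name):
        attrs = name.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
        return ((("commonName", attrs[0].value),),) if attrs else ()

    return {"subject": cn_rdn(cert.subject), "issuer": cn_rdn(cert.issuer)}
```

`classify_cert(fetch_cert_dict(host, port))` turns a single probe into a family label plus the reasons behind it, which is the form a hunting pipeline can log and review.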