Network Forensic Analysis of a Multi-Stage Async RAT Infection Chain
Keywords: Async RAT, Malware infection chain, Indicators of Compromise (IoCs), Command and Control (C2) communication, Network traffic analysis

Abstract
This study investigates the complete infection chain of a multi-stage malware attack culminating in the deployment of the Async Remote Access Trojan (RAT). The primary objective is to identify critical stages of the infection process and derive Indicators of Compromise (IoCs) that can inform effective detection and prevention strategies. Contemporary malware increasingly employs sophisticated delivery mechanisms to evade conventional security defenses, presenting significant challenges for analysts due to multi-stage execution, obfuscation, and covert communication channels. A controlled virtual environment was established to safely execute and monitor the malware sample. Utilizing the Wireshark protocol analyzer and host-based artifact collection, the infection was traced from an ISO disk image file to a Windows Script File (WSF) loader. The analysis revealed a two-stage network communication process: an initial connection to a staging server for payload retrieval, followed by the establishment of an encrypted TLSv1.0 channel to a dynamic DNS-based Command and Control (C2) server operating on a non-standard port. The findings provide distinct IoCs, including network signatures and host-based traces, that can be leveraged for proactive defense. This research demonstrates that Async RAT infections rely on layered delivery mechanisms and encrypted communication channels to bypass detection. The identified IoCs offer actionable intelligence for security practitioners, contributing to the development of robust detection and mitigation strategies against evolving malware threats.
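As an added, defender-side illustration that is not part of the paper, the following Python sketch applies the two-stage network pattern the abstract describes, a plaintext staging retrieval followed shortly by a TLSv1.0 session on a non-standard port to a dynamic DNS name, to tshark-style connection records. The record layout, the RFC 5737 addresses, the port, the time window and the dynamic DNS watchlist are all assumptions constructed for the example.

```python
# Added example, not the paper's code: layout, addresses, port and the DDNS
# watchlist are constructed assumptions for illustration only.
from dataclasses import dataclass
from datetime import datetime, timedelta

DYNDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org")  # illustrative watchlist
STAGE_WINDOW = timedelta(minutes=10)  # assumed max gap between staging and C2

@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str        # "http" or "tls"
    tls_version: str  # e.g. "TLSv1.0"; empty for non-TLS
    sni: str          # TLS server name; empty for non-TLS

def parse_line(line: str) -> Conn:
    ts, src, dst, dport, proto, tlsv, sni = line.split(",")
    return Conn(datetime.fromisoformat(ts), src, dst, int(dport), proto, tlsv, sni)

def load(text: str) -> list:
    return [parse_line(l) for l in text.strip().splitlines()]

def is_dyndns(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)

def is_suspect_c2(c: Conn) -> bool:
    # The abstract's C2 signature: legacy TLSv1.0, non-standard port, DDNS name.
    return c.proto == "tls" and c.tls_version == "TLSv1.0" and c.dport != 443 and is_dyndns(c.sni)

def find_chains(conns: list) -> list:
    """Pair each suspect C2 session with an earlier plaintext HTTP retrieval from
    the same host to a different server inside STAGE_WINDOW (staging -> C2)."""
    hits = []
    for c2 in filter(is_suspect_c2, conns):
        for stage in conns:
            if (stage.src == c2.src and stage.proto == "http" and stage.dst != c2.dst
                    and timedelta(0) <= c2.ts - stage.ts <= STAGE_WINDOW):
                hits.append((stage, c2))
    return hits

# Constructed records: ts,src,dst,dport,proto,tls_version,sni (RFC 5737 test addresses)
SAMPLE = """
2025-03-01T10:00:05,10.0.0.5,192.0.2.10,80,http,,
2025-03-01T10:00:41,10.0.0.5,198.51.100.7,7000,tls,TLSv1.0,host-ab12.duckdns.org
2025-03-01T10:02:00,10.0.0.5,203.0.113.4,443,tls,TLSv1.2,update.example.com
2025-03-01T10:03:10,10.0.0.9,198.51.100.7,7000,tls,TLSv1.2,host-ab12.duckdns.org
"""
```

Running `find_chains(load(SAMPLE))` pairs the first record with the second and ignores the TLSv1.2 sessions, which is the correlation an analyst would wire into a SIEM rule rather than alerting on each signal alone.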
License
Copyright (c) 2025 International Journal of Cyber Engineering

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
