Protobuf-net Asymmetric Client–RAT Protocol
Overview
A .NET remote-access trojan (RAT) communication pattern that uses protobuf-net as the serialization layer over an asynchronous TCP socket. The server side acts as the listener; the client initiates an outbound TCP connection (TLS-wrapped in most variants) and the two sides exchange strongly-typed message objects (e.g., DoShellExecute, GetPasswords, GetSystemInfo) rather than raw byte streams or HTTP requests.
Detection / Fingerprint
- Embedded library string: `protobuf-net, Version=2.4.0.0` (or similar) in unobfuscated .NET PEs ^[raw/analyses/0347df428374/0347df42report.md]
- Message namespace patterns like `Quasar.Common.Messages.<Action>` or `AsyncRAT.<Action>`
- Capability hits from capa: `create TCP socket`, `send data`, `receive data`, plus .NET process creation and WMI references
Implementation Patterns
- Server: .NET WinForms GUI (Quasar builder) or headless console (AsyncRAT)
- Client: Identical .NET assembly compiled with the same message model DLL
- Framing: protobuf-net serializes each message with a length prefix, sent over raw TCP; optionally wrapped in TLS via BouncyCastle or SslStream
- Encryption: Per-message AES or TLS depending on variant; no HTTP layer
Reproduce on Your Own VMs
- Install Visual Studio with .NET Framework 4.8 workload.
- Clone Quasar or AsyncRAT open-source repo.
- Build both Client and Server projects.
- Run the server on a VM, note the listener port.
- Build the client with the server IP/port configured.
- Execute the client on a second VM and observe TCP handshake + protobuf message exchange in Wireshark (expect TLS Application Data).
Defensive Countermeasures
- Network: block outbound TCP to non-standard ports where it is not expected; look for TLS handshakes with a low-entropy SNI or no SNI at all.
- Endpoint: capa + YARA on the `.text` section for `protobuf-net` and message-type class names.
- Host: monitor for `Client.exe` processes whose version-info fields contain `Quasar` or `AsyncRAT`.
Pages Where Observed
- quasar
- asyncrat
- messagepack-asynchronous-rat-protocol — parallel MessagePack variant used by AsyncRAT specifically.