Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deliver a fleshless loader that drops a remote access trojan (RAT) called AsyncRAT to steal sensitive data from compromised hosts.
“The attacker used ScreenConnect to gain remote access, then executed a layered VBScript and PowerShell loader that fetched and ran obfuscated components from external URLs,” LevelBlue said in a report shared with The Hacker News. “These components included encoded .NET assemblies ultimately unpacking into AsyncRAT while maintaining persistence via a fake ‘Skype Updater’ scheduled task.”
In the infection chain documented by the cybersecurity company, the threat actors have been found to leverage a ScreenConnect deployment to initiate a remote session and launch a Visual Basic Script payload via hands-on-keyboard activity.
“We saw trojanized ScreenConnect installers masquerading as financial and other business documents being sent via phishing emails,” Sean Shirley, LevelBlue MDR SOC Analyst, told The Hacker News.
The script, for its part, is designed to retrieve two external payloads (“logs.ldk” and “logs.ldr”) from an attacker-controlled server by means of a PowerShell script. The first of the two files, “logs.ldk,” is a DLL that’s responsible for writing a secondary Visual Basic Script to disk, using it to establish persistence using a scheduled task by passing it off as “Skype Updater” to evade detection.
This Visual Basic Script contains the same PowerShell logic observed at the start of the attack. The scheduled task ensures that the payload is automatically executed after every login.
The PowerShell script, besides loading “logs.ldk” as a .NET assembly, passes “logs.ldr” as input to the loaded assembly, leading to the execution of a binary (“AsyncClient.exe”), which is the AsyncRAT payload with capabilities to log keystrokes, steal browser credentials , fingerprint the system, and scan for installed cryptocurrency wallet desktop apps and browser extensions in Google Chrome, Brave, Microsoft Edge, Opera, and Mozilla Firefox.
All this collected information is eventually exfiltrated to a command-and-control (C2) server (“3osch20.duckdns[.]org”) over a TCP socket, to which the malware beacons in order to execute payloads and receive post-exploitation commands. The C2 connection settings are either hard-coded or pulled from a remote Pastebin URL.
“Fileless malware continues to pose a significant challenge to modern cybersecurity defenses due to its stealthy nature and reliance on legitimate system tools for execution,” LevelBlue said. “Unlike traditional malware that writes payloads to disk, fileless threats operate in memory, making them harder to detect, analyze, and eradicate.”
