Cybersecurity researchers reveal details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) software, delivering a meatless loader that drops a remote access Trojan (RAT), called Asyncrat, to steal sensitive data from a reduced-down host.
“The attacker used ScreenConnect to gain remote access and ran a layered VBScript and PowerShell loader that retrieves and runs obfuscated components from external URLs,” LevelBlue said in a report shared with Hacker News. “These components are encoded .NET assemblies that are eventually deactivated to Asyncrat, while maintaining persistence via fake ‘Skype Updater’ scheduled tasks. ”
The infection chain documented by cybersecurity companies has shown that threat actors leverage the deployment of Screen Connect to launch remote sessions and start visual basic script payloads via keyboard activity.
“We’ve seen a Trojan screenconnect installer disguised as financial and other business documents sent via phishing emails,” Leadblue MDR SOC analyst Sean Shirley told Hacker News.
The script is designed to use PowerShell scripts to retrieve two external payloads (“logs.ldk” and “logs.ldr”) from the attacker control server. The first of the two files is a DLL that is used to establish persistence using scheduled tasks by writing a secondary visual basic script on disk and by avoiding detection as “Skype Updater” and establishing saves using disks.
This visual basic script contains the same PowerShell logic observed at the start of the attack. Scheduled tasks ensure that the payload will run automatically every time you log in.
In addition to loading “logs.ldk” as a .NET assembly, the PowerShell script is passed as input to the load assembly, leading to the execution of the binary (“asyncclient.exe”). Browser extensions for Google Chrome, Brave, Microsoft Edge, Opera, and Mozilla Firefox.
All this collected information will eventually be extended to the Command and Control (C2) server (“3osch20.duckdns”[.]org”) via TCP socket, a malware beacon uses a beacon to perform a payload and receive commands after explosion. C2 connection settings are hardcoded or extracted from the remote path pebin URL.
“Fireless malware continues to pose major challenges to modern cybersecurity defenses due to its stealthiness and reliance on legitimate system tools for execution,” LevelBlue said. “Unlike traditional malware that writes payloads to disk, indelible threats work in memory, making them difficult to detect, analyze and eradicate.”
Source link
