Fileless Malware Attack: AsyncRAT Exploits ConnectWise ScreenConnect
Cybersecurity experts have discovered a complex fileless malware attack, involving AsyncRAT, which has been exploiting ConnectWise ScreenConnect for unauthorized access and data theft. The malware, delivered via multi-layered VBScript and PowerShell loaders, has proven stealthy and effective in evading modern malware protection.
The attack begins when a ScreenConnect client is compromised, and a malicious domain is employed. The initial payload, Obfuscator.dll, establishes persistence on the system and disables defense mechanisms such as Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).
The loaders, including VBScript and PowerShell scripts, then fetch the main payload, AsyncClient.exe, and execute it directly in memory without writing it to disk. AsyncClient.exe, the C2 engine, gathers system data, monitors user activity, and exfiltrates sensitive information. It maintains persistence via scheduled tasks and uses a custom protocol for command and control (C2) communication. Because it runs in memory and relies on legitimate system tools, fileless malware such as AsyncRAT continues to evade malware protection.
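The chain described above leaves behaviour in Windows telemetry even when nothing touches disk: a remote-support client spawning a script host, script blocks that reference AMSI or ETW internals, assemblies loaded from memory, and a scheduled task created by a script host. The following is an added detection example, not code from the original report or from any vendor; the event records are constructed stand-ins for Sysmon process-creation events and PowerShell script block logs, and the rule names, field names and sample paths are assumptions made for the example.

```python
"""
Added example (not from the report): rule-based triage of constructed Windows
telemetry for the loader behaviours the summary describes.  Event shapes are a
simplified stand-in for Sysmon Event ID 1 (process creation) and PowerShell
Event ID 4104 (script block logging); every sample record below is constructed.
"""
import re
from dataclasses import dataclass

# Remote-support client binaries we treat as sensitive parents (assumed names).
REMOTE_SUPPORT_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
# Script hosts and shells that a loader chain typically passes through.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Strings commonly seen in scripts that tamper with AMSI or ETW.
AMSI_ETW_TAMPER = re.compile(r"amsiscanbuffer|amsiinitfailed|amsiutils|etweventwrite", re.I)
# Indicators that a .NET assembly is being loaded straight from memory.
IN_MEMORY_LOAD = re.compile(
    r"\[System\.Reflection\.Assembly\]::Load\(|Invoke-Expression|\bIEX\b|FromBase64String", re.I)
# Scheduled task creation on the command line.
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Run each rule over the event list and return the findings in event order."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            child, parent = basename(ev["image"]), basename(ev["parent"])
            # Rule 1: remote-support client launching a script host.
            if parent in REMOTE_SUPPORT_PARENTS and child in SCRIPT_HOSTS:
                findings.append(Finding("remote_support_tool_spawned_script_host", i))
            # Rule 4: persistence via a scheduled task created from a script host.
            if parent in SCRIPT_HOSTS and TASK_CREATE.search(ev["cmd"]):
                findings.append(Finding("scheduled_task_created_by_script_host", i))
        elif ev["type"] == "scriptblock":
            text = ev["text"]
            # Rule 2: script references AMSI/ETW internals (defence tampering).
            if AMSI_ETW_TAMPER.search(text):
                findings.append(Finding("amsi_or_etw_tamper_indicator", i))
            # Rule 3: assembly or code executed from memory.
            if IN_MEMORY_LOAD.search(text):
                findings.append(Finding("in_memory_assembly_load", i))
    return findings


# Constructed sample events: four that mirror the described chain, two benign.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmd": r"wscript.exe //B C:\Users\Public\update.vbs"},
    {"type": "scriptblock",
     "text": "$h = [Helper]::Find('amsi.dll', 'AmsiScanBuffer'); [Helper]::Find('ntdll.dll', 'EtwEventWrite')"},
    {"type": "scriptblock",
     "text": "$b = [Convert]::FromBase64String($blob); [System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)"},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "wscript.exe C:\Users\Public\update.vbs"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": r"powershell -File C:\scripts\backup.ps1"},
    {"type": "scriptblock", "text": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.rule}")
```

Each rule on its own is noisy (administrators do create scheduled tasks from PowerShell), so in practice the value is in correlation: the same host producing a remote-support-spawned script host, a tamper indicator and a task creation within a short window is the pattern worth alerting on.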
The AsyncRAT attack, facilitated by the compromise of ConnectWise ScreenConnect, underscores the evolving threat landscape. The use of fileless malware, multi-layered loaders, and legitimate tools for illicit purposes highlights the need for robust, adaptive cybersecurity measures. Further investigation is ongoing to mitigate the impact of this attack and prevent future malware incidents.