
Fileless Malware Attack: AsyncRAT Exploits ConnectWise ScreenConnect

AsyncRAT's fileless nature and use of legitimate tools make it hard to detect. The attack highlights the need for robust, adaptive cybersecurity measures.



Cybersecurity experts have discovered a complex fileless malware attack, involving AsyncRAT, which has been exploiting ConnectWise ScreenConnect for unauthorized access and data theft. The malware, delivered via multi-layered VBScript and PowerShell loaders, has proven stealthy and effective in evading modern malware protection.

The attack begins when a ScreenConnect client is compromised, and a malicious domain is employed. The initial payload, Obfuscator.dll, establishes persistence on the system and disables defense mechanisms such as Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).

The loaders, including VBScript and PowerShell scripts, then fetch and execute the main payload, AsyncClient.exe, directly in memory, bypassing disk writes. AsyncClient.exe, the C2 engine, gathers system data, monitors user activity, and exfiltrates sensitive information. It maintains persistence via scheduled tasks and uses a custom protocol for command and control (C2) communication. Fileless malware such as AsyncRAT continues to evade malware protection because it leaves little on disk and abuses legitimate system tools.
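As an added, defender-side example that is not part of the original report: a small Python triage routine that walks constructed process-creation events (sample data, not from any real incident) and flags the chain the article describes, a script host spawned under the ScreenConnect client process, hidden or encoded PowerShell arguments, and scheduled-task creation from that chain. The process name `ScreenConnect.ClientService.exe`, the field layout and the argument patterns are assumptions.

```python
"""Heuristic triage of process-creation events for the remote-access client
-> script loader -> in-memory payload -> scheduled task chain (constructed example)."""
import re

# Constructed sample events, not from any real incident: pid, parent pid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "ScreenConnect.ClientService.exe", "cmd": "ScreenConnect.ClientService.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe", "cmd": r"wscript.exe C:\Users\Public\update.vbs"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc AAAA"},
    {"pid": 400, "ppid": 300, "image": "schtasks.exe", "cmd": "schtasks.exe /create /sc minute /tn Updater /tr x"},
    {"pid": 500, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},  # benign
]

REMOTE_ACCESS = {"screenconnect.clientservice.exe"}  # assumed client service image name
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
PERSISTENCE = {"schtasks.exe"}
# Hidden window, no profile, or encoded command: common loader arguments worth a closer look.
SUSPICIOUS_PS = re.compile(r"-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|-nop\b", re.I)


def ancestry(events_by_pid, pid):
    """Walk parent links to the root; return lower-cased image names from root to pid."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        chain.append(events_by_pid[pid]["image"].lower())
        pid = events_by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events):
    """Return (pid, reason) findings for events whose ancestry matches the loader chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        chain = ancestry(by_pid, ev["pid"])
        img, ancestors = ev["image"].lower(), chain[:-1]
        under_rmm = any(a in REMOTE_ACCESS for a in ancestors)
        if img in SCRIPT_HOSTS and under_rmm:
            reason = "script host spawned under remote-access client"
            if SUSPICIOUS_PS.search(ev["cmd"]):
                reason += " with hidden/encoded PowerShell arguments"
            findings.append((ev["pid"], reason))
        elif img in PERSISTENCE and under_rmm and any(a in SCRIPT_HOSTS for a in ancestors):
            findings.append((ev["pid"], "scheduled task created from the script-loader chain"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Real telemetry (Sysmon event 1 or EDR process events) carries the same parent/child and command-line fields, so the same walk applies once the records are mapped to this shape.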

The AsyncRAT attack, facilitated by the compromise of ConnectWise ScreenConnect, underscores the evolving threat landscape. The use of fileless malware, multi-layered loaders, and legitimate tools for illicit purposes highlights the need for robust, adaptive cybersecurity measures. Further investigation is ongoing to mitigate the impact of this attack and prevent future malware incidents.
