Threat Intelligence

AsyncRAT deployed via ConnectWise ScreenConnect exploitation

Laptop computer displaying logo of ConnectWise, a software developer based in Tampa, Florida, United States

Malicious actors have leveraged the ConnectWise ScreenConnect remote monitoring and management tool to distribute the AsyncRAT trojan as part of a new attack campaign, according to Security Affairs.

After achieving remote access through a hacked ScreenConnect client, attackers launched a VBScript that ran commands to retrieve and execute a pair of payloads, with 'logs.ldk' being converted into a byte array and 'logs.ldr' being passed to the Main() method, leading to the execution of AsyncClient.exe or AsyncRAT's primary command-and-control engine, a LevelBlue report revealed.

AsyncClient not only enables AES-256-based configuration decryption, command parsing, and C2 communications, but also allows keylogging, sensitive data exfiltration, and persistence.

"Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution. This approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate," said LevelBlue researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds